Enterprise DevSecOps: Integrating security into CI/CD pipelines for regulated industries

ADEDAMOLA ABIODUN SOLANKE *

Dallas Baptist University,
Business Administration and Management, Dallas, Texas, USA.
 
Review Article
World Journal of Advanced Research and Reviews, 2022, 13(02), 633-648
Article DOI: 10.30574/wjarr.2022.13.2.0121
 
Publication history: 
Received on 30 December 2021; revised on 20 February 2022; accepted on 25 February 2022
 
Abstract: 
As organizations scale their DevOps adoption for faster software delivery, integrating security into the CI/CD pipeline becomes imperative. Security must be embraced at every stage of the software development life cycle, not least to meet compliance requirements in their strictest sense, especially in industries such as healthcare, finance, and government. DevSecOps shifts the perspective toward incorporating security from day one of the development cycle: security is built in throughout rather than separated out or addressed only at the end.
The paper introduces DevSecOps and examines the security problems organizations face when integrating security into their CI/CD workflows. Proactive security strategies such as threat modeling (identifying potential threats to a system and the likelihood of their being realized), automated security testing (using tools to test for vulnerabilities on every build), and real-time monitoring (continuously watching systems for security threats) contribute to the early identification and remediation of vulnerabilities during the software development life cycle. It further focuses on architectural patterns that integrate security into the pipeline itself without compromising the speed and agility of DevOps practices, and on governance frameworks that map clearly articulated security policies onto those pipelines while remaining agile enough to permit operational freedom.
Through automation, policy-as-code, and continuous compliance monitoring, organizations can enforce their security requirements with a reasonable level of assurance against risk, even in regulated settings. The paper also outlines best practices for implementing security in DevOps pipelines that serve the common goals of speed, security, and compliance. As the modernization of software development life cycles deepens, DevSecOps is poised to become a major pillar in the construction of secure, resilient, and regulatory-compliant applications, and a source of optimism about the future of secure software development.
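As an added illustration of what a policy-as-code gate looks like in practice (this is not code from the paper; the build record, the policy fields, the registry prefix and the finding identifiers are constructed assumptions rather than any standard schema), the following Python evaluates one build's metadata against a declared policy and reports every violation. It also shows the detail regulated environments care about most: an approved risk exception is honoured only until its recorded expiry date, so nothing is waived silently or forever.

```python
"""Policy-as-code gate for a CI/CD pipeline.

Added illustration, not code from the paper. The build record, the policy
fields and the finding identifiers below are constructed assumptions,
not a standard schema.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Any, Dict, List, Tuple

# Severity ordering used to compare findings against the policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    allowed_base_prefixes: List[str]             # base images must start with one of these
    block_at: str = "high"                       # SAST findings at this severity or above block
    require_signature: bool = True               # artifact must be signed before release
    require_clean_secrets_scan: bool = True      # any committed secret blocks the build
    exceptions: Dict[str, date] = field(default_factory=dict)  # finding id -> exception expiry


def evaluate(build: Dict[str, Any], policy: Policy, today: date) -> List[str]:
    """Return every policy violation for one build record; an empty list means the gate passes."""
    violations: List[str] = []

    base = build.get("base_image", "")
    if not any(base.startswith(prefix) for prefix in policy.allowed_base_prefixes):
        violations.append(f"base image {base!r} is not from an approved registry")

    if policy.require_signature and not build.get("signed", False):
        violations.append("artifact is not signed")

    secrets = build.get("secrets_found", 0)
    if policy.require_clean_secrets_scan and secrets > 0:
        violations.append(f"{secrets} secret(s) detected in source")

    threshold = SEVERITY_RANK[policy.block_at]
    for finding in build.get("sast_findings", []):
        if SEVERITY_RANK.get(finding["severity"], 0) < threshold:
            continue  # below the blocking threshold: reported elsewhere, not a gate failure
        expiry = policy.exceptions.get(finding["id"])
        if expiry is not None and expiry >= today:
            continue  # approved, unexpired risk acceptance: allowed through, still auditable
        violations.append(
            f"{finding['id']} ({finding['severity']}) is at or above the "
            f"{policy.block_at} threshold with no valid exception"
        )
    return violations


def gate(build: Dict[str, Any], policy: Policy, today: date) -> Tuple[bool, List[str]]:
    """Convenience wrapper: (passed, violations) for use as a pipeline step's exit condition."""
    violations = evaluate(build, policy, today)
    return (len(violations) == 0, violations)


# Constructed sample policy and build records (assumptions for this example).
POLICY = Policy(
    allowed_base_prefixes=["registry.example.internal/base/"],
    block_at="high",
    exceptions={"SAST-0042": date(2022, 6, 30)},  # risk accepted by security review, time-boxed
)

AS_OF = date(2022, 3, 1)          # pipeline run date while the exception is still valid
AFTER_EXPIRY = date(2022, 7, 1)   # pipeline run date after the exception has lapsed

BUILD_OK = {
    "artifact": "registry.example.internal/payments/api:1.4.2",
    "base_image": "registry.example.internal/base/python:3.10",
    "signed": True,
    "secrets_found": 0,
    "sast_findings": [
        {"id": "SAST-0017", "severity": "medium"},
        {"id": "SAST-0042", "severity": "high"},   # covered by the exception until 2022-06-30
    ],
}

BUILD_BAD = {
    "artifact": "docker.io/library/api:latest",
    "base_image": "docker.io/library/python:3.10",
    "signed": False,
    "secrets_found": 1,
    "sast_findings": [{"id": "SAST-0099", "severity": "critical"}],
}

if __name__ == "__main__":
    for name, build in (("BUILD_OK", BUILD_OK), ("BUILD_BAD", BUILD_BAD)):
        passed, violations = gate(build, POLICY, AS_OF)
        print(name, "PASS" if passed else "FAIL")
        for v in violations:
            print("  -", v)
```

In a real pipeline the policy object would be loaded from a version-controlled file and the build record from the pipeline's own scan outputs, so that every gate decision, including which exception justified a pass, is reproducible from the repository history alone; that reproducibility is what makes the gate usable as compliance evidence.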
 
Keywords: 
Enterprise DevSecOps; Regulated industries; Security automation; Compliance-as-code; Zero Trust security.

 