Security Activities Integrated into DevOps Software Development and Operation Processes
Saarinen, Helena (2022)
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-2022110922359
https://urn.fi/URN:NBN:fi:amk-2022110922359
Tiivistelmä
Web application security and safety are important issues for all digital service users. The speed of application development cycles, constant changes, and continuous integrations cause many challenges to ensure and maintain web application security. Web service users have often unnecessarily worried about security, because in many cases automated scanning tools can find most of the security vulnerabilities [1]. Web applications must be built and designed to prevent intentional attacks and protect users from exposing confidential information even if they use insecure actions [1].
The Agile application development model is widely used for web service development. In this model, changes are often made to the service, and ensuring application security at the end of the process slows down the release cycles and increases costs. In addition, correcting security findings at the end of the development process is always difficult and more expensive.
The goal of this thesis is to learn more about web application protection methods by reviewing system security guidelines, best practices, and how these can be implemented in the agile application development model process at different stages.
This thesis is based on the literature which incorporates application development methods, security practices and security verification processes. Following the conceptual knowledge base, the case company application development and operation processes' current state evaluation was executed using the BSIMM framework. It was found that in case company Security Testing practice area activities' maturity level was remarkably lower than companies used in the comparison. The final proposal includes 20 high and medium level security activities to improve the case company application development and DevOps processes.
The Agile application development model is widely used for web service development. In this model, changes are often made to the service, and ensuring application security at the end of the process slows down the release cycles and increases costs. In addition, correcting security findings at the end of the development process is always difficult and more expensive.
The goal of this thesis is to learn more about web application protection methods by reviewing system security guidelines, best practices, and how these can be implemented in the agile application development model process at different stages.
This thesis is based on the literature which incorporates application development methods, security practices and security verification processes. Following the conceptual knowledge base, the case company application development and operation processes' current state evaluation was executed using the BSIMM framework. It was found that in case company Security Testing practice area activities' maturity level was remarkably lower than companies used in the comparison. The final proposal includes 20 high and medium level security activities to improve the case company application development and DevOps processes.