Practical Framework for Continuous Security
Vainio, Mike (2023)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2023112030202
Abstract
This thesis seeks to identify a structured way for integrating security seamlessly with a DevOps driven software development and delivery process. Instead of relying on specialised security personnel, this thesis describes methods and practices that aim to be easy to adopt and actionable for anyone working within the software development or delivery process.
This thesis used applied action research as its research approach. The research design consisted of five steps and three data collection rounds. The first data collection round was for the current state analysis of the case company’s security processes and practices; it consisted of one-to-one interviews, workshops, and a survey. The second data collection round was for proposal building; it consisted of peer reviews, interviews and a workshop. The third data collection round was for validation of the initial proposal; it consisted of a workshop.
The current state analysis describes and analyses the case company’s existing security processes and practices. The findings from the current state analysis helped to identify areas for the literature and best practice search that resulted in building the conceptual framework. The findings from both current state analysis and existing knowledge helped to shape the initial proposal in the next stage, proposal building.
The proposal was built in three steps. First, initial scoping and planning was done in small workshops to find a suitable structured approach to security that is relevant in the case company's context. Second, the initial materials were distilled into a draft of the proposal, and feedback and suggestions on the draft were gathered. Third, using the feedback from the second step, the draft of the proposal was updated and more practical information and examples were developed into the proposal.
As the outcome, the thesis demonstrated how security can be integrated into a DevOps driven software development and delivery process via a security framework. The identified structured way for integrating security practices into the DevOps driven process provides both high level strategic guidance for effective communication and low level practical guidance for actionable steps. The practical implementation of the structured approach lays a foundation for secure implementations of future projects.