Skip to main content
SpringerLink
Log in

Towards a DevSecOps-Enabled Framework for Risk Management of Critical Infrastructures

  • Conference paper
  • First Online:
Systems, Software and Services Process Improvement (EuroSPI 2023)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1890))

Included in the following conference series:

  • 511 Accesses

Abstract

Risk Management is a cornerstone of daily business operations that ensures their sustained viability over the long term. It is a critical function for any business as it helps identify potential threats and opportunities and enables informed decision-making. When placed within the context of critical infrastructures, a risk management profile attains a heightened dimension. The integration of security practices within the software development pipeline, commonly known as DevSecOps, is a novel approach to enhance software application security. This approach has been touted as a transformative solution that not only promotes the adoption of security practices but also provides financial benefits by mitigating risk levels and ensuring uninterrupted business operations. The objective of this paper is to present a conceptual framework to manage risk inside critical infrastructures in the DevSecOps context. This framework is built upon three pillars: action, state, and contrivance. It aims to: (i) facilitate the comprehension of risk, (ii) provide an incentive mechanism towards enhancing risk management, (iii) contribute to both human and machine contrivance, and (iv) ensure the quality of the information retrieved by involving all teams.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. European Commission: Communication from the Commission to the Council and the European Parliament - Critical Infrastructure Protection in the fight against terrorism. https://eur-lex.europa.eu/legal-content/GA/TXT/?uri=CELEX:52004DC0702

  2. Rehak, D., Markuci, J., Hromada, M., Barcova, K.: Quantitative evaluation of the synergistic effects of failures in a critical infrastructure system. Int. J. Crit. Infrastruct. Prot. 14, 3–17 (2016). https://doi.org/10.1016/j.ijcip.2016.06.002

    Article  Google Scholar 

  3. Esnoul, C., Colomo-Palacios, R., Jee, E., Chockalingam, S., Eidar Simensen, J., Bae, D.-H.: Report on the 3rd international workshop on engineering and cybersecurity of critical systems (EnCyCriS - 2022). SIGSOFT Softw. Eng. Notes. 48, 81–84 (2023). https://doi.org/10.1145/3573074.3573095

    Article  Google Scholar 

  4. The European Programme for Critical Infrastructure Protection (EPCIP). https://home-affairs.ec.europa.eu/pages/page/critical-infrastructure_en

  5. Critical Infrastructure Sectors | CISA. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors

  6. Presch-Cronin, K., Marion, N.E.: Critical Infrastructure Protection, Risk Management, and Resilience: A Policy Perspective. CRC Press, Boca Raton (2016)

    Book  Google Scholar 

  7. Khan Babar, A.H., Ali, Y.: Framework construction for augmentation of resilience in critical infrastructure: developing countries a case in point. Technol. Soc. 68, 101809 (2022). https://doi.org/10.1016/j.techsoc.2021.101809

    Article  Google Scholar 

  8. A Guide to Critical Infrastructure Security and Resilience. https://www.cisa.gov/search

  9. Quitana, G., Molinos-Senante, M., Chamorro, A.: Resilience of critical infrastructure to natural hazards: a review focused on drinking water systems. Int. J. Disaster Risk Reduction 48, 101575 (2020). https://doi.org/10.1016/j.ijdrr.2020.101575

    Article  Google Scholar 

  10. Fox, M.R.: IT Governance in a DevOps World. IT Prof. 22, 54–61 (2020). https://doi.org/10.1109/MITP.2020.2966614

    Article  Google Scholar 

  11. Ramaj, X., Sánchez-Gordón, M., Gkioulos, V., Chockalingam, S., Colomo-Palacios, R.: Holding on to compliance while adopting DevSecOps: an SLR. Electronics 11, 3707 (2022). https://doi.org/10.3390/electronics11223707

    Article  Google Scholar 

  12. Riungu-Kalliosaari, L., Mäkinen, S., Lwakatare, L.E., Tiihonen, J., Männistö, T.: DevOps adoption benefits and challenges in practice: a case study. In: Abrahamsson, P., Jedlitschka, A., Nguyen Duc, A., Felderer, M., Amasaki, S., Mikkonen, T. (eds.) PROFES 2016. LNCS, vol. 10027, pp. 590–597. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49094-6_44

    Chapter  Google Scholar 

  13. Carturan, S.B.O.G., Goya, D.H.: A systems-of-systems security framework for requirements definition in cloud environment. In: Proceedings of the 13th European Conference on Software Architecture, vol. 2, pp. 235–240. Association for Computing Machinery, New York, NY, USA (2019)

    Google Scholar 

  14. ISO - ISO 31000 — Risk management. https://www.iso.org/iso-31000-risk-management.html

  15. Computer Security Division, I.T.L.: NIST Risk Management Framework. https://csrc.nist.gov/Projects/risk-management

  16. NIST Cybersecurity Framework. NIST (2013)

    Google Scholar 

  17. Compliance Risk Management Applying the COSO ERM Framework. https://www.coso.org/Shared%20Documents/Compliance-Risk-Management-Applying-the-COSO-ERM-Framework.pdf

  18. 1nstitute, F.: The Importance and Effectiveness of Quantifying Cyber Risk. https://www.fairinstitute.org/fair-risk-management

  19. Project Management Institute ed: PMI Risk Management Framework. Project Management Institute, Newtown Square, Pa (2009)

    Google Scholar 

  20. The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_octave.html

  21. The CCTA Risk Analysis and Management Method (CRAMM). https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_cramm.html

  22. Forsgren, N., Kersten, M.: DevOps metrics. Queue. 15 (2017). https://doi.org/10.1145/3159169

  23. Plant, O.H., van Hillegersberg, J., Aldea, A.: Rethinking IT governance: designing a framework for mitigating risk and fostering internal control in a DevOps environment. Int. J. Account. Inf. Syst. 45, 100560 (2022). https://doi.org/10.1016/j.accinf.2022.100560

    Article  Google Scholar 

  24. Aljohani, M.A., Alqahtani, S.S.: A unified framework for automating software security analysis in DevSecOps. In: 2023 International Conference on Smart Computing and Application (ICSCA), pp. 1–6 (2023)

    Google Scholar 

  25. Yasar, H.: Implementing Secure DevOps assessment for highly regulated environments. In: Proceedings of the 12th International Conference on Availability, Reliability and Security, pp. 1–3. Association for Computing Machinery, New York, NY, USA (2017)

    Google Scholar 

  26. Rafi, S., Yu, W., Akbar, M.A., Alsanad, A., Gumaei, A.: Prioritization based taxonomy of DevOps security challenges using PROMETHEE. IEEE Access 8, 105426–105446 (2020). https://doi.org/10.1109/ACCESS.2020.2998819

    Article  Google Scholar 

  27. Woody, C.: DevSecOps pipeline for complex software-intensive systems: addressing cybersecurity challenges (2020)

    Google Scholar 

  28. State of DevOps Report 2021 | Puppet by Perforce. https://www.puppet.com/resources/state-of-devops-report

  29. State of Devops Report 2017 (2017)

    Google Scholar 

  30. Senapathi, M., Buchan, J., Osman, H.: DevOps capabilities, practices, and challenges: insights from a case study. In: Proceedings of the 22nd International Conference on Evaluation and Assessment in Software Engineering 2018, pp. 57–67. ACM, Christchurch New Zealand (2018)

    Google Scholar 

  31. Lwakatare, L.E., et al.: DevOps in practice: a multiple case study of five companies. Inf. Softw. Technol. 114, 217–230 (2019). https://doi.org/10.1016/j.infsof.2019.06.010

    Article  Google Scholar 

  32. Khurum, M., Gorschek, T., Wilson, M.: The software value map — an exhaustive collection of value aspects for the development of software intensive products. J. Softw. Evol. Process 25, 711–741 (2013). https://doi.org/10.1002/smr.1560

    Article  Google Scholar 

  33. Ramaj, X., Sánchez-Gordón, M., Chockalingam, S., Colomo-Palacios, R.: Unveiling the safety aspects of DevSecOps: evolution, gaps and trends. Recent Adv. Comput. Sci. Commun. 16, 61–69 (2023)

    Google Scholar 

  34. DevOpsSec: Creating the Agile Triangle. https://www.gartner.com/en/documents/1896617

  35. López-Peña, M.A., Díaz, J., Pérez, J.E., Humanes, H.: DevOps for IoT systems: fast and continuous monitoring feedback of system availability. IEEE Internet Things J. 7, 10695–10707 (2020). https://doi.org/10.1109/JIOT.2020.3012763

    Article  Google Scholar 

  36. Fenton, N., Bieman, J.: Software Metrics: A Rigorous and Practical Approach, 3rd edn. CRC Press (2014)

    Google Scholar 

Download references

Acknowledgements

This work is partially funded by the Research Council of Norway (RCN) in the INTPART program, under the project “Reinforcing Competence in Cybersecurity of Critical Infrastructures: A Norway-US Partnership (RECYCIN)”, with the project number #309911.

Author information

Authors and Affiliations

  1. Østfold University College, 1757, Halden, Norway

    Xhesika Ramaj & Mary Sánchez-Gordón

  2. Escuela Técnica Superior de Ingenieros Informáticos, Universidad Politécnica de Madrid, 28660, Madrid, Spain

    Ricardo Colomo-Palacios

  3. Norwegian University of Science and Technology, 2802, Gjøvik, Norway

    Vasileios Gkioulos

Authors
  1. Xhesika Ramaj
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ricardo Colomo-Palacios
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mary Sánchez-Gordón
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Vasileios Gkioulos
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mary Sánchez-Gordón .

Editor information

Editors and Affiliations

  1. Gazi University, Ankara, Türkiye

    Murat Yilmaz

  2. Dublin City University, Dublin, Ireland

    Paul Clarke

  3. Grenoble Alpes University, Grenoble, France

    Andreas Riel

  4. I.S.C.N. GesmbH, Graz, Austria

    Richard Messnarz

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ramaj, X., Colomo-Palacios, R., Sánchez-Gordón, M., Gkioulos, V. (2023). Towards a DevSecOps-Enabled Framework for Risk Management of Critical Infrastructures. In: Yilmaz, M., Clarke, P., Riel, A., Messnarz, R. (eds) Systems, Software and Services Process Improvement. EuroSPI 2023. Communications in Computer and Information Science, vol 1890. Springer, Cham. https://doi.org/10.1007/978-3-031-42307-9_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-42307-9_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-42306-2

  • Online ISBN: 978-3-031-42307-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation