Abstract
Risk Management is a cornerstone of daily business operations that ensures their sustained viability over the long term. It is a critical function for any business as it helps identify potential threats and opportunities and enables informed decision-making. When placed within the context of critical infrastructures, a risk management profile attains a heightened dimension. The integration of security practices within the software development pipeline, commonly known as DevSecOps, is a novel approach to enhance software application security. This approach has been touted as a transformative solution that not only promotes the adoption of security practices but also provides financial benefits by mitigating risk levels and ensuring uninterrupted business operations. The objective of this paper is to present a conceptual framework to manage risk inside critical infrastructures in the DevSecOps context. This framework is built upon three pillars: action, state, and contrivance. It aims to: (i) facilitate the comprehension of risk, (ii) provide an incentive mechanism towards enhancing risk management, (iii) contribute to both human and machine contrivance, and (iv) ensure the quality of the information retrieved by involving all teams.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
European Commission: Communication from the Commission to the Council and the European Parliament - Critical Infrastructure Protection in the fight against terrorism. https://eur-lex.europa.eu/legal-content/GA/TXT/?uri=CELEX:52004DC0702
Rehak, D., Markuci, J., Hromada, M., Barcova, K.: Quantitative evaluation of the synergistic effects of failures in a critical infrastructure system. Int. J. Crit. Infrastruct. Prot. 14, 3–17 (2016). https://doi.org/10.1016/j.ijcip.2016.06.002
Esnoul, C., Colomo-Palacios, R., Jee, E., Chockalingam, S., Eidar Simensen, J., Bae, D.-H.: Report on the 3rd international workshop on engineering and cybersecurity of critical systems (EnCyCriS - 2022). SIGSOFT Softw. Eng. Notes. 48, 81–84 (2023). https://doi.org/10.1145/3573074.3573095
The European Programme for Critical Infrastructure Protection (EPCIP). https://home-affairs.ec.europa.eu/pages/page/critical-infrastructure_en
Critical Infrastructure Sectors | CISA. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
Presch-Cronin, K., Marion, N.E.: Critical Infrastructure Protection, Risk Management, and Resilience: A Policy Perspective. CRC Press, Boca Raton (2016)
Khan Babar, A.H., Ali, Y.: Framework construction for augmentation of resilience in critical infrastructure: developing countries a case in point. Technol. Soc. 68, 101809 (2022). https://doi.org/10.1016/j.techsoc.2021.101809
A Guide to Critical Infrastructure Security and Resilience. https://www.cisa.gov/search
Quitana, G., Molinos-Senante, M., Chamorro, A.: Resilience of critical infrastructure to natural hazards: a review focused on drinking water systems. Int. J. Disaster Risk Reduction 48, 101575 (2020). https://doi.org/10.1016/j.ijdrr.2020.101575
Fox, M.R.: IT Governance in a DevOps World. IT Prof. 22, 54–61 (2020). https://doi.org/10.1109/MITP.2020.2966614
Ramaj, X., Sánchez-Gordón, M., Gkioulos, V., Chockalingam, S., Colomo-Palacios, R.: Holding on to compliance while adopting DevSecOps: an SLR. Electronics 11, 3707 (2022). https://doi.org/10.3390/electronics11223707
Riungu-Kalliosaari, L., Mäkinen, S., Lwakatare, L.E., Tiihonen, J., Männistö, T.: DevOps adoption benefits and challenges in practice: a case study. In: Abrahamsson, P., Jedlitschka, A., Nguyen Duc, A., Felderer, M., Amasaki, S., Mikkonen, T. (eds.) PROFES 2016. LNCS, vol. 10027, pp. 590–597. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49094-6_44
Carturan, S.B.O.G., Goya, D.H.: A systems-of-systems security framework for requirements definition in cloud environment. In: Proceedings of the 13th European Conference on Software Architecture, vol. 2, pp. 235–240. Association for Computing Machinery, New York, NY, USA (2019)
ISO - ISO 31000 — Risk management. https://www.iso.org/iso-31000-risk-management.html
Computer Security Division, I.T.L.: NIST Risk Management Framework. https://csrc.nist.gov/Projects/risk-management
NIST Cybersecurity Framework. NIST (2013)
Compliance Risk Management Applying the COSO ERM Framework. https://www.coso.org/Shared%20Documents/Compliance-Risk-Management-Applying-the-COSO-ERM-Framework.pdf
1nstitute, F.: The Importance and Effectiveness of Quantifying Cyber Risk. https://www.fairinstitute.org/fair-risk-management
Project Management Institute ed: PMI Risk Management Framework. Project Management Institute, Newtown Square, Pa (2009)
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_octave.html
The CCTA Risk Analysis and Management Method (CRAMM). https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_cramm.html
Forsgren, N., Kersten, M.: DevOps metrics. Queue. 15 (2017). https://doi.org/10.1145/3159169
Plant, O.H., van Hillegersberg, J., Aldea, A.: Rethinking IT governance: designing a framework for mitigating risk and fostering internal control in a DevOps environment. Int. J. Account. Inf. Syst. 45, 100560 (2022). https://doi.org/10.1016/j.accinf.2022.100560
Aljohani, M.A., Alqahtani, S.S.: A unified framework for automating software security analysis in DevSecOps. In: 2023 International Conference on Smart Computing and Application (ICSCA), pp. 1–6 (2023)
Yasar, H.: Implementing Secure DevOps assessment for highly regulated environments. In: Proceedings of the 12th International Conference on Availability, Reliability and Security, pp. 1–3. Association for Computing Machinery, New York, NY, USA (2017)
Rafi, S., Yu, W., Akbar, M.A., Alsanad, A., Gumaei, A.: Prioritization based taxonomy of DevOps security challenges using PROMETHEE. IEEE Access 8, 105426–105446 (2020). https://doi.org/10.1109/ACCESS.2020.2998819
Woody, C.: DevSecOps pipeline for complex software-intensive systems: addressing cybersecurity challenges (2020)
State of DevOps Report 2021 | Puppet by Perforce. https://www.puppet.com/resources/state-of-devops-report
State of Devops Report 2017 (2017)
Senapathi, M., Buchan, J., Osman, H.: DevOps capabilities, practices, and challenges: insights from a case study. In: Proceedings of the 22nd International Conference on Evaluation and Assessment in Software Engineering 2018, pp. 57–67. ACM, Christchurch New Zealand (2018)
Lwakatare, L.E., et al.: DevOps in practice: a multiple case study of five companies. Inf. Softw. Technol. 114, 217–230 (2019). https://doi.org/10.1016/j.infsof.2019.06.010
Khurum, M., Gorschek, T., Wilson, M.: The software value map — an exhaustive collection of value aspects for the development of software intensive products. J. Softw. Evol. Process 25, 711–741 (2013). https://doi.org/10.1002/smr.1560
Ramaj, X., Sánchez-Gordón, M., Chockalingam, S., Colomo-Palacios, R.: Unveiling the safety aspects of DevSecOps: evolution, gaps and trends. Recent Adv. Comput. Sci. Commun. 16, 61–69 (2023)
DevOpsSec: Creating the Agile Triangle. https://www.gartner.com/en/documents/1896617
López-Peña, M.A., Díaz, J., Pérez, J.E., Humanes, H.: DevOps for IoT systems: fast and continuous monitoring feedback of system availability. IEEE Internet Things J. 7, 10695–10707 (2020). https://doi.org/10.1109/JIOT.2020.3012763
Fenton, N., Bieman, J.: Software Metrics: A Rigorous and Practical Approach, 3rd edn. CRC Press (2014)
Acknowledgements
This work is partially funded by the Research Council of Norway (RCN) in the INTPART program, under the project “Reinforcing Competence in Cybersecurity of Critical Infrastructures: A Norway-US Partnership (RECYCIN)”, with the project number #309911.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Ramaj, X., Colomo-Palacios, R., Sánchez-Gordón, M., Gkioulos, V. (2023). Towards a DevSecOps-Enabled Framework for Risk Management of Critical Infrastructures. In: Yilmaz, M., Clarke, P., Riel, A., Messnarz, R. (eds) Systems, Software and Services Process Improvement. EuroSPI 2023. Communications in Computer and Information Science, vol 1890. Springer, Cham. https://doi.org/10.1007/978-3-031-42307-9_4
Download citation
DOI: https://doi.org/10.1007/978-3-031-42307-9_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-42306-2
Online ISBN: 978-3-031-42307-9
eBook Packages: Computer ScienceComputer Science (R0)