Automated Security Findings Management: A Case Study in Industrial DevOps
- URL: http://arxiv.org/abs/2401.06602v1
- Date: Fri, 12 Jan 2024 14:35:51 GMT
- Title: Automated Security Findings Management: A Case Study in Industrial DevOps
- Authors: Markus Voggenreiter, Florian Angermeir, Fabiola Moyón, Ulrich Schöpp and Pierre Bonvin
- Abstract summary: We propose a methodology for the management of security findings in industrial DevOps projects.
As an instance of the methodology, we developed the Security Flama, a semantic knowledge base for the automated management of security findings.
- Score: 3.7798600249187295
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: In recent years, DevOps, the unification of development and operation
workflows, has become a trend in the industrial software development
lifecycle. Security activities have become an essential field of application
for DevOps principles, as they are a fundamental part of secure software
development in industry. A common practice arising from this trend is the
automation of security tests that analyze a software product from several
perspectives. To effectively improve the security of the analyzed product, the
identified security findings must be managed and looped back to the project
team so that stakeholders can take action. This management must cope with
several challenges, ranging from low data quality to consistent prioritization
of findings, while following DevOps aims. To manage security findings with the
same efficiency as other activities in DevOps projects, a methodology for the
management of industrial security findings that respects DevOps principles is
essential.
In this paper, we propose a methodology for the management of security
findings in industrial DevOps projects, summarizing our research in this domain
and presenting the resulting artifact. As an instance of the methodology, we
developed the Security Flama, a semantic knowledge base for the automated
management of security findings. To analyze the impact of our methodology on
industrial practice, we performed a case study on two DevOps projects of a
multinational industrial enterprise. The results emphasize the importance of
using such an automated methodology in industrial DevOps projects, confirm our
approach's usefulness and positive impact on the studied projects, and identify
the communication strategy as a crucial factor for usability in practice.
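The loop the abstract describes (collect reports from several security tools, cope with low data quality, deduplicate, prioritize consistently, hand the result back to the project team) in miniature, as an added example. This is not the Security Flama or any code from the paper; the tool names, report schemas, severity mapping, scoring weights, exposed-path list and every finding in the sample reports are constructed for illustration, and the CVE identifier is a placeholder.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed reports from three hypothetical scanners, each with its own schema.
SAST_A_REPORT = json.dumps({"tool": "sast-a", "results": [
    {"cwe": "CWE-89", "level": "ERROR", "path": "src/api/users.py", "line": 42, "msg": "SQL injection"},
    {"cwe": "CWE-89", "level": "ERROR", "path": "src/api/users.py", "line": 42, "msg": "SQL injection"},  # exact repeat
    {"cwe": "CWE-798", "level": "WARNING", "path": "src/config.py", "line": 7, "msg": "Hardcoded credential"},
    {"cwe": "CWE-798", "level": "WARNING", "msg": "Hardcoded credential"},  # low data quality: no location
]})
SAST_B_REPORT = json.dumps({"tool": "sast-b", "issues": [
    {"cwe": "CWE-89", "severity": "High", "file": "src/api/users.py", "line": 42, "title": "SQL Injection"},
    {"cwe": "CWE-79", "severity": "Medium", "file": "src/web/render.py", "line": 88, "title": "Reflected XSS"},
]})
SCA_REPORT = json.dumps({"tool": "sca", "vulnerabilities": [  # placeholder CVE id, not a real advisory
    {"id": "CVE-0000-0001", "package": "requests", "version": "2.19.0", "cvss": 9.8, "cwe": "CWE-200"},
]})

SEVERITY_RANK = {"critical": 100, "high": 70, "medium": 40, "low": 10, "info": 0}
EXPOSED_PREFIXES = ("src/api/",)  # constructed: code paths reachable from the network


@dataclass(frozen=True)
class Finding:
    tool: str
    cwe: str
    location: str   # "path:line" for code, "package@version" for dependencies
    severity: str   # one of SEVERITY_RANK
    title: str


def bucket_from_cvss(score: float) -> str:
    """Map a CVSS base score onto the common severity scale."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "info"


def normalize(report_json: str) -> Tuple[List[Finding], List[str]]:
    """Translate one tool-specific report into Findings; quarantine unusable records."""
    report = json.loads(report_json)
    tool = report.get("tool", "?")
    accepted: List[Finding] = []
    rejected: List[str] = []
    if tool == "sast-a":
        levels = {"ERROR": "high", "WARNING": "medium", "NOTE": "low"}
        for r in report["results"]:
            if "path" not in r or "line" not in r:
                rejected.append(f"{tool}: {r.get('msg')} has no location")
                continue
            accepted.append(Finding(tool, r["cwe"], f"{r['path']}:{r['line']}",
                                    levels.get(r["level"], "info"), r["msg"]))
    elif tool == "sast-b":
        for i in report["issues"]:
            accepted.append(Finding(tool, i["cwe"], f"{i['file']}:{i['line']}",
                                    i["severity"].lower(), i["title"]))
    elif tool == "sca":
        for v in report["vulnerabilities"]:
            accepted.append(Finding(tool, v["cwe"], f"{v['package']}@{v['version']}",
                                    bucket_from_cvss(v["cvss"]), v["id"]))
    else:
        rejected.append(f"{tool}: unknown report schema")
    return accepted, rejected


def fingerprint(f: Finding) -> str:
    """Tool-independent identity: the same weakness at the same place collapses."""
    return hashlib.sha256(f"{f.cwe}|{f.location}".encode()).hexdigest()[:16]


def deduplicate(findings: List[Finding]) -> Dict[str, List[Finding]]:
    groups: Dict[str, List[Finding]] = {}
    for f in findings:
        groups.setdefault(fingerprint(f), []).append(f)
    return groups


def prioritize(groups: Dict[str, List[Finding]]) -> List[dict]:
    """Score each deduplicated finding the same way regardless of reporting tool."""
    tickets = []
    for fp, fs in groups.items():
        tools = sorted({f.tool for f in fs})
        score = max(SEVERITY_RANK[f.severity] for f in fs)
        score += 15 * (len(tools) - 1)            # corroborated by several tools
        if fs[0].location.startswith(EXPOSED_PREFIXES):
            score += 20                           # sits on a network-exposed path
        tickets.append({"fingerprint": fp, "score": score, "cwe": fs[0].cwe,
                        "location": fs[0].location, "title": fs[0].title, "tools": tools})
    tickets.sort(key=lambda t: (-t["score"], t["title"]))
    return tickets


def manage(reports: List[str]) -> dict:
    """Full loop: tool reports in, ranked tickets for the project team out."""
    findings, rejected = [], []
    for rep in reports:
        ok, bad = normalize(rep)
        findings.extend(ok)
        rejected.extend(bad)
    return {"tickets": prioritize(deduplicate(findings)), "rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(manage([SAST_A_REPORT, SAST_B_REPORT, SCA_REPORT]), indent=2))
```

Two design points matter in practice. The fingerprint is computed from the normalized weakness class and location only, so two tools reporting the same defect under different rule names and severity scales become one ticket, and the record without a location is quarantined with a reason rather than silently dropped or ranked. The fingerprint only catches exact matches, though; findings that describe the same problem in different words or at slightly different locations still need a similarity-based clustering step, which is the subject of the related paper on semantic clustering listed below.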
Related papers
- Bridging the Gap: A Study of AI-based Vulnerability Management between Industry and Academia [4.4037442949276455]
Recent research advances in Artificial Intelligence (AI) have yielded promising results for automated software vulnerability management.
The industry remains very cautious and selective about integrating AI-based techniques into their security vulnerability management workflow.
We propose a set of future directions to help better understand industry expectations, improve the practical usability of AI-based security vulnerability research, and drive a synergistic relationship between industry and academia.
arXiv Detail & Related papers (2024-05-03T19:00:50Z)
- AI for DevSecOps: A Landscape and Future Opportunities [6.513361705307775]
We analyzed 99 research papers spanning from 2017 to 2023.
We identified 12 tasks associated with the DevOps process and reviewed existing AI-driven security approaches.
We discovered 15 challenges encountered by existing AI-driven security approaches.
arXiv Detail & Related papers (2024-04-07T07:24:58Z)
- The current state of security -- Insights from the German software industry [0.0]
This paper outlines the main ideas of secure software development that have been discussed in the literature.
A dataset on implementation in practice is gathered through qualitative interview research involving 20 companies.
arXiv Detail & Related papers (2024-02-13T13:05:10Z)
- DevOps and Agile Methods Integrated Software Configuration Management Experience [0.0]
The aim of this study is to examine the differences and benefits that innovative methods bring to the software configuration management field when compared to traditional methods.
Improvements are seen in build and deployment time, automated report generation, and more accurate and fault-free version management.
arXiv Detail & Related papers (2023-06-24T13:40:27Z)
- Evaluating Model-free Reinforcement Learning toward Safety-critical Tasks [70.76757529955577]
This paper revisits prior work in this scope from the perspective of state-wise safe RL.
We propose Unrolling Safety Layer (USL), a joint method that combines safety optimization and safety projection.
To facilitate further research in this area, we reproduce related algorithms in a unified pipeline and incorporate them into SafeRL-Kit.
arXiv Detail & Related papers (2022-12-12T06:30:17Z)
- Semantic Similarity-Based Clustering of Findings From Security Testing Tools [1.6058099298620423]
In particular, it is common practice to use automated security testing tools that generate reports after inspecting a software artifact from multiple perspectives.
To identify these duplicate findings manually, a security expert has to invest resources like time, effort, and knowledge.
In this study, we investigated the potential of applying Natural Language Processing for clustering semantically similar security findings.
arXiv Detail & Related papers (2022-11-20T19:03:19Z)
- Constrained Reinforcement Learning for Robotics via Scenario-Based Programming [64.07167316957533]
It is crucial to optimize the performance of DRL-based agents while providing guarantees about their behavior.
This paper presents a novel technique for incorporating domain-expert knowledge into a constrained DRL training loop.
Our experiments demonstrate that using our approach to leverage expert knowledge dramatically improves the safety and the performance of the agent.
arXiv Detail & Related papers (2022-06-20T07:19:38Z)
- Empowered and Embedded: Ethics and Agile Processes [60.63670249088117]
We argue that ethical considerations need to be embedded into the (agile) software development process.
We put emphasis on the possibility to implement ethical deliberations in already existing and well established agile software development processes.
arXiv Detail & Related papers (2021-07-15T11:14:03Z)
- Artificial Intelligence for IT Operations (AIOPS) Workshop White Paper [50.25428141435537]
Artificial Intelligence for IT Operations (AIOps) is an emerging interdisciplinary field arising at the intersection of machine learning, big data, streaming analytics, and the management of IT operations.
The main aim of the AIOPS workshop is to bring together researchers from both academia and industry to present their experiences, results, and work in progress in this field.
arXiv Detail & Related papers (2021-01-15T10:43:10Z)
- Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)
- AI-based Modeling and Data-driven Evaluation for Smart Manufacturing Processes [56.65379135797867]
We propose a dynamic algorithm for gaining useful insights about semiconductor manufacturing processes.
We elaborate on the utilization of a Genetic Algorithm and Neural Network to propose an intelligent feature selection algorithm.
arXiv Detail & Related papers (2020-08-29T14:57:53Z)
This list is automatically generated from the titles and abstracts of the papers in this site.