Integration of Security Standards in DevOps Pipelines: An Industry Case Study
Fabiola Moyón Constante, Rafael Soares, Maria Pinto-Albuquerque, Daniel Méndez, Kristian Beckers

TL;DR
This paper presents a systematic approach to integrating security standards into DevOps pipelines, specifically for industrial control systems, balancing security compliance with development agility.
Contribution
It introduces a novel method for automating security activities in DevOps pipelines tailored for industrial control systems and security standards.
Findings
Successful application at a large industrial company
Supports security compliance without sacrificing agility
Strengthens confidence in the approach's effectiveness
Abstract
In the last decade, companies have adopted DevOps as a fast path to deliver software products that meet customer expectations, with well-aligned teams working in continuous cycles. As a basic practice, DevOps relies on pipelines that mimic factory swim-lanes: the more automation in the pipeline, the shorter the lead time is supposed to be. However, applying DevOps is challenging, particularly for industrial control systems (ICS), which support critical infrastructures and must obey rigorous requirements from security regulations and standards. Current research on security-compliant DevOps leaves open gaps for this particular domain and, more generally, for the systematic application of security standards. In this paper, we present a systematic approach to integrating standard-based security activities into DevOps pipelines and highlight their automation potential. Our intention is to share our…
