Using a Semantic Knowledge Base to Improve the Management of Security Reports in Industrial DevOps Projects
Markus Voggenreiter, Ulrich Schöpp

TL;DR
This paper proposes a novel approach that treats security report findings as beliefs in a knowledge base, enabling continuous logical inference to improve feedback management in industrial DevOps security processes.
Contribution
It introduces a knowledge-base method for managing security reports that improves the quality of the feedback loop and addresses challenges observed in industrial projects.
Findings
Improved management of security reports in DevOps projects
Effective use of logical inference for security feedback
Positive industrial project evaluations
Abstract
Integrating security activities into the software development lifecycle to detect security flaws is essential for any project. These activities produce reports that must be managed and looped back to project stakeholders like developers to enable security improvements. This so-called Feedback Loop is a crucial part of any project and is required by various industrial security standards and models. However, the operation of this loop presents a variety of challenges. These challenges range from ensuring that feedback data is of sufficient quality, through providing different stakeholders with the information they need, to the enormous effort of managing the reports. In this paper, we propose a novel approach for treating findings from security activity reports as beliefs in a Knowledge Base (KB). By utilizing continuous logical inferences, we derive information necessary for practitioners and…
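The abstract is truncated and gives no design detail, so the following Python sketch is an added illustration of the general idea rather than the paper's implementation: each finding from a scanner report is stored as a belief with provenance (which tool reported it, in which scan), and forward-chaining rules derive the facts a stakeholder actually needs, namely the highest severity any tool assigned, whether a second tool corroborates the finding, whether it can be considered resolved because every tool that ever reported it has since scanned without it, and which team owns it. The tool names, scan ids, CWE identifiers, the CODEOWNERS-style owner map and the three rules are assumptions made for this example.

```python
"""Constructed illustration: security findings as beliefs in a small knowledge
base with forward-chaining inference. Example code written for this page, not
the paper's implementation; tools, scan ids, owners and rules are assumptions."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    component: str   # service or module the finding belongs to
    location: str    # file path or package coordinate
    cwe: str         # weakness identifier assigned by the tool
    severity: str    # severity as reported by that tool


@dataclass
class Belief:
    finding: Finding
    last_seen: dict = field(default_factory=dict)  # tool -> newest scan id containing it
    severity: str = "low"        # derived: highest severity any tool reported
    corroborated: bool = False   # derived: reported by more than one tool
    resolved: bool = False       # derived: every reporting tool has since scanned without it
    owner: str = "unassigned"    # derived: team responsible for the component


class KnowledgeBase:
    def __init__(self, owners):
        self.owners = owners   # component -> team (assumed CODEOWNERS-style map)
        self.beliefs = {}      # (component, location, cwe) -> Belief
        self.latest_scan = {}  # tool -> newest scan id ingested from that tool

    def assert_report(self, tool, scan_id, findings):
        """Ingest one tool's report as beliefs, then re-run inference."""
        self.latest_scan[tool] = max(scan_id, self.latest_scan.get(tool, 0))
        for f in findings:
            key = (f.component, f.location, f.cwe)
            belief = self.beliefs.setdefault(key, Belief(f))
            belief.last_seen[tool] = max(scan_id, belief.last_seen.get(tool, 0))
            if SEVERITY_RANK[f.severity] > SEVERITY_RANK[belief.severity]:
                belief.severity = f.severity
        self._infer()

    def _infer(self):
        for b in self.beliefs.values():
            b.corroborated = len(b.last_seen) >= 2
            # Resolved only when every tool that ever reported the finding has
            # produced a newer scan without it; one tool falling silent is not
            # enough, and a later re-report retracts the resolution belief.
            b.resolved = all(self.latest_scan[t] > s for t, s in b.last_seen.items())
            b.owner = self.owners.get(b.finding.component, "unassigned")

    def open_for(self, team):
        """Feedback view for one stakeholder: unresolved findings they own."""
        return sorted(
            (b for b in self.beliefs.values() if not b.resolved and b.owner == team),
            key=lambda b: (-SEVERITY_RANK[b.severity], not b.corroborated, b.finding.location),
        )


def snapshot(kb):
    """Compact view of derived beliefs: location -> (severity, corroborated, resolved)."""
    return {b.finding.location: (b.severity, b.corroborated, b.resolved)
            for b in kb.beliefs.values()}


def run_scenario():
    """Constructed scenario with two tools and a few scans; returns the KB and a
    snapshot after each report so the effect of every rule is visible."""
    kb = KnowledgeBase(owners={"payments-api": "team-payments"})
    sqli = Finding("payments-api", "src/db/query.py", "CWE-89", "high")
    secret = Finding("payments-api", "config/settings.py", "CWE-798", "medium")
    steps = []
    kb.assert_report("sast", 1, [sqli, secret])
    steps.append(snapshot(kb))
    # A second tool reports the same weakness at the same location, rated higher.
    kb.assert_report("dast", 1, [Finding("payments-api", "src/db/query.py", "CWE-89", "critical")])
    steps.append(snapshot(kb))
    # sast scan 2 is empty: the secret closes, but sqli stays open until dast rescans.
    kb.assert_report("sast", 2, [])
    steps.append(snapshot(kb))
    kb.assert_report("dast", 2, [])
    steps.append(snapshot(kb))
    # The secret reappears in sast scan 3: its resolution belief is retracted.
    kb.assert_report("sast", 3, [secret])
    steps.append(snapshot(kb))
    return kb, steps


if __name__ == "__main__":
    kb, steps = run_scenario()
    for i, s in enumerate(steps):
        print(f"after report {i + 1}: {s}")
    print("open for team-payments:", [b.finding.location for b in kb.open_for("team-payments")])
```

The resolution rule is the part worth dwelling on: closing a finding because one scanner stopped reporting it is a common source of false "fixed" status in feedback tooling, so the rule only marks a belief resolved once every tool that contributed it has run again without it, and a reappearance flips it back to open.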
