Resilient Cloud cluster with DevSecOps security model, automates a data analysis, vulnerability search and risk calculation
Abed Saif Ahmed Alghawli, Tamara Radivilova

TL;DR
This paper presents a resilient cloud cluster integrated with DevSecOps practices that automates vulnerability detection, risk assessment, and real-time threat modeling to enhance security in web application development.
Contribution
It introduces an automated risk assessment algorithm based on FAIR methodology, integrated into a cloud cluster deployment using Terraform and Jenkins, for continuous security monitoring.
Findings
Automated vulnerability detection during development
Real-time risk assessment with quantitative metrics
Enhanced security through continuous monitoring and adjustment
Abstract
Automated, secure software development is an important task of digitalization, which is solved with the DevSecOps approach. An important part of the DevSecOps approach is continuous risk assessment, which is necessary to identify and evaluate risk factors. Combining the development cycle with continuous risk assessment creates synergies in software development and operation and minimizes vulnerabilities. The article presents the main methods of deploying web applications, ways to increase the level of information security at all stages of product development, compares different types of infrastructures and cloud computing providers, and analyzes modern tools used to automate processes. The cloud cluster was deployed using Terraform and the Jenkins pipeline, which is written in the Groovy programming language, which checks program code for vulnerabilities and allows you to fix violations…
