3032 Journal of Software 软件学报 Vol.32, No.10, October 2021
the research gap in the domestic DevSecOps field, helping researchers understand the meaning and content of DevSecOps and providing theoretical and practical guidance for enterprises that are actually adopting DevSecOps. On this basis, this paper also proposes several possible future directions for DevSecOps research and practice. Specifically, taking the CAMS theoretical model as its basis, this paper compares the differences between DevSecOps and DevOps along four dimensions (culture, automation, measurement, and sharing), elaborates in detail on the new content that DevSecOps adds, and compares the relationships among these four dimensions within DevSecOps. In addition, this paper focuses on summarizing and introducing some typical security practices that can be applied within the DevOps process, dividing them into two categories, stage-specific practices and general practices, and thereby gives a systematic and comprehensive account of the current state of DevSecOps practice that can, to some extent, guide industry in actually adopting DevSecOps. Stage-specific practices are based on the DevOps process diagram: they summarize in detail the relationships among the individual stages and, based on the characteristics of each stage, give concrete security assurance measures applicable to each of the different stages; general practices focus more on improving an enterprise's security culture and security management. The two types of practice complement and reinforce each other, and offer strong practical guidance for improving an enterprise's actual workflow. Finally, we also summarize the benefits and challenges that actually adopting DevSecOps may bring, and look ahead to future development trends and research directions. Although DevSecOps solutions are not yet mature, with the advancement of technology and the deepening of research, DevSecOps will eventually overcome these obstacles, form a more universally applicable scientific theoretical system, and be widely applied in real enterprise production.