3034                                 Journal of Software  软件学报 Vol.32, No.10, October 2021

                [48]    Dobran B. How DevOps security best practices delivers more secure software. 2019. https://phoenixnap.com/blog/devops-security-
                     best-practices
                [49]    Ferrante D. Software licensing models: What’s out there? IT Professional, 2006,8(6):2429.
                [50]    United States Court of  Appeals. Federal  Circuit. JACOBSEN v.  KATZER. 2018. https://www.leagle.com/decision/
                     infco20080813083
                [51]    Million T, Adatia R, McCann A, Vinen N. Secure flexible plugin software architecture. U.S. Patent No. 6,742,176. 2014-05-15.
                [52]    National  Cyber Security  Centre. Secure development  and deployment guidance. 2018. https://www.ncsc.gov.uk/collection/
                     developers-collection
                [53]    Baum T, Liskin O, Niklas K, Schneider K. A faceted classification scheme for change-based industrial code review processes. In:
                     Proc. of the 2016 IEEE Int’l Conf. on Software Quality, Reliability and Security (QRS). Vienna: IEEE, 2016. 7485.
                [54]    Plank M. DevOps+security=DevSecOps. 2017. https://www.dynatrace.com/news/blog/devops-security-devsecops/
                [55]    Chess B, West J. Secure Programming with Static Analysis. Pearson Education, 2007.
                [56]    Ratliff E. Establishing correspondence  between an application and  its  source code.  2016.  https://www.securityweek.com/
                     establishing-correspondence-between-application-and-its-source-code
                [57]    Mansfield-Devine S. DevOps: Finding room for security. Network Security, 2018,2018(7):1520.
                [58]    Nuseibeh R. An introduction to IAST. 2017. https://www.checkmarx.com/2017/07/13/an-introduction-to-iast/
                [59]    Newman H. Hacker lexicon: What is application shielding? 2019. https://www.wired.com/story/what-is-application-shielding/
                [60]    Poolsappasit N, Dewri R, Ray I. Dynamic security risk management using bayesian attack graphs. IEEE Trans. on Dependable and
                     Secure Computing, 2011,9(1):6174.
                [61]    Vernon M. DevSecOps: The intersection of DevOps and security. 2019. https://victorops.com/blog/devsecops-the-intersection-of-
                     devops-and-security
                [62]    Twain T. From agile to DevSecOps. 2019. https://thenewstack.io/from-agile-to-devsecops/
                [63]    Combe T, Martin A, Pietro R. To docker or not to docker: A security perspective. IEEE Cloud Computing, 2016,3(5):5462.
                [64]    Basiri A, Behnam N, De Roogi R, et al. Chaos engineering. IEEE Software, 2016,33(3):3541.
                [65]    DXC. Take  a risk-based  approach to DevSecOps:  Embedding  cyber security in  application development. https://www.dxc.
                     echnology/security/insights/144315-take_a_risk_based_approach_to_devsecops_embedding_cyber_security_in_application_
                     development.html
                [66]    Brown N, Cai Y, Guo Y, et al. Managing technical debt in software-reliant systems. In: Proc. of the FSE/SDP Workshop on Future
                     of Software Engineering Research. 2010. 4752.
                [67]    Liao HJ, Lin CHR, Lin YC,  et  al.  Intrusion  detection  system: A comprehensive review.  Journal of  Network and Computer
                     Applications, 2013,36(1):1624.
                [68]    Microsoft. Threat modeling. https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
                [69]    Rose  M. Shifting to  DevSecOps,  with software security testing built in. 2019. https://www.checkmarx.com/blog/devsecops-
                     software-security-testing
                [70]    OWASP. Security champions. 2019. https://www.owasp.org/index.php/Security_Champions
                [71]    Cardoza  C.  DevSecOps:  Baking security  into development. SDTimes. 2017. https://sdtimes.com/collabnet/devsecops-baking-
                     security-devops/
                [72]    Hornbeek M. 9  pillars of  continuous security best practices. 2019. https://devops.com/9-pillars-of-continuous-security-best-
                     practices/
                [73]    Wicket J. The DevOps RoadMap for security. Technical Report, Signal Sciences, 2016.
                [74]    Chicoski B. Orchestrating DevSecOps: Security at speed. 2018. https://www.cloudbees.com/blog/orchestrating-devsecops-security-
                     speed/
                [75]    GiladMaayan. DevSecOps:  Security and DevOps working  together.  2019.  https://developer.ibm.com/recipes/tutorials/devsecops-
                     security-and-devops-working-together/
                [76]    Chaudhry A. What is DevSecOps? 2018. https://dev.to/aditichaudhry92/what-is-devsecops-gge
                [77]    Crouch A. DevSecOps: Incorporate security into DevOps to reduce software risk. 2017. https://www.agileconnection.com/article/
                     devsecops-incorporate-security-devops-reduce-software-risk
                [78]    Sumo Logic. The state of modern applications & DevSecOps in the cloud. Technical Report, 2018.
                [79]    Ghosh S. Time to move from DevOps to DevSecOps, finds latest CIO survey. 2019. https://www.aithority.com/ait-featured-posts/
                     time-to-move-from-devops-to-devsecops-finds-latest-cio-survey/
                [80]    Shackleford D. A DevSecOps playbook. Technical Report, SANS Institute, 2016.