Designing the CI/CD Security Maturity Model
Master's thesis
Permanent link: https://hdl.handle.net/11250/3143420
Publication date: 2024
Abstract
With the rise of DevOps, the automation of software development processes, particularly continuous integration and continuous delivery/deployment (CI/CD), has increased significantly. Organizations leverage this automation to accelerate development and deploy more frequently. Despite the emphasis on speed, however, the integration of security practices into CI/CD pipelines often lags behind, which poses significant risk, as high-profile supply-chain compromises such as SolarWinds have shown. The existing literature and industry tooling lack a comprehensive framework for assessing the security posture of CI/CD pipelines; the frameworks that do exist rarely cover all the necessary security aspects in depth.
To address this gap, we developed a model, following design science principles, that lets organizations assess the security of their CI/CD pipelines. The model is delivered as a structured spreadsheet that converts questionnaire responses into numerical scores and aggregates them bottom-up across a set of focus areas. The resulting security levels can be visualized through several layers of abstraction, each representing a different aspect of pipeline security.
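To make the bottom-up scoring concrete, the following is an added illustration of how a questionnaire-driven maturity assessment can aggregate answers into focus-area levels and an overall pipeline level. It is not the thesis's spreadsheet or its catalogue of practices: the focus areas, practice identifiers, the yes/partial/no scale, the 0.8 threshold and the "no skipping levels" gating rule are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed answer scale; the thesis's actual scoring is not reproduced here.
ANSWER_SCORE = {"yes": 1.0, "partial": 0.5, "no": 0.0}


@dataclass(frozen=True)
class Practice:
    id: str
    focus_area: str
    level: int          # maturity level the practice belongs to (1 = lowest)
    description: str


# Constructed catalogue for illustration only; not the model's focus areas.
PRACTICES = [
    Practice("src-1", "Source control", 1, "Default branch is protected"),
    Practice("src-2", "Source control", 2, "Commits must be signed"),
    Practice("src-3", "Source control", 3, "Reviews required from code owners"),
    Practice("bld-1", "Build", 1, "Builds run on ephemeral, isolated runners"),
    Practice("bld-2", "Build", 2, "Dependencies are pinned by hash"),
    Practice("bld-3", "Build", 3, "Build provenance is attested"),
    Practice("sec-1", "Secrets", 1, "No secrets committed to the repository"),
    Practice("sec-2", "Secrets", 2, "Pipeline secrets are scoped per job"),
    Practice("sec-3", "Secrets", 3, "Short-lived credentials obtained via OIDC"),
]

# Constructed sample responses (what an assessor would fill in).
SAMPLE_RESPONSES = {
    "src-1": "yes", "src-2": "yes", "src-3": "no",
    "bld-1": "yes", "bld-2": "partial", "bld-3": "yes",
    "sec-1": "yes", "sec-2": "yes", "sec-3": "yes",
}


def score_responses(practices, responses):
    """Layer 1: turn each answer into a numeric score; refuse incomplete input."""
    missing = [p.id for p in practices if p.id not in responses]
    if missing:
        raise ValueError(f"unanswered practices: {missing}")
    return {p.id: ANSWER_SCORE[responses[p.id].lower()] for p in practices}


def level_scores(practices, scores):
    """Layer 2: average practice scores per (focus area, maturity level)."""
    buckets = defaultdict(list)
    for p in practices:
        buckets[(p.focus_area, p.level)].append(scores[p.id])
    per_area = defaultdict(dict)
    for (area, level), vals in buckets.items():
        per_area[area][level] = sum(vals) / len(vals)
    return dict(per_area)


def focus_area_level(levels, threshold=0.8):
    """Layer 3: highest level reached without skipping a lower one.

    A level only counts if every lower level also meets the threshold, so a
    pipeline with provenance attestation but unpinned dependencies is still
    rated at the level of its weakest satisfied prerequisite.
    """
    reached = 0
    for level in range(1, max(levels) + 1):
        if levels.get(level, 0.0) < threshold:
            break
        reached = level
    return reached


def assess(practices, responses, threshold=0.8):
    """Run all layers and report per-area levels plus the pipeline-wide view."""
    scores = score_responses(practices, responses)
    per_area = level_scores(practices, scores)
    area_levels = {a: focus_area_level(l, threshold) for a, l in per_area.items()}
    return {
        "practice_scores": scores,
        "focus_area_levels": area_levels,
        # Weakest focus area bounds the pipeline's overall maturity.
        "pipeline_level": min(area_levels.values()),
        "overall_score": round(sum(scores.values()) / len(scores), 3),
    }


if __name__ == "__main__":
    result = assess(PRACTICES, SAMPLE_RESPONSES)
    for area, level in result["focus_area_levels"].items():
        print(f"{area:15s} level {level}")
    print("pipeline level:", result["pipeline_level"])
    print("overall score: ", result["overall_score"])
```

The point of the gating rule is that a raw average hides gaps: in the sample data the "Build" area averages well but stays at level 1 because its level-2 practice is only partially in place, which is exactly the kind of weak link a bottom-up model is meant to expose.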
Our research comprised three multivocal literature reviews (MLRs). The first MLR identified the focus areas essential to a security-oriented maturity model. The second MLR mapped specific security practices to maturity levels. The third MLR investigated whether any existing security-oriented maturity model could be adapted. Our model, the CI/CD Security Maturity Model (CICDSecMM), is grounded in these reviews and enriched by insights from a series of interviews and a case study. After iterative cycles of building, evaluating and refining the model on the basis of interview feedback, we conducted a final case study to validate it in a real-world setting.