dc.description.abstract | With the rise of DevOps, the automation of software development processes such as CI/CD,
particularly integration and operation, has increased significantly. Organizations are
leveraging these advancements to accelerate development and increase the frequency of
deployments. However, despite the emphasis on speed, the integration of security practices
within CI/CD pipelines often lags behind, posing significant risks, as exemplified by high-profile
breaches such as SolarWinds. The existing literature and industry tools lack comprehensive
frameworks for adequately assessing the security posture of CI/CD pipelines. Although some
frameworks exist, they often fail to address all necessary security aspects in sufficient
depth.
To address this gap, we have developed a model based on design science principles that
allows organizations to assess the security of their CI/CD pipelines. This is achieved through
a structured spreadsheet that converts responses into numerical scores, facilitating a bottom-up
assessment of security across various focus areas. The model enables the visualization of
security levels through multiple layers of abstraction, each representing a different aspect of
security.
Our research included three multivocal literature reviews (MLRs). The first MLR identified
critical focus areas essential for a security-oriented maturity model. The second MLR
mapped specific security practices to different maturity levels. The third MLR investigated
whether any existing security-oriented maturity models could be adapted. Our model, the
CI/CD Security Maturity Model (CICDSecMM), is grounded in these literature reviews and
enriched by insights from numerous interviews and a case study. Through iterative cycles of
building, evaluating, and refining the model based on interview feedback, we conducted a
final case study to validate the model in a real-world setting. | |