Smart Contract and DevSecOps

Recent years have brought significant changes in software development practices. The demand for continuous development has given rise to DevOps methodologies, which emphasise iterative and ongoing practices over sequential activities. Therefore, automation for development and operation practices have become widely adopted in enterprise scenarios, enabling individuals with different roles and responsibility to perform actions on the pipeline that regulate software development. With the automation of security measures and controls (DevSecOps), these actions and roles have gained increased importance and liability. The automation of security processes can lead to increased risk, both for the delivered product and the DevOps infrastructure as a whole. Unauthorised access, for instance, may result in unapproved changes reaching the production environment. Therefore, the purpose of this thesis work was to apply "security by design" principle through the use of modern technologies in order to mitigate these threats. To further improve system security and accountability for each entity's action, smart contracts were identified as a suitable solution. To validate the feasibility of the proposed approach, a proof of concept was built in association with a cybersecurity team of Security Reply. The presented system involves designing a permissioned blockchain network which can communicate with an enterprise-grade DevSecOps platform, secure digital assets and record executed operations. To enable the smart contract to receive off-chain information, a custom oracle was implemented that would relay received data to the network. Given the potential target of such a solution, and to provide an additional layer of security, an Hardware Security Module has been integrated in the proposed architecture to act as a Root of Trust and securely store sensitive information.