Politecnico di Torino (logo)

Definition of a DevSecOps Operating Model for software development in a large Enterprise

Valentina Tortoriello

Definition of a DevSecOps Operating Model for software development in a large Enterprise.

Rel. Luca Ardito, Francesco Floris. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2022

PDF (Tesi_di_laurea) - Tesi
Licenza: Creative Commons Attribution Non-commercial No Derivatives.

Download (6MB) | Preview

Information Technology landscape is one of the fastest moving, with new products released everyday made available to millions of users: it is then very important for Technology companies to keep up with this pace if they want to be competitive. A determining factor in the success of a software development company is the adopted methodology: the trend is to switch from Waterfall and sequential methodologies, which are slow and expensive, towards Agile and iterative methodologies, that allow faster software development reducing the products’ time to market. Among Agile methodologies, we will deep dive into DevOps: the aim of this strategy is to break down the siloed organization between Development and Operations teams, by composing instead cross-functional teams which have end-to-end responsibility for the product lifecycle. This is achieved through processes automation, which is key to improve the speed of development and release and also reduces human errors that are introduced in lengthy and repetitive tasks: tools are used to implement CI/CD (Continuous Integration/Continuous Delivery) of new software and functionalities, which are released more frequently and are more maintainable. Faster development and release of software must not come at the expenses of quality and security of the product: security was often seen as an obstacle to the release of the product to the market and the consequent revenue. If in traditional sequential models the security team had the opportunity to block the release of a product as part of the “secure by design” process, in Agile models, particularly in DevOps, these security controls are more difficult to be put in place due to CD, where software and its updates are released in an almost automatic way. While Development and Operations team break down walls between them, the Security team remains isolated in its siloed structure. A DevSecOps strategy is then necessary: the aim is to make security an integrated part of DevOps processes, by considering it in each step of the SDLC. The main target of DevSecOps is not only to integrate security analysis tools in a CI/CD pipeline, but to have a real cultural shift towards a more collaborative approach to software development, mainly among Development, Operations and Security teams: the work done by one team must not be “thrown over the wall” to the other team, but every individual involved must take full responsibility on every aspect of his work, meaning that developers and operations people must be responsible of security aspects, with the support of proper professionals. This thesis work has been carried out in the context of the Cyber Security team of Vodafone Italia, one of the main players in the telecommunications industry worldwide, which is now aiming at become a Tech Company with a multi-year strategic program: part of this strategy includes the adoption of a DevSecOps methodology across all of the software development teams, with the insourcing of software development activities to develop products in a fast and secure way. The aim of this work has been to study the current Company setup, tools and processes and identify potential area of improvement to achieve Company DevSecOps targets. The main achievement has been the definition of a DevSecOps Operating Model made of people, processes and technologies which identify roles, responsibilities and interactions among all of the involved entities with the final goal of improving products security.

Relators: Luca Ardito, Francesco Floris
Academic year: 2021/22
Publication type: Electronic
Number of Pages: 129
Corso di laurea: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Classe di laurea: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Aziende collaboratrici: VODAFONE ITALIA SPA
URI: http://webthesis.biblio.polito.it/id/eprint/23649
Modify record (reserved for operators) Modify record (reserved for operators)