Integrating DevSecOps into the software development lifecycle: A comprehensive model for securing containerized and cloud-native environments ⋆

Bohdan Leshchenko1,*,†, Bohdan Snisar1,†, Anton Stupak1,† and Viacheslav Osadchyi2,†

1 Zhytomyr Polytechnic State University, 103 Chudnivsyka str., 10005 Zhytomyr, Ukraine
2 Borys Grinchenko Kyiv Metropolitan University, 18/2 Bulvarno-Kudriavska str., 04053 Kyiv, Ukraine

⋆ CPITS-II 2024: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, October 26, 2024, Kyiv, Ukraine
∗ Corresponding author.
† These authors contributed equally.
zogyyy1@gmail.com (B. Leshchenko); b.snisar@ukr.net (B. Snisar); s2pak.anton@gmail.com (A. Stupak); v.osadchyi@kubg.edu.ua (V. Osadchyi)
0009-0001-5781-3518 (B. Leshchenko); 0009-0007-0091-0943 (B. Snisar); 0009-0008-1247-5990 (A. Stupak); 0000-0001-5659-4774 (V. Osadchyi)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings, ceur-ws.org, ISSN 1613-0073

Abstract

The increased use of containerized and cloud-native environments necessitates integrating security measures throughout the entire Software Development Lifecycle (SDLC). This study proposes a comprehensive DevSecOps model designed to address modern infrastructures’ security challenges. Our model prioritizes the continuous inclusion of security measures from the initial planning stages to the secure decommissioning of applications. Key elements of the model are improved governance of security, frequent auditing, disaster recovery planning, and a focus on continuous innovation within SDLC. The proposed approach offers a robust basis for protecting development processes, ensuring resilience, and maintaining compliance in rapidly evolving technological environments by integrating these activities into the DevOps framework. The practical applicability of the model is validated by comparing it against the existing frameworks and its prospective capacity to significantly enhance security posture within organizations working with containerized and cloud-native environments.

Keywords

DevSecOps, Software Development Lifecycle, SDLC, containerized environments, cloud-native security, security governance, continuous integration

1. Introduction

1.1. Relevance of the topic

In today’s fast-paced IT landscape, incorporating security practices into development and operational workflows is critical, giving rise to the DevSecOps approach. DevSecOps is an evolution of traditional DevOps methodology that emphasizes embedding security controls early in the SDLC, addressing potential security issues from the start. This proactive integration is critical because it ensures that security is not an afterthought but a fundamental part of the development process.

The problems created by traditional security approaches, which frequently fail to keep up with modern IT systems’ quick deployment cycles, drive the change to DevSecOps. By adding security measures into continuous integration and continuous deployment (CI/CD) pipelines, DevSecOps improves the capacity to discover and remediate vulnerabilities early, minimizing security breach risk [1, 2].

While containers provide agility and efficiency, they are vulnerable to certain security flaws. These include vulnerabilities in container images, misconfigurations, and unsafe runtime environments. Containers frequently employ images from public sources, which may include obsolete or vulnerable components. Furthermore, containers may contain unneeded software, which expands the attack surface and poses significant security threats if not adequately controlled [3].

As more organizations move to containerized systems, the requirement for integrated security solutions grows. Containers make installing and scaling programs easier but may also provide entry sites for malicious attacks if not properly secured. The significance of safeguarding these environments is clear as organizations strive to secure their applications and data from possible breaches [4].

Several issues arise when traditional security measures are combined with the DevOps model. These include incompatibilities with quick development cycles, challenges in automating security processes, tool complexity and integration concerns, configuration management issues, container vulnerabilities, and cultural and organizational hurdles. Addressing these difficulties is critical for the successful implementation of DevSecOps, which allows organizations to develop safe software quickly and effectively [5].

DevSecOps practices are essential for improving the security of containerized environments, as they address unique security challenges, ensure a more secure and resilient IT infrastructure, and ultimately improve cybersecurity in modern software development.

1.2. Research objectives and goals

This research aims to model all the practices under the framework and integrate them into the more extensive software development process, emphasizing cloud-native security. Our approach aims to enhance security by integrating security measures with DevSecOps in mind at each phase of development and operations. Identifying and addressing security vulnerabilities early on aims to reduce the risk of potential data breaches and other security threats. Ultimately, the research aims to establish best practices for implementing DevSecOps in a cloud-native environment. Enhancing overall security posture and resilience is crucial.

This research has several goals: identification and analysis of the current challenges. This includes examining the limitations of current security methodologies.

Additionally, the research will focus on developing strategies for integrating security measures seamlessly into the development process. By understanding the current challenges and limitations, the goal is to create a more robust and proactive security framework that can adapt to the evolving threat landscape. Ultimately, the aim is to provide organizations with practical guidance on implementing DevSecOps effectively in a cloud-native environment, ensuring that security is prioritized from the outset of the development process.

We focus on developing an expanded DevSecOps model that includes additional stages and practices such as security governance, disaster recovery, continuous innovation, and secure decommissioning.

1.3. Research methods

Our work uses a complex methodological approach to create a complete DevSecOps model. The model should be designed specifically for protecting containerized and cloud-based environments. The research methodologies were devised to address the study's objectives and goals methodically.

The first method involves a thorough literature review, which is the foundation for understanding existing DevSecOps methods and unique security problems. This review included academic journals, conference papers, and business publications. “Gray” literature and materials from third-party vendors were also used in our work. The literature research gave crucial insights into the growth of security procedures in modern IT infrastructures and gaps in existing models, which influenced the succeeding phases of the research.

Based on the findings of the literature overview, a comparative analysis was performed to assess the efficiency of existing DevSecOps models and frameworks. This investigation thoroughly evaluated various models based on factors such as security integration into the SDLC, adaptation to cloud-native environments, and scalability in complex IT ecosystems. The comparison research highlighted substantial strengths and limitations in the existing models, enabling the identification of particular areas for development. This stage was critical in determining the design of the new, expanded DevSecOps model suggested in this study.

The third part of the research concluded with the development of a new model. Drawing on the findings of the literature study and comparative analysis, the expanded model was created to fill the gaps in current frameworks.

The new model’s structure is purposefully linked with the SDLC to ensure easy incorporation into existing development processes, making it both practical and successful.

The research uses these methodologies to establish a robust and adaptive DevSecOps model that organizations can use to improve the security of their software development processes, particularly in containerized and cloud-native environments.

1.4. Practical significance

This research offers a comprehensive DevSecOps model for organizations to integrate security into their software development processes. This model helps mitigate risks and enhance overall security posture in modern cloud infrastructures.

Our research will introduce an extended DevSecOps model, incorporating security governance, regular auditing, disaster recovery planning, and continuous innovation. This model ensures that security is integrated into development and maintained as the organization evolves.

Its alignment with real-world operational practices further reinforces the model’s practical applicability. Its design should be easily integrated into existing DevOps workflows, allowing organizations to adopt it without significantly disrupting their current processes. This ease of integration is essential for encouraging widespread adoption, as it reduces the barriers to implementing comprehensive security measures in cloud-native environments.

Our research should provide a scalable, adaptable, and comprehensive security model for organizations to protect their containerized cloud-native environments, enhancing security during development and ensuring ongoing protection against emerging threats.

2. Literature review and theoretical foundations

2.1. Software development life cycle

Understanding the Software Development Lifecycle (SDLC) is essential as it offers an organized system for overseeing software development, guaranteeing productivity, security, and appropriate resource use at every project stage. SDLC provides an organized technique for developing software, ensuring that every stage—from design and planning to implementation and upkeep—carefully handles essential details. Researchers and practitioners can significantly improve the security of containerized applications, including security considerations at every level.

Several studies [6, 7] have examined the phases and models of various approaches of different SDLCs. Fig. 1 illustrates the salient features of these studies.

Consequently, the process used to design, develop, and test software is called the SDLC. Planning, design, implementation, testing, deployment, and maintenance are some of the phases that make it up. Specific tasks, like gathering requirements, coding, testing for bugs, and software deployment, are part of each phase.

Models such as waterfall, iterative, spiral, and agile offer different approaches to structuring these phases to maximize development. By offering a methodical framework and enhancing planning, visibility, risk management, and customer satisfaction, the SDLC helps manage software development.

By comprehending the advantages and drawbacks of each methodology, software development teams can make well-informed decisions and adopt the most sustainable approach, thereby enhancing the likelihood of successful project outcomes in the long run [8].

Figure 1: Key Aspects of the SDLC
Software Development Lifecycle (SDLC)
- Phases: Plan, Design, Implement, Test, Deploy, Maintain
- Models: Waterfall, Iterative, Spiral, Agile
- Importance: Security, Systematic management, Increased visibility, Efficient planning, Risk management, Customer satisfaction

As suggested by Olorunshola et al., utilizing two or more methods within a single project is recommended because choosing a specific method can be challenging for a company [9].

Unfortunately, their suggestions do not cover all modern SDLC. Despite the numerous techniques and models suggested, incorporating security remains a challenge.

2.2. DevSecOps

Today, most teams recognize that security is integral to the software development lifecycle. Security can be addressed throughout the development lifecycle by following DevSecOps practices and conducting security assessments throughout the entire SDLC process.

In their research [10], Rafiq Ahmad et al. classified significant studies through a systematic literature review. They have identified 145 security risks and 424 best practices for managing security via DevSecOps. They proposed the following six phases of DevSecOps: requirement engineering (RE), design, development/coding, testing, deployment, and maintenance.

Using these phases, researchers and practitioners can create robust security plans that tackle the difficulties presented by containerized environments, ultimately producing more resilient and secure applications.

The term DevSecOps (an organizational software engineering culture) means the processes of development (Dev), security (Sec), and operations (Ops). The ultimate goal of DevSecOps is to achieve safe and rapid code release. Security was traditionally seen as a distinct stage that came after the development cycle and occasionally even after deployment. However, with the introduction of DevSecOps, security procedures are now integrated into the whole software development lifecycle, completely changing the original strategy. Continuous security involves persistent monitoring and real-time insight into security vulnerabilities at every stage of the DevSecOps lifecycle [11].

DevSecOps’ primary idea is based on the principle of “shifting left” [5], which involves incorporating security early in the development process. This technique enables the early discovery and remediation of vulnerabilities, lowering the cost and complexity of addressing security concerns later in the development cycle. Fig. 2 portrays DevSecOps as DevOps with continuous security assurance, where security controls may be included throughout the DevOps workflow [12].

Kumar and R. Goyal described the stages of the DevSecOps continuous security process in their paper [12]. Their concept consists of 12 points, which expand upon our prior SDLC phases. Fig. 3 gives a short explanation of their phases.

DevSecOps is a significant progression in IT operations that combines the speed and agility of DevOps with strong security safeguards. Its importance in containerized architectures cannot be overemphasized, as it improves security and increases cooperation and efficiency among development and operational teams. DevSecOps adoption will be critical to ensure safe, robust, and high-performing IT systems as organizations increasingly embrace cloud-native technologies and complex microservice application architectures.

Figure 2: Common representation of DevSecOps [12]

Figure 3: Continuous security workflow by Kumar and Goyal [12]
- Plan: Analyze requirements and adopt an adaptive security architecture.
- Code: Follow secure code development guidelines.
- Commit: Check-in code in a source repository with automatic version control.
- Build: Compile source code and trigger static code analysis.
- Integrate: Conduct system integration and security tests.
- Package: Bundle application binaries and store them in an artifact repository.
- Release: Deliver the packaged application to a staging environment.
- Configure: Configure the application for acceptance testing.
- Accept: Perform functional and non-functional testing.
- Deploy: Deploy the application in the production environment.
- Operate: Monitor the deployed applications continuously.
- Adapt: Scale infrastructure on demand and replace compromised environments.

2.3. Cloud security

Containers and associated orchestration software used in cloud systems provide new security challenges. Bader Alouffi et al. [13] did a literature study underlining the critical and ongoing issues in cloud computing security, emphasizing the need for further research and development.

Cloud-based system security becomes increasingly important as cloud computing’s importance in commercial and consumer contexts grows. The analysis identified seven significant security dangers, with data manipulation and leaking being the most urgent issues. These attacks threaten the integrity and confidentiality of cloud-stored data, necessitating the development of increasingly complex security procedures [14].

Significant weaknesses exist in containerized cloud infrastructures, such as data tampering, unauthorized changes to stored data, data leaks, and the unauthorized exposure of sensitive information. The frequency of these weaknesses in the studied literature indicates that current security solutions are insufficient to properly defend cloud systems from all sorts of attackers. As a result, there is an obvious and immediate need for continued research to improve cloud security protocols.

Furthermore, the topic of data outsourcing—the transfer of control over sensitive data from users to cloud service providers (CSPs) remains a significant worry. This power transfer creates possible weaknesses, notably in data confidentiality and integrity. The evaluation emphasizes the significance of creating more robust security.

2.4. Culture

Culture is critical to effective DevSecOps workflow [15], determining how security is integrated into the software development lifecycle. The DevSecOps culture emphasizes teamwork, with development, operations, and security teams working together to integrate security into all aspects of software development. This collaborative strategy breaks down traditional silos, allowing for proactive control of security concerns.

A DevSecOps culture [16] is distinguished by continuous improvement, in which teams regularly refine their security practices in response to evolving threats, and shared responsibility ensures that all team members, not just security specialists, are accountable for upholding security standards. Communication is also essential for enabling open conversation across teams to handle security risks promptly and effectively.

DevSecOps is critical for managing the complexity of modern programs that use microservices and containers. It incorporates security into CI/CD pipelines to assure ongoing protection and promotes a shared security responsibility across development, operations, and security teams. Without an established security culture, developers will “take shortcuts” [17].

So, the keys to defining DevSecOps culture are recognising the importance of cooperation, continuous improvement, shared accountability, communication, and trust. These cultural components are vital for integrating security into the fabric of software development, ensuring that security is not an afterthought but rather a necessary component of the development process.

2.5. Regular security audits

Cybersecurity audits have evolved as a critical element of the overall cyber risk management strategy, mainly as organizations rely more on digital technologies that expose them to a broader range of cyber threats. The success of cybersecurity audits (CSA) is critical for organizations seeking to protect their digital assets’ integrity, confidentiality, and availability [18].

The quality of these cybersecurity audits directly impacts the effectiveness of an organization’s cyber threat defense mechanisms. Understanding and quantifying audit quality, as described in Rajgopal, Srinivasan, and Zheng’s [19] study on audit quality in financial audits, can provide valuable insights into improving the robustness of cybersecurity audits.

Rajgopal et al. [19] present a comprehensive framework for assessing audit quality by examining audit problems reported in enforcement proceedings and litigation cases. Their findings highlight the importance of particular proxies for audit quality, such as restatements and the audit fee-to-total fee ratio. Using similar approaches in cybersecurity audits could help organizations detect and address flaws in their security policies more effectively.

However, organizations should realize that audits can be only one part of the cybersecurity puzzle. They must be integrated with other defensive methods to effectively combat the evolving landscape of cyber threats.

As a result, the ongoing improvement of cybersecurity audit procedures, guided by research and best practices, is crucial for organizations that strive to protect their digital resources and remain resilient to cyber threats in the long term.

2.6. Security governance and compliance

Information Security Governance (ISG) is a strategic framework that connects an organization’s information security policies with its overall business objectives. It ensures essential assets are protected while protecting the organization’s value and reputation [20]. This alignment is necessary to maintain organizational resilience against the evolving cyber threat.

If practical, ISG is more than just a technology requirement—it is a critical business function in which senior management has to get involved. As noted by AlGhamdi et al. [20], the research emphasizes the need for senior management support and dedication in driving the successful deployment of ISG frameworks. Information security governance at the highest organizational levels guarantees that security measures are not seen as separate IT problems but integrated into strategic decision-making, reinforcing the organization’s entire risk management approach.

ISG also ensures compliance with applicable laws, regulations, and industry best practices. Compliance will ensure that security practices within an organization have been attested to regulatory standards and follow well-known best practices. AlGhamdi et al. [20] emphasize that compliance is critical for legal protection and improving the organization’s reputation and credibility.

Organizations can reduce the risks of noncompliance, such as legal penalties and reputational damage, by adhering to regulatory frameworks and ensuring that security controls are consistently deployed and reviewed [5].

2.7. Secure decommissioning

Securely decommissioning IT assets, particularly storage devices containing sensitive information, is crucial to data security. Unfortunately, it is often overlooked and can pose significant security risks and legal obligations.

As the literature further shows, one of the key challenges in IT asset disposal (ITAD) is ensuring that all data stored on devices is irretrievably erased before the hardware is repurposed, sold, or disposed of. The study by Debnath et al. [21] emphasizes the potential threats posed by improper decommissioning of IT assets, particularly among middle card players, such as small- and medium-sized enterprises (SMEs), institutions, and individuals. These entities often lack the resources or expertise to implement stringent data sanitization processes, making them particularly vulnerable to data breaches when their IT assets enter the e-waste supply chain [21].

In the e-waste supply chain, improper decommissioning can escalate the risk even further. IT assets are difficult to track, and unauthorized parties may be able to retrieve sensitive information due to a lack of proper disposal methods, including the physical components that can retain recoverable data even after standard deletion procedures.

Integrating secure decommissioning practices into Information Security Management Systems (ISMS), such as ISO/IEC 27001, is critical for managing information security risks, including those related to IT asset end-of-life, and preventing unauthorized data recovery.

Secure decommissioning is a governance challenge, not just a technical issue. Organizations should establish clear policies for ITAD, including certified data destruction services and certificates, to ensure sensitive data is securely handled and reduce legal risks associated with data breaches.

Secure decommissioning is an essential part of IT asset management. It ensures an organization’s security from breaches and unauthorized access. Compliance with set standards and a strong policy on ITAD can ensure that data security prevails throughout the lifecycle of IT assets.

2.8. Continuous innovation in security

Innovation within DevOps is continuous and pervasive throughout the software development and operation lifecycle. Continuous innovation in DevOps is the ongoing ability to respond to new requirements and market changes while keeping the software up-to-date, efficient, and competitive [22].

DevOps practices, including CI/CD, automation, and cross-functional collaboration, help organizations maintain agility and innovate quickly to respond to changing market conditions [23].

3. Existing classifications

There are several kinds of literature on continuous security frameworks. The most important among them is presented in the study by Xiaofan Zhao et al. [24]. Their Challenge-Practice-Tool-Metric (CPTM) approach offers a complete framework for successfully integrating security into DevOps operations. This model is developed based on a Multi-vocal Literature Review (MLR) and illustrates the correlations between challenges, processes, tools, and metrics in the DevSecOps lifecycle.

Key obstacles to adopting DevSecOps identified using the CPTM model are organizational resistance, integration complexities, and the need for perpetual compliance. These struggles are further classified under organizational, procedural, technological, and business-related difficulties, providing a solid understanding of what stands in the way of successfully deploying DevSecOps.

The model emphasizes integrating these technologies into current processes to improve efficiency and security. It provides a variety of commercial and open-source solutions that enable these techniques. This guarantees that the right instruments are applied to successfully handle certain security requirements.

The ADOC model [12] introduces a framework that integrates development, security, and operational activities to ensure that security practices are incorporated at each stage of the DevOps pipeline. OSS and cloud technologies enable this model, which incorporates six dimensions, nine guidelines, a twelve-stage process, and seven practice areas.

The ADOC model presented in Fig. 3 provides a way forward for organizations intending to apply DevSecOps principles through OSS when deploying in the cloud. This ensures built-in security at every stage of development and is applied through automation, making it far more achievable to deliver securely and cost-effectively developed high-quality software. The twelve-step process ensures that security does not become an afterthought but is considered an integral part of the DevOps lifecycle, thus raising the organization’s overall security posture.

Another great source of categorization information is the GitHub repository by Sottlmarek, a popular and well-organized resource in the DevSecOps community library [25] with over 5,300 stars. It offers a vast library of tools and approaches for integrating security into the DevOps lifecycle, primarily focused on cloud cybersecurity and DevSecOps best practices. It categorizes tools into pre-commit time, secret management, OSS and dependency management, supply chain security, SAST, DAST, continuous deployment security, Kubernetes, and container security.

The OWASP® Foundation supports software security through community-led projects, global chapters, and conferences. Agile frameworks and DevOps practices drive the software development industry, which often fails to integrate security concerns during deployment. Standard safety measures are sometimes ignored in continuous integration settings, leading to insecure Docker registries and the potential theft of a company’s entire source code. The foundation aims to address these challenges by promoting open-source software projects, ensuring security, and supporting collaborative conferences. They have created the DevSecOps Maturity Model for better security planning.

The DevSecOps Maturity Model, as shown in Fig. 4, demonstrates the security controls applied when implementing DevOps practices and how they can be benchmarked. DevOps practices can also enhance security by evaluating each part of a Docker image, such as application and operating system libraries, for known vulnerabilities. Attackers are intelligent and creative, constantly evolving with new technologies and goals. Guided by the visionary DevSecOps Maturity Model, relevant ideas and actions are being implemented to mitigate threats [26].

Figure 4: DevSecOps Maturity Model example of Identification of the degree of the implementation [26]

As we can see from the information provided, “white” and “grey” researchers are not adhering to a single stagnant classification for the Software Development Lifecycle in securing containerized and cloud-native environments. This suggests that diverse perspectives and orientations are being pursued in this research, leading to a broader model. It also indicates that the process of integrating DevSecOps into software development lifecycles is complex and multifaceted.

3.1. Comparative analysis of models

In this section, we conduct a comparative analysis of four prominent models: the Continuous Planning and Testing Model (CPTM), the DevSecOps Maturity Model, the Application Delivery and Operations Control (ADOC) model, and a generic DevSecOps library approach.

Table 1
Comparison of existing models

| CPTM model [24] | The DevSecOps Maturity Model [26] | ADOC [12] | DevSecOps library [25] |
|---|---|---|---|
| Plan | Requirements Gathering | Plan | Plan |
| Create | Design | Code | Code |
| Verify | Development | Commit | Build |
| Preprod | Testing | Build | Test |
| Release | Deployment | Integrate | Release |
| Prevent | Maintenance | Package | Deploy |
| Detect | | Release | Operate |
| Respond | | Configure | Monitor |
| Predict | | Accept | |
| Adapt | | Deploy | |
| | | Operate | |
| | | Adapt | |

The Continuous Planning and Testing Model (CPTM) illustrates a cyclical approach to security that underlies the SDLC. It begins with the Planning phase, where security requirements are specified, followed by the creation phase, which focuses on the design of secure systems. The model emphasizes continuous Verification during the Implementation phase. In the Testing phase, the need to identify security vulnerabilities is prioritized before deployment, and the Release phase highlights secure release practices. CPTM presents a continuous loop of Prevent, Detect, Respond, Predict, and Adapt activities during the Maintenance phase, underscoring the importance of ongoing vigilance and adaptability to maintain secure operations.

The DevSecOps Maturity Model provides a structured approach to scaling security practices in the SDLC. It starts with requirements gathering in the planning phase, where security needs are deeply embedded in project planning. In the Design phase, security is integrated into system architecture, making it a fundamental part of the design process. The Implementation phase focuses on secure Development, emphasizing secure coding and regular security assessments. Rigorous Testing ensures that security testing is an integral part of quality assurance. The Deployment phase incorporates security into the deployment pipeline, making security checks a continuous part of software releases. Finally, Maintenance ensures that security remains a top priority throughout the software’s lifecycle.

Application Delivery and Operations Control (ADOC) introduces a unique approach concentrating on delivery and operational management. The Planning phase aligns with strategic security planning, while the Code phase emphasizes secure coding practices as part of the design. During the Implementation phase, Commit activities ensure that code commits are secure and reliable. Build and Integrate activities in the Testing and Deployment phases ensure that security is integrated into the continuous integration/continuous deployment (CI/CD) pipeline. The Maintenance phase is comprehensive, covering Package, Release, Configure, Accept, Deploy, Operate, and Adapt activities, ensuring security is maintained and adapted to changing environments and threats.

The DevSecOps Library takes a broader approach to DevSecOps, reflecting its practices in a more generalized way. It closely aligns with the traditional Software Development Life Cycle (SDLC) stages while strongly focusing on integrating security measures throughout each phase. Planning involves the identification and integration of security requirements. Code reflects secure coding practices, while Build focuses on embedding security into the build process. The Test phase emphasizes thorough security testing, ensuring vulnerabilities are identified and addressed before deployment. Release in this approach involves the secure deployment of the software. Maintenance includes deploying, operating, and monitoring activities to ensure continuous security throughout the software’s operational life.

The comparative examination (Table 1) of these models demonstrates that, while each framework has distinct strengths and emphasis areas, they all strive for the same goal: seamless security integration into the SDLC. By comparing these models, we obtain significant insights into how security might be systematically integrated into software development processes, improving the security posture of modern software systems. As the threat landscape evolves, adopting and enhancing these models will be critical for organizations seeking to maintain strong security across the software lifecycle.

3.2. Expanding existing models

Following our research, we identified additional areas for improvement in existing models and their classification. Extra phases can be introduced to address the problems and practices discussed earlier. One key recommendation is to emphasize the importance of continuous education, ensuring all team members are regularly trained on security best practices, tools, and emerging threats. This helps foster a security-conscious culture within the organization, where every stakeholder plays a role in maintaining security.

Incorporating disaster recovery and business continuity measures is also essential. Developing and testing plans that allow business operations to recover swiftly after a significant incident or system failure ensures resilience.

Additionally, regular security audits should be conducted to assess the effectiveness of security measures. These audits should be automated and integrated into the CI/CD pipeline whenever possible to maintain alignment with current standards and compliance requirements.

As applications grow, security measures must scale accordingly. Adapting security strategies to the increasing complexity of container orchestration and cloud environments is vital.

Moreover, implementing governance frameworks helps ensure that all security practices comply with regulatory and organizational standards. These policies and procedures are crucial for guiding applications’ secure development, deployment, and maintenance.

Secure decommissioning processes are equally important when applications or components end their lifecycle. This involves securely removing data, dismantling infrastructure, and ensuring no residual vulnerabilities are left behind.

Lastly, encouraging continuous innovation in security practices and technologies keeps the organization ahead of emerging threats. Adopting new tools, methodologies, and approaches helps to navigate the ever-evolving challenges within the DevSecOps landscape.

throughout the entire software lifecycle. It can also be used to develop and automate deployments of enterprise security subsystems, as in our previous research [28].

The model addresses all phases of the SDLC and integrates security considerations at every stage, ensuring a comprehensive approach to secure software development in modern, cloud-native environments.

4. Conclusions

This study proposes a complete DevSecOps model designed
to solve the security problems of containerized and cloud- Our extended model (Table 2) contains 20 elements, native environments. By incorporating security practices which cover the whole range of actions required for the safe throughout the SDLC, the model provides a solid foundation development, deployment, and operation of contemporary for organizations to improve their security posture. The software systems. By including extra stages such as suggested model incorporates essential aspects such as monitoring, reaction, recovery, auditing, and education, this security governance, disaster recovery planning, frequent model provides a complete framework that handles the audits, and secure decommissioning to ensure that security technical components of security and the cultural and is an ongoing and integrated part of the development procedural factors required to maintain a strong security process. posture. The comparison with existing frameworks shows that the expanded model fills gaps in current practices and Table 2 provides a scalable solution that syncs with the dynamic Proposed extended model nature of modern IT environments. The model’s emphasis Phase Description on continual innovation and adaptation helps organizations stay ahead of emerging threats and changing security Educate Continuously train and educate team members. requirements. Plan Strategic planning, defining project objectives, gathering requirements, and identifying security Empirical validation of the effectiveness and scalability risks. of the suggested DevSecOps approach through Govern Establish security governance frameworks and implementation in actual applications across several ensure compliance with regulatory standards. sectors. Automated security tool integration is another Code Implement secure coding practices. 
possible area to explore how these tools might be integrated Commit Use secure version control practices, protecting into the suggested paradigm, particularly inside the CI/CD code commits. pipeline. Potential pathways for further study might include Build Integrate automated security testing into the examining organizational and cultural obstacles to adopting build process. DevSecOps methods and how training initiatives and Integrate Ensure secure integration of components with strategic change management can help remove these automated testing and validation. Package Package the application securely. barriers. Configure Manage configurations securely, applying best As technology advances, future studies should assess practices to ensure consistency and security. the model’s adaptability to new frameworks, such as Release Conduct final security checks and validations serverless computing and AI-driven development processes. before releasing the application to production. Another approach is to examine how the suggested Deploy Automate deployment with integrated security model affects efficiency and performance, especially in checks, ensuring secure, validated code reaches terms of development teams’ resource allocation and time production. to market. Operate Implement continuous monitoring and real-time Lastly, future research must focus on matching the security operations. Monitor Automated tools are used for continuous model with different regulatory frameworks and security monitoring and anomaly detection [27]. investigating the possibility of automating compliance Respond Establish incident response protocols. checks inside DevSecOps procedures. Audit Perform regular security audits to assess the Once addressed, these research topics will enrich and effectiveness of security measures and ensure modify the proposed model to suit the changing needs of ongoing compliance. 
the software development industry and, hence, go a long Accept Conduct security acceptance testing. way toward contributing to the development of secure and Scale Adapt security strategies to accommodate resilient IT infrastructures. growth and increased complexity. Adapt Regularly review and update security practices. References Innovate Adopting new technologies and methodologies. Decommission Securely retire applications or components. [1] D. Berestov, et al., Analysis of Features and Prospects of Application of Dynamic Iterative Assessment of Information Security Risks, in: Cybersecurity This expanded model is especially well-suited for Providing in Information and Telecommun. Systems, addressing the complexities of containerized, cloud-native CPITS, vol. 2923 (2021) 329–335. environments, ensuring that security is integrated 160 [2] S. Shevchenko, et al., Information Security Risk Security and Protection of Digital Services, UK (2019) Management using Cognitive Modeling, in: 1–8. doi: 10.1109/cybersecpods.2019.8884935. Cybersecurity Providing in Information and [16] M. Sánchez-Gordón, R. Colomo-Palacios, Security as Telecommun. Systems II, CPITS-II, vol. 3550 (2023) Culture: A Systematic Literature Review of 297–305. DevSecOps, in: IEEE/ACM 42nd International [3] B. Kaur, et al., An Analysis of Security Vulnerabilities Conference on Software Engineering Workshops in Container Images for Scientific Data Analysis, (ICSEW'20). Association for Computing Machinery GigaScience, 10(6) (2021). doi: 10.1093/gigascience/ (2020) 266–269. doi: 10.1145/3387940.3392233. giab025. [17] S. Sultan, I. Ahmad, T. Dimitriou, Container Security: [4] F. Khan, et al., Data Breach Management: An Issues, Challenges, and the Road Ahead, IEEE Access Integrated Risk Model, Inf. Manag. 58(1) (2021) 103392. 7 (2019). 52976–52996. doi: 10.1109/access.2019. doi: 10.1016/j.im.2020.103392. 2911732. [5] R. N. Rajapakse, et al., Challenges and Solutions when [18] H. 
Hulak, et al., Dynamic model of guarantee capacity Adopting DevSecOps: A Systematic Review, J. Inf. and cyber security management in the critical Software Technol. 141 (2022) 106700. doi: automated systems, in: 2nd International Conference 10.1016/j.infsof.2021.106700. on Conflict Management in Global Information [6] N. Dwivedi, D. Katiyar, G. Goel, A Comparative Study Networks, vol. 3530 (2022) 102-111. of Various Software Development Life Cycle Models, [19] S. Rajgopal, S. Srinivasan, X. Zheng, Measuring audit Int. J. Res. Eng. Sci. Manag. 5(3) (2022). 141–144. quality, Review of Accounting Studies 26 (2021). 559– [7] B. Acharya, P. K. Sahu, Software Development Life 619. doi: 10.1007/s11142-020-09570-9. Cycle Models: A Review Paper, Int. J. Adv. Res. Eng. [20] S. AlGhamdi, K. T. Win, E. Vlahu-Gjorgievska, Technol. 11 (2020). 169–176. doi: 10.34218/ijaret. Information Security Governance Challenges and 11.12.2020.019. Critical Success Factors: Systematic Review, Comput. [8] S. Pargaonkar, A Comprehensive Research Analysis Secur. 99 (2020). 102030. doi: 10.1016/j.cose.2020. of Software Development Life Cycle (SDLC) Agile & 102030. Waterfall Model Advantages, Disadvantages, and [21] B. Debnath, et al., An Analysis of Data Security and Application Suitability in Software Quality Potential Threat from IT Assets for Middle Card Engineering, Int. J. Sci. Res. Publ. 13 (2023) 120–124. Players, Institutions and Individuals, Sustainable doi: 10.29322/ijsrp.13.08.2023.p14015. Waste Management: Policies and Case Studies (2019) [9] O. E. Olorunshola, F. N. Ogwueleka, Review of 403–419. doi: 10.1007/978-981-13-7071-7_36. System Development Life Cycle (SDLC) Models for [22] A. Wiedemann, et al., Implementing the Planning Effective Application Delivery, Information and Process within DevOps Teams to Achieve Continuous Communication Technology for Competitive Innovation, in: 52nd Hawaii International Conference Strategies (ICTCS 2020), LNNS 191 (2021) 281–289. 
on System Sciences (2019) 7017–7026. doi: doi: 10.1007/978-981-16-0739-4_28. 10.24251/hicss.2019.841. [10] R. A. Khan, et al., Systematic Literature Review on [23] G. Auth, R. Alt, C. Kögler, Continuous Innovation Security Risks and Its Practices in Secure Software with DevOps: IT Management in the Age of Development, IEEE Access 10 (2022) 5456–5481. doi: Digitalization and Software-defined Business, 10.1109/access.2022.3140181. Springer Cham (2021). doi: 10.1007/978-3-030-72705-5. [11] Solutions — DevSecOps — Addressing Security [24] X. Zhao, T. Clear, R. Lal, Identifying the Primary Challenges in a Fast Evolving Landscape White Paper Dimensions of DevSecOps: A Multi-Vocal Literature (2022). URL: https://www.cisco.com/c/en/us/ Review, J. Syst. Software 214 (2024) 112063. doi: solutions/collateral/executive-perspectives/ 10.1016/j.jss.2024.112063. devsecops-addressing-security-challenges.html [25] GitHub. sottlmarek/DevSecOps: Ultimate DevSecOps [12] R. Kumar, R. Goyal, Modeling Continuous Security: A Library. URL: https://github.com/sottlmarek/ Conceptual Model for Automated DevSecOps using DevSecOps Open-Source Software over Cloud, Comput. Secur. 97 [26] OWASP Devsecops Maturity Model | OWASP (2020) 101967. doi: 10.1016/j.cose.2020.101967. Foundation. URL: https://owasp.org/www-project- [13] B. Alouffi, et al., A Systematic Literature Review on devsecops-maturity-model/ Cloud Computing Security: Threats and Mitigation [27] O. V. Talaver, T. A. Vakaliuk, Telemetry to Solve Strategies, IEEE Access 9 (2021) 57792–57807. doi: Dynamic Analysis of a Distributed System, J. Edge 10.1109/access.2021.3073203. Comput. 3 (2024) 87–109. doi: 10.55056/jec.728. [14] P. Anakhov, et al., Protecting Objects of Critical [28] B. 
Leshchenko, et al., Model of a Subsystem for Information Infrastructure from Wartime Cyber Securing E-Mail Against Loss using Mail Transport Attacks by Decentralizing the Telecommunications Agents based on Containerized Environments, in: Network, in: Cybersecurity Providing in Information Cybersecurity Providing in Information and and Telecommun. Systems, vol. 3050 (2023) 240-245. Telecommunication Systems II co-located with [15] N. Tomas, J. Li, H. Huang, An Empirical Study on International Conference on Problems of Culture, Automation, Measurement, and Sharing of Infocommunications. Science and Technology (PICST DevSecOps, in: International Conference on Cyber 2023), vol. 3550 (2023) 14–28. 161