Abstract
DevSecOps is the extension of DevOps with security aspects and tools throughout all the stages of the software development life cycle. DevOps has become a popular way of developing modern software, especially in the Internet of Things arena, due to its focus on rapid development, with short cycles, involving the user/client very closely. Security classification methods, on the other hand, are heavy and slow processes that require high expertise in security, as in other similar areas like risk analysis or certification. As such, security classifications are not compatible with DevSecOps, which largely moves away from the traditional white-hat hacker team style of penetration testing that is done only when the software product is in the final stages or already deployed.
In this work, we first identify five requirements for a security classification to be DevOps-ready, two of which are the focus for the rest of the report, namely to be tool-based and easy to use for non-security experts, like ordinary developers or system architects. We then proceed to exemplify how one can make a security classification methodology DevOps-ready. We do this through a prototyping process, where we create and evaluate the usability of a tool supporting (or implementing) the chosen methodology. Such work seems to be new within the usable security community, let alone in the software development (DevOps) community. Therefore, we present our process as a recipe that others can follow when making their own security methodologies DevOps-ready, which we believe to be valuable since it both makes the methodology more user-friendly for themselves and widens the range of people who can take up their methodology. The tool that we built is more of a byproduct contribution of the above, even though it can be independently used, extended, and/or integrated by developer teams into their DevSecOps processes, most probably during the testing phase, where the security class would be one of the metrics used to evaluate the quality of their software.