{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T16:14:55Z","timestamp":1781108095353,"version":"3.54.1"},"reference-count":40,"publisher":"IGI Global Scientific Publishing","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018,1]]},"abstract":"<jats:p>In this article, the authors discuss enhancing a DevOps implementation in a highly regulated environment (HRE) with security principles. DevOps has become a standard option for entities seeking to streamline and increase participation by all stakeholders in their Software Development Lifecycle (SDLC). For a large portion of industry, academia, and government, applying DevOps is a straightforward process. There is, however, a subset of entities in these three sectors where applying DevOps can be very challenging. These are entities mandated by security policies to conduct all, or a portion, of their SDLC activities in an HRE. Often, the reason for an HRE is protection of intellectual property and proprietary tools, methods, and techniques. Even if an entity is functioning in a highly regulated environment, its SDLC can still benefit from implementing DevOps as long as the implementation conforms to all imposed policies. A benefit of an HRE is the existence of security policies that belong in a secure DevOps implementation. Layering an existing DevOps implementation with security will benefit the HRE as a whole. This work is based on the authors' extensive experience in assessing and implementing DevOps across a diverse set of HREs. First, they extensively discuss the process of performing a DevOps assessment and implementation in an HRE. They follow this with a discussion of the needed security principles a DevOps-enhanced SDLC should include. 
For each security principle, the authors discuss their importance to the SDLC and their appropriate placement within a DevOps implementation. They refer to a security enhanced DevOps implementation in an HRE as HRE-DevSecOps.<\/jats:p>","DOI":"10.4018\/ijsssp.2018010102","type":"journal-article","created":{"date-parts":[[2019,1,7]],"date-time":"2019-01-07T16:28:07Z","timestamp":1546878487000},"page":"18-46","source":"Crossref","is-referenced-by-count":3,"title":["Weaving Security into DevOps Practices in Highly Regulated Environments"],"prefix":"10.4018","volume":"9","author":[{"given":"Jose Andre","family":"Morales","sequence":"first","affiliation":[{"name":"Software Engineering Institute, Carnegie Mellon University, Pittsburgh, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Hasan","family":"Yasar","sequence":"additional","affiliation":[{"name":"Software Engineering Institute, Carnegie Mellon University, Pittsburgh, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Aaron","family":"Volkmann","sequence":"additional","affiliation":[{"name":"Software Engineering Institute, Carnegie Mellon University, Pittsburgh, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"2432","reference":[{"key":"IJSSSP.2018010102-0","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2003.1159030"},{"key":"IJSSSP.2018010102-1","first-page":"280","article-title":"Organizational silos: Horizontal organizational fragmentation.","author":"S.Allcorn","year":"2002","journal-title":"Psychoanalysis, Culture & Society"},{"key":"IJSSSP.2018010102-2","doi-asserted-by":"crossref","unstructured":"Artac, M. (2017). DevOps: Introducing Infrastructure-as-Code. In IEEE\/ACM 39th International Conference on Software Engineering (ICSE-C) (pp. 
497\u2013498).","DOI":"10.1109\/ICSE-C.2017.162"},{"key":"IJSSSP.2018010102-3","author":"L.Bass","year":"2015","journal-title":"DevOps: A Software Architect\u2019s Perspective"},{"key":"IJSSSP.2018010102-4","doi-asserted-by":"publisher","DOI":"10.1016\/S0098-1354(00)00388-4"},{"key":"IJSSSP.2018010102-5","doi-asserted-by":"publisher","DOI":"10.1109\/32.29489"},{"key":"IJSSSP.2018010102-6","unstructured":"Bruza, M. R. (2018). An Analysis of Multi-Domain Command and Control and the Development of Software Solutions through DevOps Toolsets and Practices. Air Force Institute of Technology Wright-Patterson AFB OH. Retrieved from http:\/\/www.dtic.mil\/dtic\/tr\/fulltext\/u2\/1055982.pdf"},{"key":"IJSSSP.2018010102-7","doi-asserted-by":"publisher","DOI":"10.1145\/2492007.2492018"},{"key":"IJSSSP.2018010102-8","article-title":"DevOps for Federal Acquisition.","author":"R.Cagle","year":"2015","journal-title":"IEEE Software Technology Conference"},{"key":"IJSSSP.2018010102-9","doi-asserted-by":"publisher","DOI":"10.1109\/IPCC.2014.7020388"},{"key":"IJSSSP.2018010102-10","unstructured":"Dioguino, T. (2016). DevOps: Transforming Military Application Delivery Lifecycles. Hewlett Packard Enterprises. Retrieved from http:\/\/www.fedinsider.com"},{"key":"IJSSSP.2018010102-11","doi-asserted-by":"crossref","unstructured":"Dullmann, T. F., Paule, C., & Hoorn, A. V. (2018). Exploiting DevOps Practices for Dependable and Secure Continuous Delivery Pipelines. In IEEE\/ACM 4th International Workshop on Rapid Continuous Software Engineering (pp. 27\u201330).","DOI":"10.1145\/3194760.3194763"},{"key":"IJSSSP.2018010102-12","doi-asserted-by":"publisher","DOI":"10.1086\/260549"},{"key":"IJSSSP.2018010102-13","doi-asserted-by":"publisher","DOI":"10.1109\/MILCOM.2014.54"},{"key":"IJSSSP.2018010102-14","unstructured":"United States Federal Communications Commission (FCC). (n.d.). Retrieved from 
https:\/\/www.fcc.gov\/"},{"key":"IJSSSP.2018010102-15","unstructured":"United States Food and Drug Administration (FDA). (n.d.). Retrieved from https:\/\/www.fda.gov\/"},{"key":"IJSSSP.2018010102-16","doi-asserted-by":"publisher","DOI":"10.1109\/ICSM.2003.1235403"},{"key":"IJSSSP.2018010102-17","first-page":"436","author":"N.Forsgren","year":"2017","journal-title":"DORA Platform: DevOps Assessment and Benchmarking"},{"key":"IJSSSP.2018010102-18","first-page":"1","article-title":"Software Process. In","author":"A.Fuggetta","year":"2014","journal-title":"Proceedings of the on Future of Software Engineering"},{"key":"IJSSSP.2018010102-19","doi-asserted-by":"publisher","DOI":"10.1145\/1292414.1292416"},{"key":"IJSSSP.2018010102-20","article-title":"Automated whitebox fuzz testing.","author":"P.Godefroid","year":"2008","journal-title":"Proceedings of the Network and Distributed Systems Security Symposium"},{"key":"IJSSSP.2018010102-21","doi-asserted-by":"publisher","DOI":"10.1080\/02678370110113226"},{"key":"IJSSSP.2018010102-22","doi-asserted-by":"publisher","DOI":"10.1145\/2970276.2970358"},{"key":"IJSSSP.2018010102-23","unstructured":"Hoffman, K. (2016). Environment Parity. 
O\u2019Reilly Media."},{"key":"IJSSSP.2018010102-24","doi-asserted-by":"publisher","DOI":"10.2307\/2392666"},{"key":"IJSSSP.2018010102-25","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4302-4570-4"},{"key":"IJSSSP.2018010102-26","author":"W.Hummer","year":"2013","journal-title":"Testing Idempotence for Infrastructure as Code"},{"key":"IJSSSP.2018010102-27","author":"W.LaPlante","year":"2018","journal-title":"Design and Acquisition of Software for Defense Systems"},{"key":"IJSSSP.2018010102-28","article-title":"Secdevops: Is it a marketing buzzword?","author":"V.Mohan","year":"2016","journal-title":"Second International Workshop on Agile Secure Software Development"},{"key":"IJSSSP.2018010102-29","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-67383-7_2"},{"key":"IJSSSP.2018010102-30","unstructured":"Nuclear Energy Institute (NEI). (n.d.). Nuclear Power Plant Security and Access Control. Retrieved from https:\/\/www.nei.org\/Nuclear-Power-Plant-Security-and-Access-Control"},{"key":"IJSSSP.2018010102-31","first-page":"24","article-title":"Secure DevOps Foundations for Large-Scale Software Systems.","author":"D.O\u2019Neill","year":"2017","journal-title":"Crosstalk"},{"key":"IJSSSP.2018010102-32","doi-asserted-by":"publisher","DOI":"10.1109\/AGILE.2009.50"},{"key":"IJSSSP.2018010102-33","doi-asserted-by":"publisher","DOI":"10.1145\/2904354.2904372"},{"key":"IJSSSP.2018010102-34","unstructured":"Schwartz, P. M., & Solove, D. J. (2011). The PII problem: Privacy and a new concept of personally identifiable information. NYUL rev., 86, 1814."},{"key":"IJSSSP.2018010102-35","unstructured":"United States Securities and Exchange Commission. (n.d.). 
Retrieved from https:\/\/www.sec.gov\/"},{"key":"IJSSSP.2018010102-36","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-004-0194-4"},{"key":"IJSSSP.2018010102-37","article-title":"How Security can be the Next Force Multiplier in DevOps.","author":"A.Storms","year":"2015","journal-title":"RSA Conference"},{"key":"IJSSSP.2018010102-38","doi-asserted-by":"publisher","DOI":"10.1109\/INTECH.2015.7173368"},{"key":"IJSSSP.2018010102-39","doi-asserted-by":"publisher","DOI":"10.4018\/IJSSE.2016100103"}],"container-title":["International Journal of Systems and Software Security and Protection"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=221157","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,5]],"date-time":"2022-05-05T18:22:08Z","timestamp":1651774928000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/IJSSSP.2018010102"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2018,1]]},"references-count":40,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.4018\/ijsssp.2018010102","relation":{},"ISSN":["2640-4265","2640-4273"],"issn-type":[{"value":"2640-4265","type":"print"},{"value":"2640-4273","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,1]]}}}