Security-First Approaches to CI/CD in Cloud-Computing Platforms: Enhancing DevSecOps Practices
Keywords:
DevSecOps, CI/CD pipelines
Abstract
The rapid expansion of cloud computing platforms and CI/CD pipelines calls for security to be included throughout the development process. The paper seeks to enhance DevSecOps with security-first CI/CD pipelines for cloud computing. The DevOps paradigm, which stresses speed and agility, has come under scrutiny for security issues as businesses move to the cloud. This paper proposes DevSecOps, in which security is built into development to reduce vulnerabilities in cloud-native applications.
The paper starts with CI/CD pipeline principles and their relevance to contemporary software development. Security problems in cloud-based CI/CD systems arise from the dynamic and distributed character of cloud infrastructure. These include weak access controls, misconfigurations, insecure dependencies, and insufficient monitoring and logging. The study cautions that, through data leaks, regulatory non-compliance, and security breaches, these weaknesses might undermine the integrity and availability of corporate systems.
To turn DevOps into DevSecOps, the paper examines how to integrate security controls and practices throughout the CI/CD pipeline. Automation, infrastructure as code (IaC), and continuous security monitoring enforce security requirements in development, staging, and production environments. The paper surveys tools and technologies for CI/CD security automation and evaluates their capacity to follow industry standards and best practices, identify and fix vulnerabilities in real time, and provide actionable data.
License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.