Cloud-Native DevSecOps: A Framework for Secure Continuous Delivery
DOI:
https://doi.org/10.47941/ijce.3104
Keywords:
DevSecOps, Cloud-Native Security, Continuous Integration, Security Automation, Kubernetes Security, GitOps, Container Security, Identity and Access Management (IAM)
Abstract
The shift to cloud-native architectures and continuous delivery pipelines has amplified the need for integrated, automated security practices. Traditional security models, which operate as isolated stages late in the development lifecycle, are insufficient to address the speed and complexity of modern software delivery. DevSecOps, a cultural and technical shift, aims to embed security into every phase of the DevOps pipeline. This paper presents a comprehensive framework for implementing DevSecOps in cloud-native environments, emphasizing secure automation, Infrastructure as Code (IaC), and continuous compliance. The proposed framework integrates static and dynamic code analysis, container and dependency scanning, identity and access management, and runtime monitoring across CI/CD workflows. I explore key tools and practices that enable policy enforcement and threat detection without hindering development velocity. A case study on Kubernetes with GitOps highlights practical implementation, while evaluations demonstrate an improved security posture and reduced time-to-remediation. The framework offers a scalable, repeatable approach to secure software delivery, ensuring regulatory compliance and resilience against emerging threats. Our findings underscore the critical importance of treating security as a shared responsibility, automated and codified across the software lifecycle.
Copyright (c) 2023 Rajesh Nadipalli

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution (CC-BY) 4.0 License that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.