Automating Cybersecurity Compliance in DevSecOps with Open Information Model for Security as Code

Video Link: https://www.youtube.com/watch?v=swfCGXVWSU4

"Software development teams meet increasing requirements to implement cybersecurity management in compliance with standards and regulations. However, adopting a compliant cybersecurity management system and DevSecOps practices as part of a software development process has turned out to be tedious and expensive in practice. Open-source communities and open ecosystems, which lack tools and realistic practices for compliant cybersecurity management, face these difficulties as well.

This paper suggests a set of requirements and a solution that are based on long-term experience in adopting standard-compliant DevSecOps processes in industry. The proposed solution, called Cyberismo, facilitates the adoption of compliance and cybersecurity management, improves collaboration on cybersecurity in company-internal projects, cross-company projects, and open-source projects, and automates the compliance and cybersecurity management in software development by way of an open information model representation format, and an open-source tool to manage the information model. As the information model uses a simple plain text format that can be managed by automated DevSecOps tool chains, it can be understood as an instance of the Everything as Code and Security as Code paradigms.

The proposed solution is designed as modular, tailorable to the organisation and its existing tools, and flexible enough to model both process- and technology-related information. It automates both the validation of how compliance requirements have been met and the gathering and archiving of evidence of compliance.

The information model is mapped to a logic program conforming to the Answer Set Programming (ASP) paradigm for knowledge representation. The mapping enables flexible query evaluation and reasoning, including the calculation of performance measures and automated policy checks. However, developers, product owners and other end-users of the solution do not necessarily need to know how to write logic programs, as logic programs can be encapsulated in content modules made available for the users. By putting the ease of adoption of compliant DevSecOps processes by the practitioners in the spotlight, this paper concludes that it is both necessary and possible to meet all the proposed requirements."
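The abstract describes mapping a plain-text information model to an Answer Set Programming logic program so that policy checks and performance measures become queries over that program. The block below is an added illustration of that idea in clingo-style ASP syntax; it is not Cyberismo's actual file format, module content or rule set. The facts (requirements, controls, evidence records, the cutoff date) are constructed sample data, and the predicate names are assumptions chosen for the example.

```prolog
% Added example, not from the paper or the Cyberismo project.
% A minimal "security as code" information model expressed as ASP facts,
% followed by policy rules that derive compliance findings from it.
% Predicate names and all data are constructed for illustration.

% --- Information model (in practice these facts would be generated from
%     plain-text files kept in the repository alongside the code) ---
requirement(r1, "Threat model exists").
requirement(r2, "Dependencies scanned in CI").
requirement(r3, "No secrets committed to the repository").

% control(ControlId, RequirementId): which control addresses which requirement.
control(c1, r1).
control(c2, r2).
control(c3, r3).

% Controls the team has marked as implemented.
implemented(c1).
implemented(c2).

% evidence(EvidenceId, ControlId, Kind, DateYYYYMMDD): archived proof of compliance.
evidence(e1, c1, document,  20240901).
evidence(e2, c2, ci_report, 20241201).
% Note: c3 is neither implemented nor evidenced.

% Policy parameter: evidence dated before this day counts as stale.
cutoff(20241001).

% --- Policy rules (the "automated policy checks" of the abstract) ---
% A control is satisfied only when it is implemented AND has fresh evidence.
fresh_evidence(E) :- evidence(E, _, _, D), cutoff(T), D >= T.
satisfied(C)      :- control(C, _), implemented(C), evidence(E, C, _, _), fresh_evidence(E).

% A requirement is unmet if any control mapped to it is not satisfied;
% otherwise it is met.
unmet(R) :- requirement(R, _), control(C, R), not satisfied(C).
met(R)   :- requirement(R, _), not unmet(R).

% Findings that a reviewer would want listed explicitly.
stale(E)        :- evidence(E, _, _, _), not fresh_evidence(E).
no_evidence(C)  :- control(C, _), not evidence(_, C, _, _).

% Performance measures as aggregates over the model.
met_count(N)   :- N = #count { R : met(R) }.
total_count(N) :- N = #count { R : requirement(R, _) }.

#show unmet/1.
#show stale/1.
#show no_evidence/1.
#show met_count/1.
#show total_count/1.
```

Running this with `clingo model.lp` yields a single answer set containing `unmet(r1)` (its only evidence `e1` is stale), `unmet(r3)`, `stale(e1)`, `no_evidence(c3)`, `met_count(1)` and `total_count(3)`. Because the rules use only stratified negation, the result is deterministic; a DevSecOps pipeline can fail the build when any `unmet/1` atom is derived, and archive the answer set itself as evidence of the check having run.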




Other Videos By Eclipse Foundation

2024-12-11 Theia IDE: The Why, the How and the Future
2024-12-10 Open Source Facing European Regulation: What's the Plan? - OCX 2024
2024-12-10 Eyes Wide Open, AIs Wide Open - Or How to Remain in Control in the Age of AI - OCX 2024
2024-12-10 Enhancing Software Supply Chain Security: Approaches to Software Composition Analysis - OCX 2024
2024-12-10 Zero Install Embedded C/C++ Development Running GDB in the Browser with WebAssembly
2024-12-10 TMLL Trace Server Machine Learning Library, Use AI for Trace Analysis
2024-12-10 Listening, Learning, Leading: The Road to the Open Source AI Definition - OCX 2024
2024-12-09 Christofer Dutz on Fostering Open Source in Industrial Automation
2024-12-08 Francisco Carneiro on Why Joining the Eclipse Foundation and Open Source Benefits Businesses
2024-12-08 What is next? Towards Dataspace Interoperability: Open standardisation and implementation
2024-12-05 Automating Cybersecurity Compliance in DevSecOps with Open Information Model for Security as Code
2024-12-02 Eclipse IDE November 2024 Community Call: Engage and Shape the Future of SWT
2024-12-02 Industrial Toolchains in the Era of Generative AI - OCX 2024
2024-12-02 Mastering Target Platform Migrations: Challenges, Resources, and Best Practices - OCX 2024
2024-12-02 Eclipse Theia - News from the Next Gen Tools Platform - OCX 2024
2024-12-02 Enhancing Custom IDEs with AI: Strategies, Use Cases, and Pitfalls - OCX 2024
2024-12-02 Integrating AI with Domain-Specific Tools: Practical Insights and Techniques - OCX 2024
2024-12-02 The State of the Eclipse Foundation - OCX 2024
2024-12-02 Eclipse ThreadX: A Star is (Re)born - OCX 2024
2024-12-02 Hello World+ projects to test and benchmark software composition analysis tools - OCX 2024
2024-12-01 The future of cybersecurity, today: Free and open source tools for CRA compliance for SMEs - OCX 24