A DevSecOps approach for releasing a security-hardened IRIS integrated platform

Undoubtedly, system integration of a large-scale project has traditionally been complex and challenging, even more so for a cybersecurity project that poses strict additional security requirements. The continuous development, integration and testing tasks of such a project, IRIS included, should be driven by the highest security standards.

Netcompany-Intrasoft S.A. (INTRA) leads Work Package 6 of the IRIS project, “IRIS platform Integration and Testing”, which adopts a DevSecOps approach. Netcompany-Intrasoft is a leading European IT Solutions and Services Group with a strong international presence and vast experience in H2020 projects, in key roles such as Project Coordinator, Technical Coordinator, System Architect and System Integrator, among others.

The aim of WP6 is to define an adequate continuous integration and testing (CI) and continuous delivery (CD) framework, together with the supporting CI/CD tools, so that the relevant activities are automated and effective in delivering stable and mature IRIS platform releases. In addition, within WP6 IRIS adopts a DevSecOps approach that augments the development, integration, testing and delivery tasks with the security testing tasks required to build trust in the integrated IRIS platform among its target end users, namely security operators of critical infrastructures/services and CERT/CSIRT authorities. DevSecOps, short for development, security and operations, automates the integration of security at every phase of the software development lifecycle, as shown in the figure below, in contrast to the standard DevOps approach.

DevSecOps incorporates security vulnerability testing practices, among others, into the well-known DevOps approach. Such testing methods comprise Static Application Security Testing (SAST), applied to the source code of a module or of the platform, and Dynamic Application Security Testing (DAST), applied to the built modules or platform while in operation.

SAST (white-box testing) checks the source code for potential vulnerabilities and back doors without executing it. SAST helps discover known weakness patterns in the source code, whilst DAST (black-box testing) can determine security vulnerabilities linked to the operational deployment of an application.
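To make the SAST/DAST distinction concrete, the following added example (not IRIS project code, and not tied to the tools WP6 deploys) implements a toy of each: a SAST rule set that walks the Python AST of a constructed sample source without running it, and a DAST check that requests a page from a constructed local demo application and reports missing security response headers. The rules, the sample source, the demo handler and the header list are all assumptions chosen for illustration.

```python
import ast
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# --- SAST: inspect source text, never execute it --------------------------

# Constructed sample source with three weaknesses the scanner should flag.
SAMPLE_SOURCE = '''
import os, subprocess

DB_PASSWORD = "hunter2"        # hard-coded secret

def run(cmd):
    return subprocess.call(cmd, shell=True)   # shell=True with untrusted input

def calc(expr):
    return eval(expr)          # arbitrary code execution
'''

SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")
DANGEROUS_CALLS = {"eval", "exec"}


def sast_scan(source: str) -> list:
    """Return sorted (line, finding) pairs found by walking the AST of `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Hard-coded credential: NAME = "literal" where NAME looks secret-like
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and any(k in target.id.lower() for k in SECRET_NAMES)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)):
                    findings.append((node.lineno, f"hard-coded secret in {target.id}"))
        elif isinstance(node, ast.Call):
            # eval()/exec() on arbitrary input
            if isinstance(node.func, ast.Name) and node.func.id in DANGEROUS_CALLS:
                findings.append((node.lineno, f"call to {node.func.id}()"))
            # any call passing shell=True (subprocess.call/run/Popen)
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, "subprocess call with shell=True"))
    return sorted(findings)


# --- DAST: probe the running application from the outside -----------------

# Assumed baseline of response headers the running app should send.
EXPECTED_HEADERS = {
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "Strict-Transport-Security",
}


def dast_check_headers(headers) -> list:
    """Return the expected security headers missing from an HTTP response.

    `headers` is any mapping with a keys() method, e.g. a plain dict or the
    HTTPMessage found on urlopen(...).headers; comparison is case-insensitive.
    """
    present = {k.lower() for k in headers.keys()}
    return sorted(h for h in EXPECTED_HEADERS if h.lower() not in present)


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed target app: answers 200 with only Content-Type set."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass


def dast_probe_local() -> list:
    """Start the demo app on a free loopback port, request /, check headers."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with urlopen(f"http://127.0.0.1:{server.server_port}/") as resp:
            return dast_check_headers(resp.headers)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for line, msg in sast_scan(SAMPLE_SOURCE):
        print(f"SAST  line {line}: {msg}")
    for h in dast_probe_local():
        print(f"DAST  missing header: {h}")
```

The SAST half only needs the text of the program, which is why it can run on every commit before anything is built; the DAST half needs a deployed instance to talk to, which is why it belongs after the build and deployment stages of the pipeline. Real SAST and DAST tools apply far larger rule sets, but the split between the two phases is the same.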

WP6 started in April 2022 with activities focused on preparing the cloud computing infrastructure that hosts the CI/CD tools, including the SAST and DAST ones, and on installing and configuring those tools so that IRIS component developers can use them throughout the entire software development lifecycle of the integrated IRIS platform.