{"title":"FOBICS: Assessing project security level through a metrics framework that evaluates DevSecOps performance","authors":"Alessandro Caniglia, Vincenzo Dentamaro, Stefano Galantucci, Donato Impedovo","doi":"10.1016/j.infsof.2024.107605","DOIUrl":null,"url":null,"abstract":"<div><h3>Context:</h3><div>In today’s software development landscape, the DevSecOps approach has gained traction due to its focus on the software development process and bolstering security measures in projects, a task in light of the ever-evolving cybersecurity threats.</div></div><div><h3>Objective:</h3><div>This study aims to address the lack of metrics for quantitatively assessing its efficacy from both security and business logic perspectives.</div></div><div><h3>Methods:</h3><div>To tackle this issue, the research introduces the Framework of Business Index Concerning Security (FOBICS), a set of metrics designed to enable transparent evaluations of project security. FOBICS considers various perspectives relevant to DevSecOps practices. It includes factors such as project duration and financial outcomes, making it appealing for implementation in business settings.</div></div><div><h3>Results:</h3><div>The effectiveness of FOBICS is validated theoretically and empirically via its application in two real-world projects: the results from these implementations show a correlation between FOBICS metrics and the security strategies employed as the development methodologies adopted by diverse teams throughout the projects.</div></div><div><h3>Conclusion:</h3><div>Hence, FOBICS emerges as a tool for assessing and continuously monitoring project security, offering insights into areas of strength and areas that may require enhancement. FOBICS is shown to be effective in assessing the level of DevSecOps implementation. The ease of calculating FOBICS metrics makes them easily interpretable and continuously verifiable. Moreover, FOBICS summarizes most of the other quantitative and qualitative metrics in the literature.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"178 ","pages":"Article 107605"},"PeriodicalIF":3.8000,"publicationDate":"2024-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information and Software Technology","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0950584924002106","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
Abstract
Context:
In today’s software development landscape, the DevSecOps approach has gained traction due to its focus on the software development process and bolstering security measures in projects, a task in light of the ever-evolving cybersecurity threats.
Objective:
This study aims to address the lack of metrics for quantitatively assessing its efficacy from both security and business logic perspectives.
Methods:
To tackle this issue, the research introduces the Framework of Business Index Concerning Security (FOBICS), a set of metrics designed to enable transparent evaluations of project security. FOBICS considers various perspectives relevant to DevSecOps practices. It includes factors such as project duration and financial outcomes, making it appealing for implementation in business settings.
Results:
The effectiveness of FOBICS is validated theoretically and empirically via its application in two real-world projects: the results from these implementations show a correlation between FOBICS metrics and the security strategies employed as the development methodologies adopted by diverse teams throughout the projects.
Conclusion:
Hence, FOBICS emerges as a tool for assessing and continuously monitoring project security, offering insights into areas of strength and areas that may require enhancement. FOBICS is shown to be effective in assessing the level of DevSecOps implementation. The ease of calculating FOBICS metrics makes them easily interpretable and continuously verifiable. Moreover, FOBICS summarizes most of the other quantitative and qualitative metrics in the literature.
期刊介绍:
Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal''s scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include:
• Software management, quality and metrics,
• Software processes,
• Software architecture, modelling, specification, design and programming
• Functional and non-functional software requirements
• Software testing and verification & validation
• Empirical studies of all aspects of engineering and managing software development
Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information.
The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premiere outlet for systematic literature studies in software engineering.