Implementacja Praktyk DevSecOps w Środowiskach Chmurowych dla Infrastruktury Krytycznej: Analiza Integracji Bezpieczeństwa z Procesami CI/CD

Tomasz Janczewski

doi:10.58683/dnswsb.2064

Published : 2025-08-01

Vol. 108 No. 1 (2025)

Implementation of DevSecOps Practices in Critical Cloud-based Infrastructure: An Analysis of the Safety of CI/CD Processes

Tomasz Janczewski

DOI: https://doi.org/10.58683/dnswsb.2064

Abstract

Objective: This article aims to analyze the implementation of DevSecOps practices in cloud environments, with a particular focus on their application in critical infrastructure in the context of escalating cybersecurity threats.

Methods: The study includes a systematic review of the literature on DevSecOps, an analysis of security incidents in cloud applications, and an evaluation of security testing tools such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and Interactive Application Security Testing (IAST) within CI/CD pipelines.

Results: The findings indicate that integrating DevSecOps practices in cloud environments for critical infrastructure contributes to reducing the number of vulnerabilities detected in production and shortening the response time to security incidents. Furthermore, the automation of security testing in CI/CD pipelines enables the early detection and elimination of vulnerabilities while maintaining continuous software delivery.

Conclusions: The implementation of DevSecOps practices is a key factor in ensuring the security of critical infrastructure in cloud environments. A systematic approach to integrating security mechanisms throughout the software development lifecycle, the use of automated security testing tools, and continuous monitoring of the Software Bill of Materials (SBOM) form the foundation of an effective cybersecurity strategy. A significant challenge remains balancing security requirements with the need for rapid software delivery.

Keywords:

DevSecOps, cloud security, critical infrastructure, SAST, DAST, SCA, IAST, SBOM, CI/CD

Details

References

Statistics

Authors

Download files

pdf (Język Polski)

Citation rules

Janczewski, T. (2025). Implementation of DevSecOps Practices in Critical Cloud-based Infrastructure: An Analysis of the Safety of CI/CD Processes. Zeszyty Naukowe Wyższej Szkoły Bankowej W Poznaniu, 108(1). https://doi.org/10.58683/dnswsb.2064

Altmetric indicators

Cited by / Share

References

Alshamrani, A., Myneni, S., Chowdhary, A. i Huang, D. (2019). A survey on advanced persistent

threats: Techniques, solutions, challenges, and research opportunities. IEEE

Communications Surveys & Tutorials, 21(2), 1851–1877.

AmberTeam Testing. (2024). Testy bezpieczeństwa: Static Application Security Testing (SAST).

https://amberteam.pl/testy-bezpieczenstwa/sast/

Bass, L., Weber, I. i Zhu, L. (2015). DevOps: A software architect’s perspective. Addison-Wesley

Professional.

CISA. (2023). How to Proactively use an SBOM for Vulnerability Monitoring. Cybersecurity

and Infrastructure Security Agency. https://www.cisa.gov/sites/default/files/2023-02/

How%20to%20Proactively%20use%20an%20SBOM%20for%20Vulnerability%20Monitoring%

c.pdf

European Parliament and Council. (2022, 27 grudnia). Directive (EU ) 2022/2555 on measures

for a high common level of cybersecurity across the Union, amending Regulation (EU )

No 910/2014 and Directive (EU ) 2018/1972, and repealing Directive (EU ) 2016/1148 (NIS2

Directive). Official Journal of the European Union, L 333, 80–152.

Forward Security. (2020). SAST, SCA, DAST, IAST, RASP: What They Are and How You Can

Automate Application Security. Forward Security. https://forwardsecurity.com/sast-sca-

-dast-iast-rasp-what-they-are-and-how-you-can-automate-application-security/

Gartner. (2021). Magic Quadrant for Application Security Testing, May 2021. Gartner Research.

Hashizume, K., Rosado, D.G., Fernandez-Medina, E., & Fernandez, E.B. (2013). An analysis

of security issues for cloud computing. Future Generation Computer Systems, 29(3),

–1231. https://doi.org/10.1016/j.future.2012.06.006

Leppanen, T., Honkaranta, A. i Costin, A. (2022). Trends for the DevOps Security: A Systematic

Literature Review. W: B. Shishkov (red.), Business Modeling and Software

Design (s. 200–217). Springer International Publishing. https://doi.org/10.1007/978-3-

-11510-3_12

Mahmood, R. i Mahmoud, Q.H. (2018). Evaluation of Static Analysis Tools for Finding Vulnerabilities

in Java and C/C++ Source Code. arXiv preprint arXiv:1805.09040. https://arxiv.

org/abs/1805.09040

Makani, S.T. i Jangampeta, S. (2021). DevOps Security Tools Evaluating Effectiveness in

Detecting and Fixing Security Holes. International Journal of DevOps (IJDO), 1(2), 1–12.

https://iaeme.com/Home/issue/IJDO?Volume=1&Issue=2

Mohan, V. i Othmane, L.B. (2016). SecDevOps: Is it a marketing buzzword? Mapping research

on security in DevOps. In Proceedings of the International Conference on Availability,

Reliability and Security (ARES) (s. 542–547). IEEE. https://doi.org/10.1109/ARES.2016.10

Myrbakken, H. i Colomo-Palacios, R. (2017). DevSecOps: A multivocal literature review.

W: R.V. O’Connor, R. Conboy, R.V.B. Machado, M.M.A. Barry, & B.K.O. Conchuir (red.),

Software Process Improvement and Capability Determination (s. 17–29). Communications

in Computer and Information Science, 770. Springer. https://doi.org/10.1007/978-3-

-67383-7_2

OWASP. (2021). OWASP Top Ten 2021. Open Web Application Security Project. https://owasp.

org/Top10/

OWASP. (2023). Interactive Application Security Testing (IAST) — OWASP DevSecOps Guideline.

Open Web Application Security Project. https://owasp.org/www-project-devsecops-

-guideline/latest/02c-Interactive-Application-Security-Testing

Rajapakse, R.N., Zahedi, M., Babar, M.A. i Shen, H. (2022). Challenges and solutions when

adopting DevSecOps: A systematic review. Information and Software Technology, 141,

https://doi.org/10.1016/j.infsof.2021.106700

Rittinghouse, J.W. i Ransome, J.F. (2010). Cloud computing: Implementation, management,

and security. CRC Press.

Tondel, I.A., Line, M.B. i Jaatun, M.G. (2015). Current practices and challenges in industrial

control organizations regarding information security incident management — Does

size matter? International Journal of Critical Infrastructure Protection, 12, 1–11. https://

doi.org/10.1016/j.ijcip.2015.12.003

U.S. Senate Committee on Homeland Security and Governmental Affairs. (2018). How Equifax

neglected cybersecurity and suffered a devastating data breach. United States Senate

Report. https://www.hsgac.senate.gov/wp-content/uploads/imo/media/doc/FINAL%20

Equifax%20Report.pdf