DOI: 10.1145/3652620.3688335
Research article

Towards LowDevSecOps Framework for Low-Code Development: Integrating Process-Oriented Recommendations for Security Risk Management

Published: 31 October 2024

Abstract

The increasing demand for software solutions in the coming years will surpass the availability of IT talent, driving interest in citizen development and low-code approaches. However, the lack of technical insight among citizen developers poses potential security risks. This research aims to support businesses adopting citizen development by providing a framework that helps to proactively identify security risks and links each risk to the specific actors and tools needed during system design and development to mitigate it. Additionally, the framework helps to address knowledge gaps by outlining actionable steps to ensure secure low-code development practices. The research aims to answer the question: "How can contextual information be modeled in low-code platforms to proactively identify and address security-related issues, acting as a virtual mentor for citizen/low-code developers?" To answer this question, our research conceptualizes security risks from established frameworks and operational security methodologies into a practical framework that allows security risks to be mapped to the context of low-code development. This framework serves as a foundation for designing and integrating active, process-oriented guidance within low-code platforms using model-based automated prompts. This approach also aligns with DevSecOps principles, which allows the low-code approach and citizen development to extend into areas that currently may require manual coding and integration.


        Published In

        MODELS Companion '24: Proceedings of the ACM/IEEE 27th International Conference on Model Driven Engineering Languages and Systems
        September 2024
        1261 pages
        ISBN:9798400706226
        DOI:10.1145/3652620
Publisher: Association for Computing Machinery, New York, NY, United States

        Publication History

        Published: 31 October 2024

        Check for updates

        Author Tags

        1. low code development
        2. modeling
        3. recommenders
        4. security
        5. devops
        6. devsecops


        Acceptance Rates

        Overall Acceptance Rate 144 of 506 submissions, 28%
