DevSecOps in Robotics

Quality in software is often understood as "execution according to design purpose", whereas security means that "software will not put data or computing systems at risk of unauthorized access." There seems to be a connection between these two aspects, but how do we integrate both of them in the robotics development cycle? In this article we introduce DevSecOps in Robotics, a set of best practices designed to help roboticists implant security deep in the heart of their development and operations processes. First, we briefly describe DevOps, introduce the value added by DevSecOps, and describe and illustrate how these practices may be implemented in the robotics field. We conclude with a discussion of the relationship between security, quality and safety, open problems, and future research questions.
