Master's thesis

DevOps is not a goal, but a never-ending process of continual improvement [Kim et al. 2016]

DevOps is a software development methodology that promotes the integration of development and operational activities by automating development processes and monitoring performance and availability.

Despite the known benefits of increasing release speed and improving software quality, DevOps faces limitations regarding traditional security tools.

In particular, existing security tools are effective when applied to single targets, but they integrate poorly with one another and so cannot provide an aggregate result.

This is where the complexity of security analysis in microservice architectures lies: because of fragmentation and technological diversity, there are no solutions capable of providing a holistic assessment of the state of the system.

In this context, software assurance is an effective solution: it consists of a set of practices aimed at providing a level of confidence that the software satisfies one or more non-functional properties.

The proposed methodology is a continuous software assurance solution, designed for microservice infrastructures, that overcomes the limitations of existing security tools.

The proposed methodology was applied to a real case study: UrbanIoT, remote management software for public lighting systems and smart cities, based on the Mainflux framework.

In particular, various security analysis procedures, optimized for each technological layer, were implemented through MoonCloud, a platform for the continuous assessment of compliance and assurance for ICT applications and infrastructures.

The results from each technological layer are aggregated into a single result that provides different metrics for vulnerability assessment and three levels of risk: overall, per CWE, and per threat.

Quantitative evaluation demonstrated the effectiveness of the proposed approach:

  • 924 unique vulnerabilities (CVEs) detected across all layers.
  • 143 distinct CWE classes identified, including high-impact ones like CWE-400, CWE-20, and CWE-287.
  • 15 out of 25 threat families matched according to the defined threat model.
  • 38/100 overall risk score, computed by aggregating severity and CVSS v3 metrics.
  • The most affected threat was Nefarious activity/abuse, scoring 40/100.
  • Container image scans revealed 49 Critical and 131 High severity issues.
  • The audited edge device reached a 60/100 hardening index, revealing areas for improvement.

Through this structured and extensible methodology, the system delivers a continuous, cross-layer view of software vulnerabilities, enabling more informed decisions and a tangible increase in assurance.

Short description

DevSecOps-based methodology for cross-layer vulnerability assessment in IoT infrastructures