Product Incremental Security Risk Assessment using DevSecOps Practices

Conference proceedings contribution
Publication date:
2022
Abstract:
Security risk assessment is often a heavy manual process, making it expensive to perform. DevOps, that aims at improving software quality and speed of delivery, as well as DevSecOps that augments DevOps with the automation of security activities, provide tools and procedures to automate the risk assessment. We propose a solution to integrate risk assessment with the DevSecOps activities and processes in order to make the risk assessment more continuous and automated. The solution is illustrated on a use case where a firewall is updated on robot vehicles while risk assessment is done in an iterative manner. This approach aims at making assessment (and certification such as EUCC) processes easier.
CRIS type:
04.01 Conference proceedings contribution
Keywords:
risk assessment; DevOps; DevSecOps; certification; incremental security; cybersecurity; STRIDE; EUCC
Author list:
Iadarola, Giacomo; Fagnano, Stefano; Martinelli, Fabio; Yautsiukhin, Artsiom
Institution authors:
MARTINELLI FABIO
YAUTSIUKHIN ARTSIOM
Link to the full record:
https://iris.cnr.it/handle/20.500.14243/444147