Applying the SAFe methodology to integrate cybersecurity in large-scale IT projects


Mariia Stadnyk

Abstract

This study examines the integration of cybersecurity practices into the Scaled Agile Framework (SAFe) as a structured approach for securing large-scale IT projects. The research analyzes how DevSecOps activities (static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), container scanning, and configuration control) enhance the security of the Continuous Delivery Pipeline by enabling continuous vulnerability detection and reducing human-factor risks. Threat modeling methods, including STRIDE, PASTA, and LINDDUN, are evaluated for their effectiveness in identifying security risks at early design stages and informing architectural decisions. The study also highlights the role of Zero Trust principles, Architecture Decision Records, and Security Enablers in ensuring a resilient system architecture. Additional mechanisms, such as Security Backlog Items, enhanced Definition of Done criteria, and compliance tasks aligned with ISO/IEC 27001, GDPR, PCI DSS, and HIPAA, are shown to support regulatory adherence. The involvement of Security Champions significantly improves communication between development teams and security experts, fostering a stronger security culture. Overall, the findings demonstrate that SAFe provides a comprehensive foundation for integrating cybersecurity across organizational levels, thereby improving product reliability and operational resilience.

