Resilient cloud cluster with DevSecOps security model, automates a data analysis, vulnerability search and risk calculation

Abed Saif Ahmed Alghawli, Tamara Radivilova

Research output: Contribution to journal › Article › peer-review

5 Scopus citations

Abstract

Automated, secure software development is an important digitalization task, solved with the DevSecOps approach. An important part of the DevSecOps approach is continuous risk assessment, which is necessary to identify and evaluate risk factors. Combining the development cycle with continuous risk assessment creates software development and operation synergies and minimizes vulnerabilities. The article presents the main methods of deploying web applications and ways to increase information security at all stages of product development. It also compares different types of infrastructures and cloud computing providers and analyzes modern tools used to automate processes. The cloud cluster was deployed using Terraform and the Jenkins pipeline, written in the Groovy programming language, which checks program code for vulnerabilities and allows you to fix violations at the earliest stages of developing secure web applications. The developed cluster implements the proposed algorithm for automated risk assessment based on the calculation (modeling) of cloud infrastructure threats and vulnerabilities, which operates in real-time, periodically collecting all information and adjusting the system according to the risk and applied controls. The algorithm for calculating risk and losses is based on statistical data and FAIR information risk assessment methodology. The risk value obtained using the proposed method is quantitative, which allows more efficient forecasting of information security costs in software development.

Original language: English
Pages (from-to): 136-149
Number of pages: 14
Journal: Alexandria Engineering Journal
Volume: 107
State: Published - Nov 2024

Keywords

  • Cybersecurity
  • DevSecOps
  • Digitalization
  • FAIR methodology
  • Risk assessment
