Paper Type

Complete

Abstract

Internal developer platforms are emerging as a means of reducing the cognitive burden on software developers. They integrate independent DevOps tools into a unified framework and present a streamlined path to code publication. Forward-looking organizations have begun to adopt internal developer platforms in order to improve the efficiency and work experience among their software teams. This transition significantly alters the organization’s software development and deployment architecture. The purpose of this research is to examine the architectural changes in terms of risk management. A semi-quantitative risk analysis of the old and new architectures is performed. The architectures are compared in terms of 74 specific threat vectors. Two high-level implications are: (1) the internal developer platform provides the security team with a centralized point of control over network and authentication parameters and (2) it expands the software attack surface and creates a priority target for attackers. Further implications are discussed.

Paper Number

1412

Author Connect URL

https://authorconnect.aisnet.org/conferences/AMCIS2024/papers/1412

Comments

SIGSEC

Aug 16th, 12:00 AM

Analyzing Risks to Internal Developer Platforms
