
Student: 楊絮媛 (Hsu-Yuan Yang)
Thesis title: Construction and Research of Cloud-Native DevSecOps Process Architecture (雲原生DevSecOps流程架構之構建與研究)
Advisor: 黃世禎 (Shih-Chen Huang)
Committee members: 陳恭 (Kung Chen), 魏小蘭 (Hsiao-Lan Wei)
Degree: Master
Department: Department of Information Management, College of Management
Year of publication: 2023
Graduation academic year: 111
Language: Chinese
Pages: 90
Keywords (Chinese, translated): DevOps, DevSecOps, Cloud-Native, Cloud-Native Development, Secure Development Life Cycle
Keywords (English): DevOps, DevSecOps, Cloud-Native, Cloud-Native Development, Secure Software Development Life Cycle
Abstract (Chinese, translated):
With the development of technology and enterprise needs, cloud-native technology has gradually become mainstream. However, the three cores of cloud-native, containers, microservices and DevOps, give it a distributed nature and a degree of automation that make it more vulnerable to attack, and traditional security measures often struggle to cope. Defining and optimizing DevOps and DevSecOps security measures and processes for cloud-native environments has therefore become more important.
This study explores how to integrate security principles (Security) into development (Development) and operations (Operations) practice in a cloud-native development environment, namely DevSecOps. We incorporate the international security standards ISO 27001, OWASP and NIST SP 800-190, Taiwan's Executive Yuan Regulations on Information System Classification and Cybersecurity Protection Baseline, and SSDLC into the DevSecOps process, define the corresponding security measures, discuss in detail how these measures are implemented in the cloud-native domain, and quantify the relationship between these measures and overall security.
The results show that all 21 proposed security measures have a significant positive effect on overall security. Standardized regression coefficients are used to assess how much each of the 21 measures contributes to overall security, and the measures are divided into high, medium and low categories accordingly.
Through this study we hope academia will gain a better understanding of DevSecOps practice in cloud-native environments and of how much it contributes to overall security. Industry, especially enterprises facing cloud-native security challenges, can use these results to customize a DevSecOps process and set of security measures that is more suitable and effective for them.


Abstract (English):
With the advancement of technology and business needs, cloud-native technologies are gradually becoming mainstream. However, because of the three core components of cloud-native technology, containers, microservices, and DevOps, its decentralized nature and high level of automation make it more susceptible to attacks, and traditional security measures often struggle to cope with these challenges. Formulating and optimizing security measures and procedures for DevOps and DevSecOps in a cloud-native environment has therefore become increasingly important.
The aim of this research is to investigate how to incorporate Security principles (Sec) into Development (Dev) and Operations (Ops) practices, i.e., DevSecOps, in a cloud-native development environment. We integrate international security standards, such as ISO 27001, OWASP, and the NIST SP 800 series, into the DevSecOps process, formulate relevant security tasks, discuss in detail the practical implementation of these tasks in the cloud-native domain, and quantify the relationship between these tasks and overall security.
Our results show that the proposed 21 tasks have a significant positive influence on overall security. We use standardized regression coefficients to evaluate the degree to which each of the 21 tasks helps overall security and divide the tasks into high, medium, and low categories.
Through this research, we hope that academia will gain a better understanding of DevSecOps practice in a cloud-native environment and of its contribution to overall security, and will be able to apply this understanding to other fields or contexts. Industry, especially companies facing the challenge of cloud-native security, can customize a more suitable and effective DevSecOps process and framework based on the results of this research.

Table of contents:
Chapter 1 Introduction
  1.1 Research background
  1.2 Research motivation
  1.3 Research objectives
  1.4 Research process
Chapter 2 Literature review
  2.1 DevOps
  2.2 DevSecOps
  2.3 Cloud-native development
  2.4 OWASP
  2.5 ISO 27001
  2.6 NIST SP 800
  2.7 Executive Yuan Regulations on Information System Classification and Cybersecurity Protection Baseline
  2.8 SSDLC Check List
Chapter 3 Research method
  3.1 Research framework
    3.1.1 DevSecOps base architecture
    3.1.2 International standards and guidelines referenced in defining the cloud-native DevSecOps process
    3.1.3 Structure of the defined cloud-native DevSecOps process
  3.2 Cloud-native DevSecOps process
    3.2.1 Overview
    3.2.2 Purpose
    3.2.3 The process defined in this study
  3.3 Security measures and work items for each stage of cloud-native DevSecOps
    3.3.1 Plan
    3.3.2 Code
    3.3.3 Build
    3.3.4 Test
    3.3.5 Release and Deploy
    3.3.6 Operate and Monitor
  3.4 Questionnaire design
    3.4.1 Questionnaire design
    3.4.2 Questionnaire survey
    3.4.3 Research subjects
    3.4.4 Data analysis methods
Chapter 4 Analysis of results
  4.1 Data collection
  4.2 Descriptive statistics
    4.2.1 Descriptive statistics of respondent profiles
    4.2.2 Descriptive statistics of cloud-native DevSecOps security measures
  4.3 Pearson product-moment correlation coefficient
  4.4 Regression analysis
    4.4.1 Residual analysis
    4.4.2 Significance testing
    4.4.3 Collinearity testing
    4.4.4 Model explanatory power
    4.4.5 Parameter estimation and interpretation
  4.5 Results and discussion
    4.5.1 Summary of statistical analysis
    4.5.2 Overall ranking of security measures by contribution to overall security
    4.5.3 Benefit analysis of each stage for overall security
    4.5.4 Influence levels of security measures on overall security
Chapter 5 Discussion and recommendations
  5.1 Conclusion
  5.2 Research contributions
  5.3 Research limitations
  5.4 Suggestions for future research
References


Full-text release date: 2026/07/21 (campus network)
Full-text release date: 2033/07/21 (off-campus network)
Full-text release date: 2053/07/21 (National Central Library: Taiwan thesis system)