The intersection of quality and security, DevSecOps with ROS and Gazebo

Following a series of funded efforts to improve the overall security of robotics software (and particularly ROS’s), I’m happy to open up and bring to discussion a first preliminar technical report Alias Robotics has released touching into how to add security to the development and operations cycle of roboticists (DevSecOps). The main objective of our work is to answer the following question: how do we integrate both security and quality in the robotics development cycle?

We launched a blog post summarizing our work so far. The technical report is also available here. Briefly, this first release provides a discussion (from a theoretical perspective, future efforts will extend it) on the current state, depicts a flow for secure development in robotics and puts together a series of recommendations and common practices from literature.

This work aligns to some extend with the ongoing discussion at REP-2004 and the work both the QA and Security WG are pushing. As pointed out, this first release is being extended with the use of such flow for the development of a real robotics application using ROS and Gazebo. It’s still unclear if we’ll be allowed to disclose the full results but we hope to at least collect further input and partially give back to the community some consolidated conclusions.

To fully implement this DevSecOps cycle, while developing, we are currently collecting input and evaluating different tools (some of which we pointed out a while ago here). We’d appreciate community input in the following aspects:

  • What’s your view on the intersection of quality and security? (see section 3 of our technical report for more background on our view, disagreements specially encouraged)
  • Which tools do you use for static analysis? and for dynamic analysis?
  • Which tools and practices do you employ to manage flaws in your robotic developments?
  • Which monitoring tools do you use in your robotic applications? and which ones for analysis of data?

Thanks!

6 Likes