Homelab DevSecOps: Designing an Application Development Framework Aligned with Personal Data Protection in Resource-Constrained Computing Environments

Authors

  • Geraldo Martua, Faculty of Engineering, Universitas Indonesia, Indonesia

DOI:

https://doi.org/10.52436/1.jpti.1126

Keywords:

DevSecOps, GDPR, HomeLab, UU PDP

Abstract

Advances in application technology demand speed and efficiency, driving the adoption of DevOps as a collaborative application development model. However, this innovation has been accompanied by growing cyber threats and the risk of personal data leaks, prompting the evolution toward DevSecOps, which integrates security throughout the application development life cycle. This study addresses that challenge by designing a DevSecOps workflow model that complies with personal data protection regulations, specifically the GDPR and Indonesia's UU PDP, in a resource-constrained computing environment (homelab). The research methodology comprises five stages: literature study, design, implementation, testing and validation, and drawing conclusions. Based on the literature analysis, a DevSecOps workflow model was produced with seven phases: Plan, Code, Build, Test, Deploy, Operate, and Monitor. Each phase is reinforced with security activities, namely Threat Modeling, Static Application Security Testing (SAST), Container Scanning, Dynamic Application Security Testing (DAST), Compliance Assessment, Vulnerability Assessment, and File Integrity Monitoring (FIM) & Security Information and Event Management (SIEM). These activities are supported by tools aligned with personal data protection regulations. Testing was carried out on three intentionally vulnerable applications (OWASP Juice Shop, DVWA, DVJA). The tests successfully identified security gaps such as threat models, code vulnerabilities, infrastructure and container vulnerabilities, and regulatory non-compliance. These findings provide feedback to development, security, and operations teams for continuous improvement. This study contributes a DevSecOps workflow model that is tested, complete, relevant, and proven to be implementable in a resource-constrained computing environment. This DevSecOps model improves application security while ensuring compliance with applicable data protection regulations, serving as an important guide for secure application development.

Published

2025-11-24

How to Cite

Martua, G. (2025). Homelab DevSecOps: Perancangan Kerangka Kerja Pengembangan Aplikasi yang Selaras dengan Pelindungan Data Pribadi pada Lingkungan Komputasi Terbatas. Jurnal Pendidikan Dan Teknologi Indonesia, 5(11), 3420-3434. https://doi.org/10.52436/1.jpti.1126