Framework for IT DevSecOps Governance to enable Continuous Security - ON-121

Preferred Disciplines and Level: Computer Science, Computer Engineering, Electrical Engineering, PhD
Company: Security Compass
Project Length: 6 months (1 unit)
Desired start date: April 2018
Location: Toronto, Ontario
No. of Positions: 2 interns
Preferences: University of Toronto, University of Waterloo, University of Ottawa, Carleton University, University of New Brunswick. Language: English

About the Company: 

Security Compass is a leader in helping businesses proactively make their software secure and reduce the risk of cyber security breaches. Offering advisory services, training, and SD Elements, the leading Application Security Requirements and Threat Modeling (ASRTM) platform, Security Compass enables development teams to rapidly and efficiently deliver software that’s secure by default. Security Compass serves some of the world's largest businesses including seven of the 15 largest financial institutions and four of the 10 largest technology companies in North America.

Project Description:

We want to create an enterprise-wide DevSecOps framework that enables the development and execution of IT procedures derived from security and compliance policies. We want to understand what governance and controls need to be in place for this to be realized in very large, complex organizations.

Research Objectives:

  • Develop a governance framework (roles, processes, escalations)
  • Apply the framework in a real client setting
  • Collect objective and subjective data on what did and did not work


  • Conduct a landscape review of existing DevOps governance, Software/Infrastructure Security governance, and IT GRC frameworks
  • Tag the literature with relevant concepts to create an ontological model of the domain
  • Extend the ontology to address gaps and create a framework from that ontology
  • Conduct a proof of concept with a real client
  • Conduct a survey of client participants and collect observable data
  • Publish the results of the findings

Expertise and Skills Needed:

  • Understanding of Security, Software Development, and/or Infrastructure/Operations domains
  • Formulation of IT strategy and IT governance
  • IT GRC (nice to have)

For more info or to apply to this applied research position, please

  1. Check your eligibility and find more information about open projects.

  2. Interested students need to get the approval from their supervisor and send their CV along with a link to their supervisor’s university webpage by applying through the webform.