Revisit security in the era of DevOps: An evidence‐based inquiry into DevSecOps industry
Abstract By adopting agile and lean practices, DevOps aims to achieve rapid value delivery by speeding up development and deployment cycles, which however lead to more security concerns that cannot be fully addressed by an isolated security role only in the final stage of development. DevSecOps prom...
Saved in:
| Main Authors: | , , , , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Wiley
2023-08-01
|
| Series: | IET Software |
| Subjects: | |
| Online Access: | https://doi.org/10.1049/sfw2.12132 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1849471175952957440 |
|---|---|
| author | Xin Zhou Runfeng Mao He Zhang Qiming Dai Huang Huang Haifeng Shen Jingyue Li Guoping Rong |
| author_facet | Xin Zhou Runfeng Mao He Zhang Qiming Dai Huang Huang Haifeng Shen Jingyue Li Guoping Rong |
| author_sort | Xin Zhou |
| collection | DOAJ |
| description | Abstract By adopting agile and lean practices, DevOps aims to achieve rapid value delivery by speeding up development and deployment cycles, which however lead to more security concerns that cannot be fully addressed by an isolated security role only in the final stage of development. DevSecOps promotes security as a shared responsibility integrated into the DevOps process that seamlessly intertwines development, operations, and security from the start throughout to the end of cycles. While some companies have already begun to embrace this new strategy, both industry and academia are still seeking a common understanding of the DevSecOps movement. The goal of this study is to report the state‐of‐the‐practice of DevSecOps, including the impact of DevOps on security, practitioners' understanding of DevSecOps, and the practices associated with DevSecOps as well as the challenges of implementing DevSecOps. The authors used a mixed‐methods approach for this research. The authors carried out a grey literature review on DevSecOps, and surveyed the practitioners of DevSecOps in industry of China. The status quo of DevSecOps in industry is summarized. Three major software security risks are identified with DevOps, where the establishment of DevOps pipeline provides opportunities for security‐related activities. The authors classify the interpretations of DevSecOps into three core aspects of DevSecOps capabilities, cultural enablers, and technological enablers. To materialise the interpretations into daily software production activities, the recommended DevSecOps practices from three perspectives—people, process, and technology. Although a preliminary consensus is that DevSecOps is regarded as an extension of DevOps, there is a debate on whether DevSecOps is a superfluous term. While DevSecOps is attracting an increasing attention by industry, it is still in its infancy and more effort needs to be invested to promote it in both research and industry communities. |
| format | Article |
| id | doaj-art-cff0e956710e4369ba77c3eb634d52bb |
| institution | Kabale University |
| issn | 1751-8806 1751-8814 |
| language | English |
| publishDate | 2023-08-01 |
| publisher | Wiley |
| record_format | Article |
| series | IET Software |
| spelling | doaj-art-cff0e956710e4369ba77c3eb634d52bb2025-08-20T03:24:55ZengWileyIET Software1751-88061751-88142023-08-0117443545410.1049/sfw2.12132Revisit security in the era of DevOps: An evidence‐based inquiry into DevSecOps industryXin Zhou0Runfeng Mao1He Zhang2Qiming Dai3Huang Huang4Haifeng Shen5Jingyue Li6Guoping Rong7State Key Laboratory for Novel Software Technology Software Institute Nanjing University Nanjing ChinaState Key Laboratory for Novel Software Technology Software Institute Nanjing University Nanjing ChinaState Key Laboratory for Novel Software Technology Software Institute Nanjing University Nanjing ChinaHuatai Securities Co., Ltd. Nanjing ChinaState Grid Nanjing Power Supply Company Nanjing ChinaPeter Faber Business School Australian Catholic University Sydney New South Wales AustraliaNorwegian University of Science and Technology Trondheim NorwayState Key Laboratory for Novel Software Technology Software Institute Nanjing University Nanjing ChinaAbstract By adopting agile and lean practices, DevOps aims to achieve rapid value delivery by speeding up development and deployment cycles, which however lead to more security concerns that cannot be fully addressed by an isolated security role only in the final stage of development. DevSecOps promotes security as a shared responsibility integrated into the DevOps process that seamlessly intertwines development, operations, and security from the start throughout to the end of cycles. While some companies have already begun to embrace this new strategy, both industry and academia are still seeking a common understanding of the DevSecOps movement. The goal of this study is to report the state‐of‐the‐practice of DevSecOps, including the impact of DevOps on security, practitioners' understanding of DevSecOps, and the practices associated with DevSecOps as well as the challenges of implementing DevSecOps. The authors used a mixed‐methods approach for this research. The authors carried out a grey literature review on DevSecOps, and surveyed the practitioners of DevSecOps in industry of China. The status quo of DevSecOps in industry is summarized. Three major software security risks are identified with DevOps, where the establishment of DevOps pipeline provides opportunities for security‐related activities. The authors classify the interpretations of DevSecOps into three core aspects of DevSecOps capabilities, cultural enablers, and technological enablers. To materialise the interpretations into daily software production activities, the recommended DevSecOps practices from three perspectives—people, process, and technology. Although a preliminary consensus is that DevSecOps is regarded as an extension of DevOps, there is a debate on whether DevSecOps is a superfluous term. While DevSecOps is attracting an increasing attention by industry, it is still in its infancy and more effort needs to be invested to promote it in both research and industry communities.https://doi.org/10.1049/sfw2.12132software development managementsoftware engineering |
| spellingShingle | Xin Zhou Runfeng Mao He Zhang Qiming Dai Huang Huang Haifeng Shen Jingyue Li Guoping Rong Revisit security in the era of DevOps: An evidence‐based inquiry into DevSecOps industry IET Software software development management software engineering |
| title | Revisit security in the era of DevOps: An evidence‐based inquiry into DevSecOps industry |
| title_full | Revisit security in the era of DevOps: An evidence‐based inquiry into DevSecOps industry |
| title_fullStr | Revisit security in the era of DevOps: An evidence‐based inquiry into DevSecOps industry |
| title_full_unstemmed | Revisit security in the era of DevOps: An evidence‐based inquiry into DevSecOps industry |
| title_short | Revisit security in the era of DevOps: An evidence‐based inquiry into DevSecOps industry |
| title_sort | revisit security in the era of devops an evidence based inquiry into devsecops industry |
| topic | software development management software engineering |
| url | https://doi.org/10.1049/sfw2.12132 |
| work_keys_str_mv | AT xinzhou revisitsecurityintheeraofdevopsanevidencebasedinquiryintodevsecopsindustry AT runfengmao revisitsecurityintheeraofdevopsanevidencebasedinquiryintodevsecopsindustry AT hezhang revisitsecurityintheeraofdevopsanevidencebasedinquiryintodevsecopsindustry AT qimingdai revisitsecurityintheeraofdevopsanevidencebasedinquiryintodevsecopsindustry AT huanghuang revisitsecurityintheeraofdevopsanevidencebasedinquiryintodevsecopsindustry AT haifengshen revisitsecurityintheeraofdevopsanevidencebasedinquiryintodevsecopsindustry AT jingyueli revisitsecurityintheeraofdevopsanevidencebasedinquiryintodevsecopsindustry AT guopingrong revisitsecurityintheeraofdevopsanevidencebasedinquiryintodevsecopsindustry |