Toward successful DevSecOps in software development organizations: A decision-making framework

https://doi.org/10.1016/j.infsof.2022.106894
Under a Creative Commons license (open access)

Abstract

Context

Development and Operations (DevOps) is a methodology that establishes collaboration between programmers and operators and automates the continuous delivery of new software, shortening the development life cycle and improving software quality. Development, Security, and Operations (DevSecOps) extends the DevOps concept by integrating security practices into the DevOps process. DevSecOps is a software development process in which security is built in from the start to ensure application confidentiality, integrity, and availability.

Objective

This paper aims to identify and prioritize the challenges associated with implementing the DevSecOps process.

Method

We performed a multivocal literature review (MLR) and conducted a questionnaire-based survey to identify the challenges associated with DevSecOps-based projects. Interpretive structural modeling (ISM) was then applied to study the relationships among the core categories of these challenges. Finally, we used the fuzzy technique for order preference by similarity to an ideal solution (fuzzy TOPSIS) to prioritize the identified challenges.

Results

We identified 18 challenges for the DevSecOps process and mapped them to 10 core categories. The ISM results indicate that the “standards” category has the most decisive influence on the other nine core categories of the identified challenges. Moreover, the fuzzy TOPSIS indicates that “lack of secure coding standards,” “lack of automated testing tools for security in DevOps,” and “ignorance in static testing for security due to lack of knowledge” are the highest priority challenges for the DevSecOps paradigm.
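To make the prioritization step concrete, the following is an added illustration (not the paper's code or data) of a Chen-style fuzzy TOPSIS run over the three top-ranked challenges named above; the criteria, the criterion weights, the number of experts and every linguistic rating are constructed assumptions.

```python
"""Fuzzy TOPSIS ranking of DevSecOps challenges with triangular fuzzy numbers (TFNs).
Added illustration: challenge names come from the abstract, everything else below
(criteria, expert ratings, weights) is constructed sample input, not the paper's data."""
from math import sqrt

# Linguistic scale -> TFN (low, mid, high); a common 5-point scale, assumed here.
SCALE = {"VL": (0, 0, .25), "L": (0, .25, .5), "M": (.25, .5, .75),
         "H": (.5, .75, 1), "VH": (.75, 1, 1)}

def avg_tfn(tfns):
    """Aggregate several experts' TFNs by component-wise mean."""
    return tuple(sum(t[i] for t in tfns) / len(tfns) for i in range(3))

def tfn_distance(x, y):
    """Vertex distance between two TFNs."""
    return sqrt(sum((a - b) ** 2 for a, b in zip(x, y)) / 3)

def fuzzy_topsis(ratings, weights):
    """ratings: {alternative: {criterion: [linguistic term per expert]}}
    weights:  {criterion: linguistic term}. All criteria are benefit criteria here
    (a higher rating = a more severe challenge). Returns (alternative, closeness
    coefficient) pairs, highest priority first."""
    crits = list(weights)
    # 1. aggregate the experts' ratings into one TFN per (alternative, criterion)
    agg = {a: {c: avg_tfn([SCALE[t] for t in ratings[a][c]]) for c in crits}
           for a in ratings}
    # 2. normalise each criterion by its largest upper bound, 3. apply the weight TFN
    cmax = {c: max(agg[a][c][2] for a in agg) for c in crits}
    w = {c: SCALE[weights[c]] for c in crits}
    v = {a: {c: tuple(agg[a][c][i] / cmax[c] * w[c][i] for i in range(3))
             for c in crits} for a in agg}
    # 4. distances to the fuzzy ideal (1,1,1) and anti-ideal (0,0,0) solutions
    result = {}
    for a in v:
        d_pos = sum(tfn_distance(v[a][c], (1, 1, 1)) for c in crits)
        d_neg = sum(tfn_distance(v[a][c], (0, 0, 0)) for c in crits)
        result[a] = d_neg / (d_pos + d_neg)      # closeness coefficient
    return sorted(result.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample: three challenges from the abstract, three criteria, three experts.
CHALLENGES = {
    "lack of secure coding standards":
        {"impact": ["VH", "VH", "H"], "likelihood": ["H", "VH", "H"], "cost": ["M", "H", "M"]},
    "lack of automated security test tools":
        {"impact": ["H", "H", "VH"], "likelihood": ["H", "M", "H"], "cost": ["H", "H", "M"]},
    "static testing ignored (lack of knowledge)":
        {"impact": ["M", "H", "M"], "likelihood": ["H", "H", "M"], "cost": ["L", "M", "L"]},
}
WEIGHTS = {"impact": "VH", "likelihood": "H", "cost": "M"}   # assumed criterion weights

if __name__ == "__main__":
    for name, cc in fuzzy_topsis(CHALLENGES, WEIGHTS):
        print(f"{cc:.3f}  {name}")
```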

Conclusion

Organizations using DevOps should consider the identified challenges in developing secure software.

Keywords

DevOps
DevSecOps
Challenges
Multivocal literature review
Fuzzy analytical hierarchy process
