ABSTRACT
DevOps goes beyond automation and continuous integration and delivery processes, since it also encompasses people. In fact, DevOps promotes collaboration between the development team and the operations team. When security enters DevOps routines, people play an even more relevant role, since that collaboration must now extend to the security team. Moreover, security is especially relevant when developing critical systems, where goals, risks and evidence must be managed. Once security has been implemented in the DevOps toolchain, the work has only begun: behavioral changes are also needed in order to create a security culture. Several authors have highlighted DevSecOps as one of the proposals for solving, or at least minimizing, this challenge. However, to date, the characterization of such a culture remains unclear. In this paper, a Systematic Literature Review was carried out to provide a better understanding of this topic from the human factor's perspective. It also raises the following question: is DevSecOps going to become mainstream?
Index Terms
- Security as Culture: A Systematic Literature Review of DevSecOps