{"title":"Integrating Security Controls in DevSecOps: Challenges, Solutions, and Future Research Directions","authors":"Maysa Sinan, Mojtaba Shahin, Iqbal Gondal","doi":"10.1002/smr.70029","DOIUrl":null,"url":null,"abstract":"<p>Cybersecurity has become a top priority for most organizations seeking to protect their applications. The rapid increase in cyberattacks has necessitated a comprehensive rethinking of how security should be implemented within the software development lifecycle (SDLC). Development, Security, Operations (DevSecOps) is one of the fastest-growing security-focused development methodologies; it promotes shared responsibility for security and automates security practices at every step of the SDLC. DevSecOps is a cultural shift that integrates security controls into DevOps pipelines with the aim of raising overall security. Accordingly, many organizations have started to incorporate security controls into their DevSecOps deployments through continuous practices such as automated security testing, infrastructure as code (IaC), compliance as code, and continuous monitoring. This study aims to organize the existing knowledge and shed light on the challenges concerning security controls during the adoption of DevSecOps, along with the associated solutions and remediation workarounds reported in the literature. Further, the study aims to provide clear insights into the areas that require further investigation and research. A systematic literature review (SLR) of 45 primary studies was carried out to extract data, and the extracted data was then analyzed using thematic analysis. This paper identifies 19 challenges related to security controls that security practitioners may experience while implementing a DevSecOps model, along with 18 solutions and remediation actions suggested in the literature to address and overcome some of the listed challenges. In addition, several gap areas are identified as opportunities for future research in this domain, with the aim of improving the integration of security controls in a DevSecOps environment. Based on these findings, this paper points out the importance of automation in software engineering practices, for example, continuous automation, continuous delivery, and continuous feedback, for embedding security controls at the early stages of the development process.</p>","PeriodicalId":48898,"journal":{"name":"Journal of Software-Evolution and Process","volume":"37 6","pages":""},"PeriodicalIF":1.8000,"publicationDate":"2025-06-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1002/smr.70029","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Software-Evolution and Process","FirstCategoryId":"94","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1002/smr.70029","RegionNum":4,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}
Citations: 0
Abstract
Cybersecurity has become a top priority for most organizations seeking to protect their applications. The rapid increase in cyberattacks has necessitated a comprehensive rethinking of how security should be implemented within the software development lifecycle (SDLC). Development, Security, Operations (DevSecOps) is one of the fastest-growing security-focused development methodologies; it promotes shared responsibility for security and automates security practices at every step of the SDLC. DevSecOps is a cultural shift that integrates security controls into DevOps pipelines with the aim of raising overall security. Accordingly, many organizations have started to incorporate security controls into their DevSecOps deployments through continuous practices such as automated security testing, infrastructure as code (IaC), compliance as code, and continuous monitoring. This study aims to organize the existing knowledge and shed light on the challenges concerning security controls during the adoption of DevSecOps, along with the associated solutions and remediation workarounds reported in the literature. Further, the study aims to provide clear insights into the areas that require further investigation and research. A systematic literature review (SLR) of 45 primary studies was carried out to extract data, and the extracted data was then analyzed using thematic analysis. This paper identifies 19 challenges related to security controls that security practitioners may experience while implementing a DevSecOps model, along with 18 solutions and remediation actions suggested in the literature to address and overcome some of the listed challenges. In addition, several gap areas are identified as opportunities for future research in this domain, with the aim of improving the integration of security controls in a DevSecOps environment. Based on these findings, this paper points out the importance of automation in software engineering practices, for example, continuous automation, continuous delivery, and continuous feedback, for embedding security controls at the early stages of the development process.