Toward successful DevSecOps in software development organizations: A decision-making framework

Context: Development and Operations (DevOps) is a methodology that aims to establish collaboration between programmers and operators to automate the continuous delivery of new software to reduce the development life cycle and produce quality software. Development, Security, and Operations (DevSecOps) is developing the DevOps concept, which integrates security methods into a DevOps process. DevSecOps is a software development process where security is built in to ensure application confidentiality, integrity, and availability. Objective: This paper aims to identify and prioritize the challenges associated with implementing the DevSecOps process. Method: We performed a multivocal literature review (MLR) and conducted a questionnaire-based survey to identify challenges associated with DevSecOps-based projects. Moreover, interpretive structure modeling (ISM) was applied to study the relationships among the core categories of the challenges. Finally, we used the fuzzy technique for order preference by similarity to an ideal solution (TOPSIS) to prioritize the identified challenges associated with DevSecOps projects. Results: We identified 18 challenges for the DevSecOps process and mapped them to 10 core categories. The ISM results indicate that the "standards" category has the most decisive influence on the other nine core categories of the identified challenges. Moreover, the fuzzy TOPSIS indicates that "lack of secure coding standards," "lack of automated testing tools for security in DevOps," and "ignorance in static testing for security due to lack of knowledge" are the highest priority challenges for the DevSecOps paradigm. Conclusion: Organizations using DevOps should consider the identified challenges in developing secure software.