Challenges and solutions when adopting DevSecOps: A systematic review

被引：42

作者：

Rajapakse, Roshan N. ^{[1
,2
]}

Zahedi, Mansooreh ^{[1
]}

Babar, M. Ali ^{[1
,2
]}

Shen, Haifeng ^{[3
]}

机构：

[1] Univ Adelaide, Sch Comp Sci, CREST Ctr Res Engn Software Technol, Adelaide, SA, Australia

[2] Cyber Secur Cooperat Res Ctr, Joondalup, WA, Australia

[3] Australian Catholic Univ, Peter Faber Business Sch, HilstLab, Sydney, NSW, Australia

来源：

INFORMATION AND SOFTWARE TECHNOLOGY | 2022年 / 141卷

关键词：

DevOps; Security; DevSecOps; Continuous Software Engineering; Systematic Literature Review; CONTINUOUS DELIVERY; DEVOPS;

D O I：

10.1016/j.infsof.2021.106700

中图分类号：

TP [自动化技术、计算机技术];

学科分类号：

0812 ;

摘要：

Context: DevOps (Development and Operations) has become one of the fastest-growing software development paradigms in the industry. However, this trend has presented the challenge of ensuring secure software delivery while maintaining the agility of DevOps. The efforts to integrate security in DevOps have resulted in the DevSecOps paradigm, which is gaining significant interest from both industry and academia. However, the adoption of DevSecOps in practice is proving to be a challenge. Objective: This study aims to systemize the knowledge about the challenges faced by practitioners when adopting DevSecOps and the proposed solutions reported in the literature. We also aim to identify the areas that need further research in the future. Method: We conducted a Systematic Literature Review of 54 peer-reviewed studies. The thematic analysis method was applied to analyze the extracted data. Results: We identified 21 challenges related to adopting DevSecOps, 31 specific solutions, and the mapping between these findings. We also determined key gap areas in this domain by holistically evaluating the available solutions against the challenges. The results of the study were classified into four themes: People, Practices, Tools, and Infrastructure. Our findings demonstrate that tool-related challenges and solutions were the most frequently reported, driven by the need for automation in this paradigm. Shift-left security and continuous security assessment were two key practices recommended for DevSecOps. People-related factors were considered critical for successful DevSecOps adoption but less studied. Conclusions: We highlight the need for developer-centered application security testing tools that target the continuous practices in DevSecOps. More research is needed on how the traditionally manual security practices can be automated to suit rapid software deployment cycles. Finally, achieving a suitable balance between the speed of delivery and security is a significant issue practitioners face in the DevSecOps paradigm.

引用

页数：22

共 61 条

[1] [Anonymous], 2021, WHAT IS SHIFT LEFT T
[2] Ba K., 2007, GUIDELINES PERFORMIN, V2
[3] Bass L., 2015, DEVOPS SOFTWARE ARCH
[4] Bird J., 2016, DevOpsSec: Securing Software Through Continuous Delivery
[5] Bosch J., 2014, CONTINUOUS SOFTWARE, P3
[6] Braun V., 2006, Qualitative research in psychology, V3, P77, DOI [10.1191/1478088706qp063oa, doi:10.1191/1478088706qp063oa, DOI 10.1191/1478088706QP063OA]
[7] Bushwick S, 2020, GIANT U S COMPUTER S
[8] Checkmarx, 2020, INTEGRATED APPROACH
[9] Chen L., 2010, Towards an evidencebased understanding of electronic data sources
[10] Chen LP, 2015, IEEE SOFTWARE, V32, P49

← 1 2 3 4 5 6 7 →