Files and links (2)
Published (Version of record)CC BY-NC-ND V4.0, Open Access
Published (Version of record)CC BY-NC-ND V4.0, Open
Journal article
Revisit security in the era of DevOps: An evidence-based inquiry into DevSecOps industry
IET software, Vol.17(4), pp.435-454
08/2023
Metrics
3 File views/ downloads
42 Record Views
Abstract
By adopting agile and lean practices, DevOps aims to achieve rapid value delivery by speeding up development and deployment cycles, which however lead to more security concerns that cannot be fully addressed by an isolated security role only in the final stage of development. DevSecOps promotes security as a shared responsibility integrated into the DevOps process that seamlessly intertwines development, operations, and security from the start throughout to the end of cycles. While some companies have already begun to embrace this new strategy, both industry and academia are still seeking a common understanding of the DevSecOps movement. The goal of this study is to report the state-of-the-practice of DevSecOps, including the impact of DevOps on security, practitioners' understanding of DevSecOps, and the practices associated with DevSecOps as well as the challenges of implementing DevSecOps. The authors used a mixed-methods approach for this research. The authors carried out a grey literature review on DevSecOps, and surveyed the practitioners of DevSecOps in industry of China. The status quo of DevSecOps in industry is summarized. Three major software security risks are identified with DevOps, where the establishment of DevOps pipeline provides opportunities for security-related activities. The authors classify the interpretations of DevSecOps into three core aspects of DevSecOps capabilities, cultural enablers, and technological enablers. To materialise the interpretations into daily software production activities, the recommended DevSecOps practices from three perspectives-people, process, and technology. Although a preliminary consensus is that DevSecOps is regarded as an extension of DevOps, there is a debate on whether DevSecOps is a superfluous term. While DevSecOps is attracting an increasing attention by industry, it is still in its infancy and more effort needs to be invested to promote it in both research and industry communities.
Details
- Title
- Revisit security in the era of DevOps: An evidence-based inquiry into DevSecOps industry
- Creators
- Xin Zhou - Nanjing UniversityRunfeng Mao - Nanjing UniversityHe Zhang - Nanjing UniversityQiming Dai - Huatai Securities Co., Ltd.Huang Huang - State Grid Nanjing Power Supply Company (Nanjing, China)Haifeng Shen - Australian Catholic UniversityJingyue Li - Norwegian University of Science and TechnologyGuoping Rong - Nanjing University
- Publication Details
- IET software, Vol.17(4), pp.435-454
- Publisher
- Wiley
- Number of pages
- 20
- Grant note
- Innovation Project and Overseas Open Project of State Key Laboratory for Novel Software Technology (Nanjing University). Grant Numbers: KFKT2022A09, ZZKT2022A25 National Key Research and Development Program of China. Grant Number: 2019YFE0105500 Research Council of Norway. Grant Number: 309494 National Natural Science Foundation of China. Grant Numbers: 62072227, 62202219 Key Research and Development Program of Jiangsu Province. Grant Number: BE2021002-2
- Identifiers
- 991013173313402368
- Copyright
- © 2023 The Authors. IET Software published by John Wiley & Sons Ltd on behalf of The Institution of Engineering and Technology. This is an open access article under the terms of the Creative Commons Attribution-NonCommercial-NoDerivs License.
- Academic Unit
- Faculty of Science and Engineering
- Language
- English
- Resource Type
- Journal article