Security as Culture: A Systematic Literature Review of DevSecOps

DevOps goes beyond automation and continuous integration and delivery processes, since it also encompasses people. In fact, DevOps promotes collaboration between the development team and the operations team. When security enters DevOps routines, people play an even more relevant role, because that collaboration must extend to the security team. Moreover, security is especially relevant when developing critical systems, where goals, risks and evidence must be managed. After security has been implemented in the DevOps toolchain, the work has only begun: behavioral changes are also needed in order to create a security culture. Several authors have highlighted DevSecOps as one proposal for solving, or at least minimizing, this challenge. However, to date, the characterization of such a culture remains unclear. In this paper, a Systematic Literature Review was carried out to provide a better understanding of this topic from the human factor's perspective. However, it raises the following question: is DevSecOps going to become mainstream?
