Programmers are central agents in creating secure applications. However, software engineering and software security have historically worked in separate silos. DevSecOps is the practice of breaking down the silos between development, operations, and security quality assurance. To understand the state of the art and the challenges of DevSecOps, we interviewed six developers about their DevSecOps practices. We asked the interview subjects about their security practices in terms of the four pillars of DevOps, namely culture, automation, sharing, and measurement. The results were analyzed using qualitative methods. The results of the study show that a security culture must be created first. Several interviewees identified the importance of caring about security and pointed to issues in the existing culture, such as developers feeling attacked by security engineers when they create vulnerable code. Once a security culture is established in the organization, development and operations staff need the necessary training and knowledge so that security automation tools can be used effectively. Measurements need to be applied continuously to keep track of identified vulnerabilities, the amount of training staff have received, and staff's general opinions regarding security.