Abstract
Involving security in DevOps has been a challenge because traditional security methods have been unable to keep up with DevOps' agility and speed. DevSecOps is the movement that works on developing and integrating modernized security methods that can keep up with DevOps. This study is meant to give an overview of what DevSecOps is, what implementing DevSecOps means, the benefits gained from DevSecOps, and the challenges an organization faces when doing so. To that end, we conducted a multivocal literature review, in which we reviewed a selection of grey literature. We found that implementing security that can keep up with DevOps is a challenge, but that an organization can gain great benefits if it is done correctly.
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Myrbakken, H., Colomo-Palacios, R. (2017). DevSecOps: A Multivocal Literature Review. In: Mas, A., Mesquida, A., O'Connor, R., Rout, T., Dorling, A. (eds) Software Process Improvement and Capability Determination. SPICE 2017. Communications in Computer and Information Science, vol 770. Springer, Cham. https://doi.org/10.1007/978-3-319-67383-7_2
DOI: https://doi.org/10.1007/978-3-319-67383-7_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67382-0
Online ISBN: 978-3-319-67383-7
eBook Packages: Computer Science (R0)