DevSecOps: A Multivocal Literature Review

  • Håvard Myrbakken
  • Ricardo Colomo-Palacios
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 770)


Involving security in DevOps has been a challenge because traditional security methods have been unable to keep up with DevOps’ agility and speed. DevSecOps is the movement that works on developing and integrating modernized security methods that can keep up with DevOps. This study is meant to give an overview of what DevSecOps is, what implementing DevSecOps means, the benefits gained from DevSecOps and the challenges an organization faces when doing so. To that end, we conducted a multivocal literature review, where we reviewed a selection of grey literature. We found that implementing security that can keep up with DevOps is a challenge, but that it can yield great benefits if done correctly.


Keywords: DevSecOps, DevOps, Security, Multivocal literature review



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Østfold University College, Halden, Norway
