Abstract

Context: Security, as a key non-functional requirement of software development, is often ignored and devalued in DevOps programs, with security seen as an inhibitor to the high velocity required in DevOps implementation. Hence the DevSecOps approach, a security-oriented expansion of DevOps, has aimed to integrate security into DevOps implementation by promoting collaboration among development, operations and security teams. DevSecOps is a topical concept and a rapidly emerging area of practice in both academic and industrial settings.

Objective: We reviewed both the white and grey literature to identify recent research and practical trends in DevSecOps, aiming to: (a) review, document and analyze the current state of DevSecOps in the existing literature; (b) investigate the application of DevSecOps in Global Software Engineering (GSE) contexts.

Method: A Multi-vocal Literature Review (MLR) on DevSecOps and its global application was conducted by executing a dual-track strategy covering white (104 studies) and grey (43 studies) literature from 2012 to 2021. A Thematic Analysis was performed to identify, synthesize and analyze the themes within the data for reporting the MLR results.

Results: Through the Multi-vocal Literature Review and Thematic Analysis, this paper identifies five major aspects of DevSecOps (Definitions, Challenges, Practices, Tools/Technologies, and Metrics/Measurement); collects the related themes of each aspect; and generates a Challenge-Practice-Tool-Metric (CPTM) model by integrating the themes of the latter four aspects within a lifecycle model. Moreover, an unexplored area relating to the global application of DevSecOps has been identified.

Conclusion: Based on the MLR results, a CPTM (Challenge-Practice-Tool-Metric) model is built to reveal the current status of DevSecOps. The model provides a breakdown and a broad landscape of DevSecOps, from which researchers and practitioners may select an area of focus to improve their knowledge or practice. With DevSecOps spanning the many stages of the lifecycle, we believe the model will enable emphases and absences, such as global aspects, to be investigated.

Editor's note: Open Science material was validated by the Journal of Systems and Software Open Science Board.
