Challenges and solutions when adopting DevSecOps: A systematic review
Information and Software Technology (IF 3.8), Pub Date: 2021-08-22, DOI: 10.1016/j.infsof.2021.106700
Roshan N. Rajapakse 1,2, Mansooreh Zahedi 1, M. Ali Babar 1,2, Haifeng Shen 3

Context:

DevOps (Development and Operations) has become one of the fastest-growing software development paradigms in the industry. However, this trend has presented the challenge of ensuring secure software delivery while maintaining the agility of DevOps. The efforts to integrate security in DevOps have resulted in the DevSecOps paradigm, which is gaining significant interest from both industry and academia. However, the adoption of DevSecOps in practice is proving to be a challenge.

Objective:

This study aims to systemize the knowledge about the challenges faced by practitioners when adopting DevSecOps and the proposed solutions reported in the literature. We also aim to identify the areas that need further research in the future.

Method:

We conducted a Systematic Literature Review of 54 peer-reviewed studies. The thematic analysis method was applied to analyze the extracted data.

Results:

We identified 21 challenges related to adopting DevSecOps, 31 specific solutions, and the mapping between these findings. We also determined key gap areas in this domain by holistically evaluating the available solutions against the challenges. The results of the study were classified into four themes: People, Practices, Tools, and Infrastructure. Our findings demonstrate that tool-related challenges and solutions were the most frequently reported, driven by the need for automation in this paradigm. Shift-left security and continuous security assessment were two key practices recommended for DevSecOps. People-related factors were considered critical for successful DevSecOps adoption but less studied.

Conclusions:

We highlight the need for developer-centered application security testing tools that target the continuous practices in DevSecOps. More research is needed on how the traditionally manual security practices can be automated to suit rapid software deployment cycles. Finally, achieving a suitable balance between the speed of delivery and security is a significant issue practitioners face in the DevSecOps paradigm.




Updated: 2021-09-07