Abstract
Background: The popularity of DevSecOps is on the rise because it promises to integrate a greater degree of security into software delivery pipelines. However, safety-related risk cannot be overlooked either, given how important this aspect is in many industries.
Objective: The objective of this study is to provide an overview of the safety aspects reported in the literature on DevSecOps. This study also characterizes such aspects and identifies the gaps that may lead to future research work.
Methods: A systematic literature review was conducted using five well-known academic databases. The search was executed in September 2021 and March 2022 to identify relevant studies.
Results: The search returned 114 academic studies. After the screening process, five primary studies published between 2019 and 2021 were selected. These studies were analyzed thoroughly to identify the safety aspects. Then, we categorized them into three main groups: (i) risk-related safety aspects, (ii) human-related aspects, and (iii) management aspects.
Conclusion: Safety is an important characteristic that is becoming more critical as the number of critical systems grows. This review reveals that only a handful of studies focus on safety in DevSecOps. However, those studies gave us some insights into this topic. Therefore, our main observation is that this topic has not yet been fully explored in the academic literature. This review can encourage reflection and discussion between the safety and security communities.
Keywords: DevSecOps, Safety, Security, Risk, Human factors, Systematic literature review
Graphical Abstract