A Conceptual Framework for Global DevSecOps: Delphi-AHP Study
| aut.embargo | No | |
| aut.thirdpc.contains | No | |
| dc.contributor.advisor | Lal, Ramesh | |
| dc.contributor.advisor | Clear, Tony | |
| dc.contributor.author | Zhao, Xiaofan | |
| dc.date.accessioned | 2026-05-07T22:10:29Z | |
| dc.date.available | 2026-05-07T22:10:29Z | |
| dc.date.issued | 2026 | |
| dc.description.abstract | Context: DevOps has become mainstream in the Software Engineering (SE) industry and academia, enhancing software development performance by bridging the gap between development (Dev) and operations (Ops). However, security requirements are often overlooked and devalued because they are perceived as hindrances to the high velocity required in DevOps. DevSecOps, as a security-oriented variant of DevOps, aims to integrate security into DevOps implementation by promoting collaboration among development (Dev), operations (Ops), and security (Sec) teams. Meanwhile, academia and industry's interest in another trend, Global Software Engineering (GSE), has also significantly increased. GSE is a business strategy in which software development teams are geographically distributed across the world. The foundational idea of DevOps/DevSecOps is to reduce functional silos and foster collaboration, and it encounters magnified challenges in GSE contexts due to geographical, temporal, linguistic, and cultural distances. Researchers and practitioners have paid attention to DevOps adoption in GSE, yet a research gap exists between DevSecOps and GSE that warrants academic investigation. Aim: This research aimed to provide an in-depth understanding of DevSecOps and its adoption in GSE by developing an empirically grounded conceptual framework. Methods: This research was divided into two stages. First, a Multivocal Literature Review (MLR) study was conducted to explore the current state of DevSecOps. A Thematic Analysis (TA) was performed to identify, synthesise, and analyse themes within the data for reporting MLR results and to further establish a conceptual framework as a theoretical basis for the following research. Second, an empirical study was conducted to validate, refine, and upgrade the MLR findings. It employed a qualitative research methodology, incorporating a quantitative survey that combined a Delphi survey and the Analytic Hierarchy Process (AHP). The Delphi-AHP study consisted of three survey rounds with 18 international participants, who are DevSecOps experts with various roles, including academic, industrial, managerial, and technical. The data were collected via an online survey that used multiple question formats, including AHP pairwise comparisons, multiple-choice, and open-ended questions. A dissent analysis was conducted to determine whether there is consensus or dissent regarding DevSecOps. Results: The MLR study identifies five aspects of DevSecOps research (Definitions, Challenges, Practices, Tools/Technologies, and Metrics/Measurement), collects related themes of each aspect, and generates a “DevSecOps CPTM (Challenge-Practice-Tool-Metric) Model (Version 1.0)” by integrating the themes of the latter four aspects. An unexplored area relating to the application of DevSecOps in GSE has been identified. Subsequently, the Delphi-AHP study evaluates and prioritises the identified challenges, practices, tools, and metrics, collects new items into each aspect, identifies slight differences between local and global DevSecOps, and upgrades the DevSecOps CPTM Model from Version 1.0 to 2.0 by incorporating additional GSE aspects. Additionally, the dissent analysis reveals that dissenting opinions exist on DevSecOps between the SE industry and academia. Conclusion: This research provides implications for both practice and theory by providing an in-depth understanding of DevSecOps and its adoption in GSE. As the key artifact, the DevSecOps CPTM Model (Version 2.0) is presented to effectively support SE academia and industry by providing a broad landscape and a prioritised breakdown of DevSecOps, from which researchers and practitioners can select an area of focus to enhance their knowledge or practice. With DevSecOps spanning many stages of the lifecycle, the framework will enable the exploration of new emphases and future opportunities, such as AI-driven DevSecOps practices and tools. | |
| dc.identifier.uri | http://hdl.handle.net/10292/21046 | |
| dc.language.iso | en | |
| dc.publisher | Auckland University of Technology | |
| dc.rights.accessrights | OpenAccess | |
| dc.title | A Conceptual Framework for Global DevSecOps: Delphi-AHP Study | |
| dc.type | Thesis | |
| thesis.degree.grantor | Auckland University of Technology | |
| thesis.degree.name | Doctor of Philosophy |
