An Empirical Analysis of Practitioners' Perspectives on Security Tool Integration into DevOps

TL;DR

This paper empirically investigates the challenges faced by practitioners when integrating security tools into DevOps workflows, highlighting the shift towards new security tools and providing guidelines for effective integration.

Contribution

It provides an empirical analysis of practitioners' perspectives on security tool integration in DevOps and proposes a workflow and guidelines based on webinar data.

Findings

Traditional security tools are inadequate for DevOps needs.

Industry is shifting towards new security tools tailored for DevOps.

Developed a DevOps security integration workflow and guidelines.

Abstract

Background: Security tools play a vital role in enabling developers to build secure software. However, it can be quite challenging to introduce and fully leverage security tools without affecting the speed or frequency of deployments in the DevOps paradigm. Aims: We aim to empirically investigate the key challenges practitioners face when integrating security tools into a DevOps workflow in order to provide recommendations to overcome them. Method: We conducted a study involving 31 systematically selected webinars on integrating security tools in DevOps. We used a qualitative data analysis method, i.e., thematic analysis, to identify the challenges and emerging solutions related to integrating security tools in rapid deployment environments. Results: We find that while traditional security tools are unable to cater for the needs of DevOps, the industry is moving towards new generations of tools that have started focusing on these requirements. We have developed a DevOps workflow that integrates security tools and a set of guidelines by synthesizing practitioners' recommendations in the analyzed webinars. Conclusion: While the latest security tools are addressing some of the requirements of DevOps, there are many tool-related drawbacks yet to be adequately addressed.