Context: DevOps has become one of the fastest-growing software development paradigms in the industry. However, this trend has presented the challenge of ensuring secure software delivery while maintaining the agility of DevOps. The requirement for secure outputs in DevOps led to the DevSecOps paradigm, which is gaining the interest of both industry and academia. However, adopting DevSecOps in practice has been challenging. Objective: This study aims to identify the challenges practitioners face when adopting DevSecOps and the solutions proposed by peer-reviewed studies. We intend our study to help practitioners who plan to adopt DevSecOps to foresee problems and decide on solutions early. We also aim to find specific gap areas for future research and development. Method: We conducted a Systematic Literature Review of 52 peer-reviewed studies. The thematic analysis method was applied to analyze the extracted data. Results: We identified 21 challenges related to adopting DevSecOps, 31 specific solutions, and key gap areas in this domain. The results were classified into four themes: People, Practices, Tools, and Infrastructure. Our findings show that tools-related challenges and solutions were the most frequently reported, driven by the need for automation in this paradigm. Shift-left security and continuous security assessment were two key practices recommended for DevSecOps. People-related factors were considered critical for adoption success but were less studied. Conclusions: We highlight the need for developer-centered application security testing tools that target the continuous practices in DevOps. More work is needed on how traditionally manual security practices can be automated to suit rapid deployment cycles. Finally, achieving a suitable balance between speed of delivery and security is a significant issue practitioners face in this paradigm.