Background: Security tools play a vital role in enabling developers to build secure software. However, it can be quite challenging to introduce and fully leverage security tools without affecting the speed or frequency of deployments in the DevOps paradigm. Aims: We aim to empirically investigate the key challenges practitioners face when integrating security tools into a DevOps workflow in order to provide recommendations to overcome them. Method: We conducted a study involving 31 systematically selected webinars on integrating security tools in DevOps. We used a qualitative data analysis method, i.e., thematic analysis, to identify the challenges and emerging solutions related to integrating security tools in rapid deployment environments. Results: We find that while traditional security tools are unable to cater for the needs of DevOps, the industry is moving towards new generations of tools that have started focusing on these requirements. We have developed a DevOps workflow that integrates security tools and a set of guidelines by synthesizing practitioners' recommendations in the analyzed webinars. Conclusion: While the latest security tools are addressing some of the requirements of DevOps, there are many tool-related drawbacks yet to be adequately addressed.
翻译:背景:安全工具在使开发者能够建立安全软件方面发挥着关键作用。然而,在不影响DevOps模式部署速度或频率的情况下,引进和充分利用安全工具可能具有相当大的挑战性。目标:我们的目标是实证地调查从业者在将安全工具纳入DevOps工作流程以提供克服挑战的建议时所面临的主要挑战。方法:我们进行了一项涉及31个系统选定的网络研讨会的研究,以综合DevOps的安全工具。我们使用了定性数据分析方法,即专题分析,以确定与将安全工具纳入快速部署环境有关的挑战和新出现的解决办法。结果:我们发现传统安全工具无法满足DevOps的需求,但该行业正在走向以这些需求为重点的新一代工具。我们开发了DevOps工作流程,将安全工具与一套准则结合起来,在分析的网络研讨会中将实践者的建议综合起来。结论:虽然最新的安全工具正在解决DOps的一些要求,但许多与工具有关的退步问题尚待充分解决。