DevSecOps is a software development paradigm that places a high emphasis on the culture of collaboration between developers (Dev), security (Sec) and operations (Ops) teams to deliver secure software continuously and rapidly. Adopting this paradigm effectively, therefore, requires an understanding of the challenges, best practices and available solutions for collaboration among these functional teams. However, collaborative aspects related to these teams have received very little empirical attention in the DevSecOps literature. Hence, we present a study focusing on a key security activity, Application Security Testing (AST), in which practitioners face difficulties performing collaborative work in a DevSecOps environment. Our study made novel use of 48 systematically selected webinars, technical talks and panel discussions as a data source to qualitatively analyse software practitioner discussions on the most recent trends and emerging solutions in this highly evolving field. We find that the lack of features that facilitate collaboration built into the AST tools themselves is a key tool-related challenge in DevSecOps. In addition, the lack of clarity related to role definitions, shared goals, and ownership also hinders Collaborative AST (CoAST). We also captured a range of best practices for collaboration (e.g., Shift-left security), emerging communication methods (e.g., ChatOps), and new team structures (e.g., hybrid teams) for CoAST. Finally, our study identified several requirements for new tool features and specific gap areas for future research to provide better support for CoAST in DevSecOps.