Building Software Applications Securely with DevSecOps: A Socio-Technical Perspective


  • Rennie Naidoo University of Pretoria
  • Nicolaas Möller



Culture, Continuous deployment, DevOps, DevSecOps, Security, Socio-technical


While continuous real-time software delivery practices induced by agile software development approaches create new business opportunities for organizations, these practices also present new security challenges in the DevOps environment. DevSecOps attempts to incorporate advanced automated security practices for agility in the DevOps environment. Mainstream perspectives of DevSecOps tend to overlook the collaborative role played by social actors and their relations with technologies in securing software applications in organizations. The first perspective emphasises the use of technologies such as containers, microservices, cryptographic protocols and origin authentication to secure the continuous deployment pipeline. The other dominant perspective focuses almost exclusively on the social aspects such as organizational silos, culture, and team collaboration. Such one-sided perspectives neglect the socio-technical argument that secure software applications from continuous deployment emerges when developers, quality assurers, operators and security experts combine their collective expertise together with DevSecOps technologies. The article presents a socio-technical framework of DevSecOps based on a systematic literature review. The review focused primarily, but not exclusively, on the computing and information systems literature and identified 26 peer reviewed articles from 2016 to 2020 which met the quality criteria and contributed to the analysis. The authors used a critical appraisal checklist and member checking to assess the quality of the articles. The authors then used thematic analysis to develop a comprehensive framework for DevSecOps based on the insights from these articles and a socio-technical lens. The socio-technical framework can be used by practitioners to perform a more holistic analysis of their DevSecOps practices. It highlights the key social and technical themes that underpin the effectiveness of DevSecOps and how insights about these themes can be used by practitioners to improve the instrumental and humanistic goals of DevSecOps. An interdisciplinary approach is proposed to adequately address challenging socio-technical relationships in DevSecOps. Future research can empirically test the importance of the interplay between technology and human activities to improve the overall performance of DevSecOps and other domains in cyber warfare and security.