Application security is one of the major pillars of a successful security program, as enterprises keep adding complexity to their ecosystems through interconnected information systems [2]. As the number of cyber incidents and the cost of recovering from a breach both rise [1], a poorly defined or poorly implemented application security program can leave organizations in highly regulated environments (HREs), such as banks and healthcare providers, unable to meet their compliance obligations. Security teams in HREs already struggle to meet a plethora of regulatory and policy requirements at the expected levels of coverage [3], and they now face additional pressure as software development and IT operations teams shift their delivery process to DevOps [5]. That shift allows software to be released, from concept through delivery, potentially hundreds of times per day, which exacerbates resource bottlenecks, further strains an already fragile delivery pipeline, and puts regulatory compliance at risk. The cybersecurity industry is therefore interested in standardizing on a model that breaks down traditional staffing silos, builds processes that are both simpler and secure, uses tooling to scan software for vulnerabilities automatically, and establishes a scalable governance framework [6]. Over the past couple of years this has begun to appear in the academic literature under the names DevSecOps and SecDevOps, alternate terms for the same construct [4]. That literature remains sparse, however, which underlines the need to derive a model from existing practice and then set about filling the large gaps in the academic record.
This presentation, representing a year of Grounded Theory research with security professionals from companies around the world, examines how cybersecurity professionals currently define and structure DevSecOps-based security programs and what lessons can be drawn from their experiences.

Authors: James Jenkins, Ian Allison, Peggy Gregory

Published in: World Congress on Internet Security (WorldCIS-2021)

  • Date of Conference:  7-9 December 2021
  • DOI: 10.20533/WorldCIS.2021.0002
  • ISBN: 978-1-913572-40-2
  • Conference Location: Virtual (London, UK)