An Empirical Analysis of Practitioners’ Perspectives on Security Tool Integration into DevOps. (arXiv:2107.02096v3 [cs.CR] UPDATED)

Background: Security tools play a vital role in enabling developers to build
secure software. However, it can be quite challenging to introduce and fully
leverage security tools without affecting the speed or frequency of deployments
in the DevOps paradigm. Aims: We aim to empirically investigate the key
challenges practitioners face when integrating security tools into a DevOps
workflow in order to provide recommendations to overcome them. Method: We
conducted a study involving 31 systematically selected webinars on integrating
security tools in DevOps. We used a qualitative data analysis method, i.e.,
thematic analysis, to identify the challenges and emerging solutions related to
integrating security tools in rapid deployment environments. Results: We find
that while traditional security tools are unable to cater for the needs of
DevOps, the industry is moving towards new generations of tools that have
started focusing on these requirements. We have developed a DevOps workflow
that integrates security tools and a set of guidelines by synthesizing
practitioners’ recommendations in the analyzed webinars. Conclusion: While the
latest security tools are addressing some of the requirements of DevOps, there
are many tool-related drawbacks yet to be adequately addressed.