Management of DevSecOps Process: An Empirical Investigation

Abstract

Context: DevSecOps integrates security into the DevOps project lifecycle, uniting development, operations, and security practices. This integration, while beneficial for developing secure software, introduces complexity from a project management perspective. This study delves into this complexity by examining the ten knowledge areas of the Project Management Body of Knowledge (PMBOK) within the context of DevSecOps project management. Objective: This study aims to explore and understand the application of PMBOK's ten knowledge areas in managing DevSecOps projects, focusing on the guidelines that are important to consider in integration of security practices throughout the development lifecycle. Method: Our research approach involved two phases: Firstly, we developed a theoretical model grounded in DevSecOps guidelines identified from existing literature. Secondly, we conducted a quantitative survey targeting industry practitioners to gather insights into the practical application of the theoretical model. The study involved 138 responses from professionals, which were subsequently analyzed using correlation and Partial Least Squares (PLS) analysis to test the hypotheses posited in the theoretical model. Results: The analysis reveals critical insights into the management of DevSecOps projects, highlighting the importance of adhering to specific guidelines to navigate the complexities introduced by the integration of security practices. The empirical data support the theoretical model, underscoring the relevance of PMBOK's knowledge areas in the successful management of DevSecOps projects. Conclusion: For organizations committed to the DevSecOps paradigm, it is imperative to consider and implement the identified guidelines. These guidelines not only support the sustainable integration of security practices into DevOps projects but also contribute to the overall success and security of the software developed under this paradigm.