Integration of DevSecOps into information security for software development: A systematic review
DOI: https://doi.org/10.47796/ing.v8i00.1396
Keywords: DevSecOps, information security, software development, automation, CI/CD
Abstract
The rise in cyber threats and the need to integrate security into the software life cycle have driven the adoption of DevSecOps as an evolution of DevOps. This study aimed to analyze the benefits, challenges and trends of integrating DevSecOps tools into information security as applied to software development. To this end, the PRISMA methodology was used and searches were carried out in academic databases such as arXiv, Google Scholar, SCOPUS and IEEE Xplore, which enabled the selection and analysis of 18 relevant articles published between 2020 and 2025. The findings show that implementing DevSecOps makes it possible to identify vulnerabilities earlier, improves the ability of systems to withstand attacks, and fosters a shared security culture among development teams; however, challenges persist regarding tool compatibility, organizational development and the need for integrating frameworks. DevSecOps thus constitutes a key approach for optimizing software continuity and reliability, although its long-term sustainability depends on future research into predictive models, evaluation metrics and the use of technologies such as artificial intelligence and advanced automation.
Copyright 2026 Jhonatan Efrain Monzon Llanos, Pamela Dominga Alayo Gamboa, Alberto Carlos Mendoza de los Santos

This work is licensed under a Creative Commons Attribution 4.0 International License.