Integrating DevSecOps into Information Security for Software Development: A Systematic Review
DOI: https://doi.org/10.47796/ing.v8i00.1396
Keywords: DevSecOps, information security, software development, automation, CI/CD
Abstract
The increase in cyber threats and the need to integrate security into the software lifecycle have driven the adoption of DevSecOps as an evolution of DevOps. This study analyzes the benefits, challenges, and trends of integrating DevSecOps tools into information security for software development. Following the PRISMA methodology, searches were carried out in the academic databases arXiv, Google Scholar, Scopus, and IEEE Xplore, yielding 18 relevant articles published between 2020 and 2025 for selection and analysis. The findings show that implementing DevSecOps enables early identification of vulnerabilities, improves system resilience, and fosters a shared security culture among development teams. However, challenges persist around tool compatibility, organizational development, and the need for integrative frameworks. DevSecOps is thus emerging as a key approach to improving software continuity and reliability, but its long-term sustainability depends on future research into predictive models, evaluation metrics, and the use of technologies such as artificial intelligence and advanced automation.
Copyright (c) 2026 Jhonatan Efrain Monzon Llanos, Pamela Dominga Alayo Gamboa, Alberto Carlos Mendoza de los Santos

This work is licensed under a Creative Commons Attribution 4.0 International License.