The increasing complexity and speed of modern software development have made security integration a
critical priority, particularly in DevSecOps environments. Despite the growing adoption of DevSecOps
practices, organizations continue to face significant challenges in implementing and managing security
controls throughout the software development lifecycle (SDLC). This thesis presents four key contributions
to the field of security controls in DevSecOps environments. First, a Systematic Literature
Review (SLR) was conducted to investigate the current state-of-the-art body of knowledge, identifying
the theoretical foundations and the research carried out on security controls in DevSecOps
contexts. The SLR examined the key challenges organizations experience in their essential
and continuous processes, along with associated solutions and significant implementation roadblocks.
Second, a comprehensive survey study was carried out to capture the current state of practice, investigating
practical aspects of how organizations implement and manage security controls in real-world
settings. Third, a series of focus group sessions and in-depth discussions were conducted with security
practitioners and subject matter experts to gain deeper insights and practical perspectives on
the challenges and best practices in the field. The insights and findings obtained from the SLR and
empirical studies (survey, focus groups, and in-depth discussions) have formed the foundational basis
for the fourth and primary contribution of this study, which is the development and validation of a
governance-based security framework. The framework aims to manage security controls throughout
their entire lifecycle in DevSecOps environments. It is particularly valuable for ensuring consistency
across the four phases of the security control lifecycle: classification, identification, implementation,
and validation. In addition, the proposed framework is designed to be scalable, reliable, and adaptable
to diverse organizational contexts. It provides a structured approach and actionable guidance for security
practitioners to align essential security practices with business goals, while integrating seamlessly
into DevSecOps workflows and maintaining a robust security posture across agile and continuous delivery
settings. Overall, the proposed framework offers a practical contribution to the IT
security field and lays the foundation for future research addressing the reported issues, practical gaps, and
both strategic and operational business needs.