Security Practices in Agile Development: An Industry Survey on Adoption, Perceived Impact, and Measurement in DevOps

  • Alejandra Selva-Mora Universidad de Costa Rica
  • Christian Quesada-López Universidad de Costa Rica
  • Adrián Lara Universidad de Costa Rica
  • Marcelo Jenkins Universidad de Costa Rica

Abstract

This paper presents an empirical survey study (N=24) examining the integration of security practices into agile and continuous development processes. The findings reveal that while the most adopted practices include Standards and Requirements (71%), Code Review (67%), and Compliance and Policy (63%), their implementation remains predominantly non-systematic. Despite moderate to high perceived impact, significant gaps exist between recognition and effective adoption, compounded by low security expert participation (37%) and a notable scarcity of metrics. The findings provide exploratory evidence on the current state of practice and key priorities for organizations looking to strengthen security integration while maintaining agility in their development processes.
Keywords: software security, agile development, DevOps, DevSecOps, BizDevOps, BSIMM, SDLC, shift-left, industry survey, effectiveness metrics

Published
11/05/2026
SELVA-MORA, Alejandra; QUESADA-LÓPEZ, Christian; LARA, Adrián; JENKINS, Marcelo. Security Practices in Agile Development: An Industry Survey on Adoption, Perceived Impact, and Measurement in DevOps. In: CONGRESSO IBERO-AMERICANO EM ENGENHARIA DE SOFTWARE (CIBSE), 29., 2026, Recife/PE. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2026. p. 279-293.