DevSecOps Practices for GDPR, HIPAA or LGPD Compliance in Software Development: A Systematic Review
Abstract
Context: The current software development scenario requires integrating security and regulatory compliance practices, especially after implementing regulations such as LGPD, GDPR, and HIPAA. Problem: There is a lack of frameworks that effectively combine security, regulatory compliance, and continuous software delivery in DevSecOps environments. Solution: This study aims to identify and analyze approaches, methods, tools, and frameworks that promote regulatory compliance in DevSecOps practices through a systematic literature review. IS Theory: Sociotechnical Theory underpins the analysis, considering the interaction between technical (automated tools and processes) and social (organizational culture and collaborative practices) aspects necessary to effectively implement regulatory compliance. Method: A systematic review was carried out following the guidelines for performing systematic literature reviews in software engineering and analyzing 15 primary studies identified in five scientific databases (ACM Digital Library, IEEE Xplore Digital Library, Web of Science, Science Direct and Scopus). Summarization of Results: The need for automation of compliance checks, early integration of security practices, and establishing an organizational culture that prioritizes regulatory compliance was identified. Contributions and Impact on IS: The study provides an overview of existing practices and frameworks, highlighting the need for a sociotechnical approach that integrates technological and organizational aspects to ensure regulatory compliance in DevSecOps environments, contributing to the advancement of secure software development practices.
Keywords:
DevSecOps, Regulatory Compliance, Software Security, Privacy Protection, Security Integration
References
Marco Anisetti, Claudio A. Ardagna, Filippo Gaudenzi, and Ernesto Damiani. 2019. A Continuous Certification Methodology for DevOps. In Proceedings of the 11th International Conference on Management of Digital EcoSystems. 205–212.
Nalin Asanka Gamagedara Arachchilage and Mumtaz Abdul Hameed. 2020. Designing a Serious Game: Teaching Developers to Embed Privacy Into Software Systems. In Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering. 7–12.
Claudio A. Ardagna, Nicola Bena, and Ramon Martín De Pozuelo. 2022. Bridging the Gap Between Certification and Software Development. In Proceedings of the 17th International Conference on Availability, Reliability and Security. 1–10.
Abdulhamid A. Ardo, Julian M. Bass, and Tarek Gaber. 2023. Implications of Regulatory Policy for Building Secure Agile Software in Nigeria: A Grounded Theory. The Electronic Journal of Information Systems in Developing Countries 89, 6 (2023), e12285.
Cláudia Ascenção, Henrique Teixeira, João Gonçalves, and Fernando Almeida. 2024. Large-scale Agile Security Practices in Software Engineering. Information & Computer Security (2024).
Vanessa Ayala-Rivera, A Omar Portillo-Dominguez, and Liliana Pasquale. 2024. GDPR Compliance Via Software Evolution: Weaving Security Controls in Software Design. Journal of Systems and Software (2024), 112144.
H. Bentzen and Njål Høstmælingen. 2019. Balancing Protection and Free Movement of Personal Data: The New European Union General Data Protection Regulation. Annals of Internal Medicine 170 (2019), 335–337. DOI: 10.7326/M18-2782
B. Blechner and Adam Butera. 2002. Health Insurance Portability and Accountability Act of 1996 (HIPAA): a provider’s overview of new privacy regulations. Connecticut Medicine 66, 2 (2002), 91–95.
Robert P Bostrom and J Stephen Heinen. 1977. MIS problems and failures: A socio-technical perspective. Part I: The causes. MIS quarterly (1977), 17–32.
Valentina Casola, Alessandra De Benedictis, Massimiliano Rak, and Umberto Villano. 2020. A Novel Security-by-Design Methodology: Modeling and Assessing Security by SLAs with a Quantitative Approach. Journal of Systems and Software 163 (2020), 110537.
Tao Chen and Haiyan Suo. 2022. Design and Practice of Security Architecture via DevSecOps Technology. 2022 IEEE 13th International Conference on Software Engineering and Service Science (ICSESS) (2022), 310–313. DOI: 10.1109/ICSESS54813.2022.9930212
Chris W Clegg. 2000. Sociotechnical principles for system design. Applied ergonomics 31, 5 (2000), 463–477.
Said Daoudagh, Francesca Lonetti, and Eda Marchetti. 2020. Continuous development and testing of access and usage control: A systematic literature review. In Proceedings of the 2020 European Symposium on Software Engineering. 51–59.
Breno B Nicolau de França, Helvio Jeronimo, and Guilherme Horta Travassos. 2016. Characterizing DevOps by hearing multiple voices. In Proceedings of the XXX Brazilian Symposium on Software Engineering. 53–62.
Edna Dias Canedo, Angelica Toffano Seidel Calazans, Eloisa Toffano Seidel Masson, Pedro Henrique Teixeira Costa, and Fernanda Lima. 2020. Perceptions of ICT practitioners regarding software privacy. Entropy 22, 4 (2020), 429.
Floris Erich, Chintan Amrit, and Maya Daneva. 2014. A mapping study on cooperation between information system development and operations. In International Conference on Product-Focused Software Process Improvement. Springer, 277–280.
Akanksha Gupta. 2022. An Integrated Framework for DevSecOps Adoption. arXiv preprint arXiv:2207.04093 (2022).
Rogelio Hernández, Begoña Moros, and Joaquín Nicolás. 2023. Requirements Management in DevOps Environments: A Multivocal Mapping Study. Requirements Engineering 28, 3 (2023), 317–346.
Jez Humble and Joanne Molesky. 2011. Why enterprises must adopt devops to enable continuous delivery. Cutter IT Journal 24, 8 (2011), 6.
Zalialetdzinau Kanstantsin. 2022. Multivocal Literature Review on the Security of DevSecOp. Asian Journal of Research in Computer Science (2022). DOI: 10.9734/ajrcos/2022/v14i230329
Hansol Kim. 2022. Legislative Harmonization of Brazilian Data Protection Law with EU GDPR: A Comparative Study on the EU GDPR and Brazil’s LGPD. Center for Legislative Studies, Gyeongin National University of Education (2022). DOI: 10.58555/li.2022.2.105
Barbara Kitchenham and Pearl Brereton. 2013. A systematic review of systematic review process research in software engineering. Information and software technology 55, 12 (2013), 2049–2075.
Barbara Kitchenham, Stuart Charters, et al. 2007. Guidelines for performing systematic literature reviews in software engineering.
Felix Lange and Immanuel Kunz. 2024. Evolution of Secure Development Lifecycles and Maturity Models in the Context of Hosted Solutions. Journal of Software: Evolution and Process (2024), e2711.
Runfeng Mao, He Zhang, Qiming Dai, Huang Huang, Guoping Rong, Haifeng Shen, Lianping Chen, and Kaixiang Lu. 2020. Preliminary Findings about DevSecOps from Grey Literature. 2020 IEEE 20th International Conference on Software Quality, Reliability and Security (QRS) (2020), 450–457. DOI: 10.1109/QRS51102.2020.00064
Mina Miri, C. Amir Pourafshar, Pooya Mehregan, and Nathanael Mohammed. 2019. Bridging the Gap Between Policies and Execution in an Agile Environment. Governance of IT, OT and IoT, ISACA JOURNAL 4 (2019).
Enid Mumford. 2003. Redesigning human systems. IGI Global.
Matthew J. Page, Joanne E. McKenzie, Patrick M. Bossuyt, Isabelle Boutron, Tammy C. Hoffmann, Cynthia D. Mulrow, Larissa Shamseer, Jennifer M. Tetzlaff, Elie A. Akl, Sue E. Brennan, et al. 2023. A Declaração PRISMA 2020: Diretriz Atualizada para Relatar Revisões Sistemáticas. Revista Panamericana de Salud Publica 46 (2023), e112.
Khyara F. Passos. 2021. Compliance with Brazil’s New Data Privacy Legislation: What US Companies Need to Know. Social Science Research Network (2021). DOI: 10.2139/SSRN.3777357
Agung Maulana Putra and Herman Kabetta. 2022. Implementation of DevSecOps by Integrating Static and Dynamic Security Testing in CI/CD Pipelines. In 2022 IEEE International Conference of Computer Science and Information Technology (ICOSNIKOM). IEEE, 1–6.
R. Rajapakse, Mansooreh Zahedi, M. Babar, and Haifeng Shen. 2021. Challenges and solutions when adopting DevSecOps: A systematic review. ArXiv abs/2103.08266 (2021). DOI: 10.1016/j.infsof.2021.106700
Xhesika Ramaj, Mary Sánchez-Gordón, Vasileios Gkioulos, Sabarathinam Chockalingam, and Ricardo Colomo-Palacios. 2022. Holding On to Compliance While Adopting DevSecOps: An SLR. Electronics 11, 22 (2022), 3707.
Thorsten Rangnau, Remco v. Buijtenen, F. Fransen, and F. Turkmen. 2020. Continuous Security Testing: A Case Study on Integrating Dynamic Security Testing Tools in CI/CD Pipelines. 2020 IEEE 24th International Enterprise Distributed Object Computing Conference (EDOC) (2020), 145–154. DOI: 10.1109/EDOC49727.2020.00026
Lucas Dalle Rocha, Geovana Ramos Sousa Silva, and Edna Dias Canedo. 2023. Privacy Compliance in Software Development: A Guide to Implementing the LGPD Principles. In Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing. 1352–1361.
Wasim Fathima Shah. 2023. Preserving Privacy and Security: A Comparative Study of Health Data Regulations - GDPR vs. HIPAA. International Journal for Research in Applied Science and Engineering Technology (2023). DOI: 10.22214/ijraset.2023.55551
Thiago Luís Santos Sombra. 2020. The General Data Protection Law in Brazil: What Comes Next? Global Privacy Law Review (2020). DOI: 10.54648/gplr2020083
Emrah Soykan and Huseyin Uzunboylu. 2015. New trends on mobile learning area: The review of published articles on mobile learning in Science Direct database. World Journal on Educational Technology 7 (2015), 31–41. DOI: 10.18844/WJET.V7I1.22
Damian A Tamburri. 2020. Design principles for the General Data Protection Regulation (GDPR): A formal concept analysis and its evaluation. Information Systems 91 (2020), 101469.
Theodoros Theodoropoulos, Luis Rosa, Chafika Benzaid, Peter Gray, Eduard Marin, Antonios Makris, Luis Cordeiro, Ferran Diego, Pavel Sorokin, Marco Di Girolamo, et al. 2023. Security in Cloud-Native Services: A Survey. Journal of Cybersecurity and Privacy 3, 4 (2023), 758–793.
UNCTAD. 2021. Data Protection and Privacy Legislation Worldwide. [link]. Accessed: 23 Oct. 2024.
Yolanda Valdés-Rodríguez, Jorge Hochstetter-Diez, Mauricio Diéguez-Rebolledo, Ana Bustamante-Mora, and Rodrigo Cadena-Martínez. 2024. Analysis of Strategies for the Integration of Security Practices in Agile Software Development: A Sustainable SME Approach. IEEE Access (2024).
Anna Wiedemann, Manuel Wiesche, Heiko Gewald, and Helmut Krcmar. 2020. Understanding how DevOps aligns development and operations: a tripartite model of intra-IT alignment. European Journal of Information Systems 29, 5 (2020), 458–473.
Erkang Zheng, Phil Gates-Idem, and Matt Lavin. 2018. Building a Virtually Air-Gapped Secure Environment in AWS: With Principles of DevOps Security Program and Secure Software Delivery. In Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security. 1–8.
Xin Zhou, Yuqin Jin, He Zhang, Shanshan Li, and Xin Huang. 2016. A Map of Threats to Validity of Systematic Literature Reviews in Software Engineering. In 2016 23rd Asia-Pacific Software Engineering Conference (APSEC). IEEE, 153–160.
Published
19/05/2025
How to Cite
FREITAS, Denisson S. A. de; OLIVEIRA, Adicinéia Aparecida de; MORENO, Edward D.; SILVA, Gilton J. F. da. DevSecOps Practices for GDPR, HIPAA or LGPD Compliance in Software Development: A Systematic Review. In: SIMPÓSIO BRASILEIRO DE SISTEMAS DE INFORMAÇÃO (SBSI), 21., 2025, Recife/PE. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 145-153. DOI: https://doi.org/10.5753/sbsi.2025.246400.