Mitigating Cognitive Biases in DevSecOps Decision-making: Comprehensive components for overcoming gaps in existing DevSecOps Frameworks

Research output: Contribution to conference, Paper, peer-reviewed


In the dynamic realm of software development, integration, delivery, and deployment, the advent of DevOps, a collaborative approach combining software development and IT operations to enhance speed, efficiency, and quality through automation, and its security-focused counterpart, DevSecOps, has enabled a new era of speed, agility, and automation. This dramatic shift has raised fascinating questions about the validity of the frameworks and guidelines used to secure this contemporary methodology. This research delves into the present condition of these frameworks and guidelines, revealing their relative lack of usability and maturity and, often, their unclear characteristics.

We scrutinize guidelines and frameworks published by influential organizations such as the Open Web Application Security Project (OWASP), the Cloud Security Alliance, the US National Institute of Standards and Technology (NIST), and the US Department of Defense (DoD). We analyze existing frameworks and identify a lack of maturity and universally accepted controls and safeguards for securing DevOps.

Amidst this landscape of uncertainty, security managers are faced with formidable challenges in decision-making within the DevSecOps context. Drawing upon insights from behavioral economics and decision theory, we analyze the cognitive biases and risk perceptions that influence decision-making when securing DevOps methodologies and underline how a valid, universally accepted, and publicly available framework and guidelines could mitigate the effects of such biases.

This study aims to open new avenues of research by evaluating the existing framework landscape and highlighting the gaps, challenges, and opportunities in the field of DevOps security, considering both technical and human factors. Lastly, from the analysis, valuable qualities and features for an ideal DevOps security framework emerge, including usability, maturity, clarity, universality, public availability, and alignment with behavioral economics and decision theory.
Original language: English
Publication status: In preparation - 31 May 2024
