Technologies and Tools for DevSecOps: A systematic literature review
DOI: https://doi.org/10.5753/isys.2025.6207
Keywords: DevSecOps, DevOps, Continuous Delivery, Continuous Deployment, Security Tools
Abstract
The advent of DevOps has brought faster Agile deliveries through automation. However, the speed of continuous delivery and deployment has hurt security testing and threat detection, mainly because such tests are applied after the application is delivered. Because they are time-consuming, they cannot keep up with the speed of software delivery. To fill this gap, DevSecOps emerged, including security testing in each phase of the DevOps lifecycle. In this sense, this study aims to investigate the security technologies and tools used in DevSecOps and to provide a knowledge base in which the authors have referenced all of them in their research. Therefore, a Systematic Literature Review (SLR) was adopted as the methodology for this research, delimiting the period to the first half of 2024. Of the 87 published studies, 42 were selected after a comprehensive review process focusing on three guiding questions. The first question (Q1): “What types of security tools have been reported in the most recent publications?”; the second question (Q2): “What technologies and platforms are referenced in DevSecOps publications?”; and the third question (Q3): “What unique or more unusual security tools and technologies are addressed in the latest publications?” As a result, the answers to Q1 revealed thirteen categories of tools consistently referenced by different articles. As for Q2 on technologies, AI was the most frequently referenced in the articles. As for Q3, only two tools were identified as unique in the publications selected for this SLR, indicating that, within the time frame of this research, there was significant consistency in the tools used in DevSecOps.
Copyright (c) 2026 iSys - Journal of Information Systems

This work is licensed under a Creative Commons Attribution 4.0 International License.