Industrial Challenges in Secure Continuous Development
Fabiola Moyón, Florian Angermeir, Daniel Mendez
TL;DR
This paper investigates the practical challenges of aligning security with continuous software development (CSD) in industry. It employs a multi-method, case-study approach across three regulated organizations, supplemented by workshops with security and CSD practitioners and focus groups to identify and prioritize security challenges. The key contribution is a structured, prioritized catalog of 15 challenges across five domains (Continuous Development, Value Stream, Efficiency, Knowledge Transfer, CI/CD Pipelines) and four actionable future research directions to enable scalable secure agile development in regulated settings. The work offers a practitioner-oriented roadmap for integrating security activities into CSD, with implications for regulators, engineering teams, and researchers seeking solutions that work at scale in real-world settings.
Abstract
The intersection between security and continuous software engineering has been of great interest since the early years of the agile development movement, and it remains relevant as software development processes are increasingly guided by agility and the adoption of DevOps. Several authors have contributed studies framing secure agile development and secure DevOps, motivating academic contributions to methods and practices as well as discussions of benefits and challenges. The challenges in particular have captured our interest, since for the last few years we have been conducting research on secure continuous software engineering from a more applied, practical perspective, with the overarching aim of introducing solutions that can be adopted at scale. This short position paper summarizes a relevant part of that work, in which we validated challenges with several practitioners in different roles. Beyond framing a set of challenges, we conclude by presenting four key research directions that we identified for practitioners and researchers to delineate future work.
