Challenges in DevSecOps Decision-Making Amid a Dearth of Valid Frameworks

Challenges in DevSecOps Decision-Making Amid a Dearth of Valid Frameworks | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article Challenges in DevSecOps Decision-Making Amid a Dearth of Valid Frameworks Francesco Ferazza, Konstantinos Mersinas This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-5839398/v1 This work is licensed under a CC BY 4.0 License Status: Published Journal Publication published 23 Nov, 2025 Read the published version in Applied Cybersecurity & Internet Governance → Version 1 posted You are reading this latest preprint version Abstract This study examines the challenges of securing DevOps environments through a unique combination of technical framework analysis and behavioral science insights. By analyzing frameworks from organizations like OWASP, CSA, NIST, and the US DoD while applying behavioral economics and decision theory, the research investigates how cognitive biases affect security decision-making in DevSecOps and evaluates existing frameworks' gaps. The analysis reveals a significant lack of mature, comprehensive, and regularly updated DevSecOps frameworks, with existing guidelines often lacking clarity, usability, or consideration of human factors. The study identifies key cognitive biases impacting security decisions and demonstrates how these are exacerbated by the absence of robust frameworks. While the research is limited by DevSecOps' evolving nature and ongoing framework development, this limitation itself reflects the field's nascent state and highlights opportunities to observe security practice evolution under uncertainty. Future research could empirically test how framework improvements impact decision-making in real-world DevSecOps environments. Security DevSecops CI/CD Cognitive Biases Full Text Additional Declarations No competing interests reported. Cite Share Download PDF Status: Published Journal Publication published 23 Nov, 2025 Read the published version in Applied Cybersecurity & Internet Governance → Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-5839398","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":446278588,"identity":"6cb32cc0-2728-4ade-bf91-47a8a9e3f976","order_by":0,"name":"Francesco Ferazza","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABWUlEQVRIie2RMUvDQBTH7zi4LI9mvdLSfoUXCnVQ7FeJFOLi4CQVSrhQyBR0VfBziOOVg7hEuwouDUInh7iUCqV4MTat1KGjQ37T/4734713R0hFxT+kp8poZz+BKZXhUZPnmUrSLG7LQtzYsA78JL0592CtwB4KdDqQ6eL4l9LQs+li4LdtAvRtMPR7tiRdATiBmugrdvlgXEtPGSTlLjXvwIkS7dxKWztJzJlQxBMCX4ELz6VPiVHAQwYvZRcg3QYNlYsKeF1ys4EiscBcgQRpEOYTnhEG2Uax5g268nPF+pQrAW1FQ+His1EmWaHY778VMF0k++5iClCgYgxVfrQiUigi77I1GFzUo9jsMgJWD65cdDSnqcS+UUIcB+GpWWqG47tka7B7sRiaF7Mi+iHnfq/1eJ3p5fK41R6xNA3Cw5Zt99Ppe0x2YDth/Rl8+1cqKioqKvbhCw6JdkWedixdAAAAAElFTkSuQmCC","orcid":"","institution":"Royal Holloway University of London","correspondingAuthor":true,"prefix":"","firstName":"Francesco","middleName":"","lastName":"Ferazza","suffix":""},{"id":446278589,"identity":"6396b046-4ff4-4f18-b297-6c18bef1933f","order_by":1,"name":"Konstantinos Mersinas","email":"","orcid":"","institution":"Royal Holloway University of London","correspondingAuthor":false,"prefix":"","firstName":"Konstantinos","middleName":"","lastName":"Mersinas","suffix":""}],"badges":[],"createdAt":"2025-01-16 07:08:25","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-5839398/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-5839398/v1","draftVersion":[],"editorialEvents":[{"content":"https://doi.org/10.60097/ACIG/213726","type":"published","date":"2025-11-24T00:00:00+00:00"}],"editorialNote":"","failedWorkflow":false,"files":[{"id":97184893,"identity":"1ad20d21-c139-424a-8b29-323a7b841dce","added_by":"auto","created_at":"2025-12-01 17:18:40","extension":"pdf","order_by":1,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":346639,"visible":true,"origin":"","legend":"","description":"","filename":"devops.pdf","url":"https://assets-eu.researchsquare.com/files/rs-5839398/v1_covered_7d21d9c4-fb03-4467-8d7f-3817b5f41945.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"Challenges in DevSecOps Decision-Making Amid a Dearth of Valid Frameworks","fulltext":[],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":false,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":false,"highlight":"","institution":"","isAcceptedByJournal":true,"isAuthorSuppliedPdf":true,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":true,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"Security, DevSecops, CI/CD, Cognitive Biases","lastPublishedDoi":"10.21203/rs.3.rs-5839398/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-5839398/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"This study examines the challenges of securing DevOps environments through a unique combination of technical framework analysis and behavioral science insights. By analyzing frameworks from organizations like OWASP, CSA, NIST, and the US DoD while applying behavioral economics and decision theory, the research investigates how cognitive biases affect security decision-making in DevSecOps and evaluates existing frameworks' gaps. The analysis reveals a significant lack of mature, comprehensive, and regularly updated DevSecOps frameworks, with existing guidelines often lacking clarity, usability, or consideration of human factors. The study identifies key cognitive biases impacting security decisions and demonstrates how these are exacerbated by the absence of robust frameworks. While the research is limited by DevSecOps' evolving nature and ongoing framework development, this limitation itself reflects the field's nascent state and highlights opportunities to observe security practice evolution under uncertainty. Future research could empirically test how framework improvements impact decision-making in real-world DevSecOps environments.","manuscriptTitle":"Challenges in DevSecOps Decision-Making Amid a Dearth of Valid Frameworks","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-04-23 03:22:44","doi":"10.21203/rs.3.rs-5839398/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"076ab04b-ec71-4440-953e-1e52e8f594e4","owner":[],"postedDate":"April 23rd, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"published-in-journal","subjectAreas":[],"tags":[],"updatedAt":"2025-12-01T17:18:35+00:00","versionOfRecord":{"articleIdentity":"rs-5839398","link":"https://doi.org/10.60097/ACIG/213726","journal":{"identity":"applied-cybersecurity-and-internet-governance","isVorOnly":true,"title":"Applied Cybersecurity \u0026 Internet Governance"},"publishedOn":"2025-11-24 00:00:00","publishedOnDateReadable":"November 24th, 2025"},"versionCreatedAt":"2025-04-23 03:22:44","video":"","vorDoi":"10.60097/ACIG/213726","vorDoiUrl":"https://doi.org/10.60097/ACIG/213726","workflowStages":[]},"version":"v1","identity":"rs-5839398","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-5839398","identity":"rs-5839398","version":["v1"]},"buildId":"8U1c8b4HqxoKbykW_rLl7","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}