DiVA

diva-portal.org

Digitala Vetenskapliga Arkivet

Operational message
There are currently operational disruptions. Troubleshooting is in progress.
EnglishSvenskaNorsk
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Aligning security compliance and DevOps: a longitudinal study
Siemens Foundational Technologies, Munich, Germany.
Blekinge Institute of Technology, Faculty of Computing, Department of Software Engineering.ORCID iD: 0000-0001-7903-8236
Blekinge Institute of Technology, Faculty of Computing, Department of Software Engineering.ORCID iD: 0000-0003-0619-6027
Blekinge Institute of Technology, Faculty of Computing, Department of Software Engineering.ORCID iD: 0000-0002-3646-235x
Show others and affiliations
2026 (English)In: Journal of Systems and Software, ISSN 0164-1212, E-ISSN 1873-1228, Vol. 234, article id 112718Article in journal (Refereed) Published
Abstract [en]

Companies adopt agile methodologies and DevOps to facilitate efficient development and deployment of software-intensive products. This, in turn, introduces challenges in relation to security standard compliance traditionally following a more linear workflow. This is especially a challenge for the engineering of products and services associated with critical infrastructures. To support companies in their transition towards DevOps, this paper presents an adaptation of DevOps according to security regulations and standards. We report on our longitudinal study at Siemens AG, consisting of several individual sub-studies in the inception, validation, and initial adoption of our framework based on RefA as well as the implications for practice. RefA is a prescriptive model of a security compliant DevOps lifecycle based on the IEC 62443-4-1 standard. The overall framework is aimed at professionals, not only security experts, being able to use it on implementing DevOps processes while remaining compliant with security norms. We demonstrate how RefA facilitates the transfer of security compliance knowledge to product development teams. This knowledge transfer supports the agility aim of ensuring that cross-functional teams have all the skills needed to deliver the compliant products.
Place, publisher, year, edition, pages
Elsevier, 2026. Vol. 234, article id 112718
Keywords [en]
DevSecOps, DevOps, Continuous security compliance, Continuous software engineering, Security standards compliance, Secure software engineering
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-29024DOI: 10.1016/j.jss.2025.112718ISI: 001642456100001Scopus ID: 2-s2.0-105024862156OAI: oai:DiVA.org:bth-29024DiVA, id: diva2:2024931
Available from: 2026-01-02 Created: 2026-01-02 Last updated: 2026-01-02Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Search in DiVA

By author/editor
Angermeir, FlorianMendez, DanielGorschek, Tony
By organisation
Department of Software Engineering
In the same journal
Journal of Systems and Software
Software Engineering

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 30 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.47.0
|
WCAG
|
About DiVA Portal
|
About the DiVA Consortium