This study delves into the core obstacles organizations encounter when trying to adopt modern DevSecOps practices. Using a constructivist grounded theory approach, we conducted eighteen in-depth, semi-structured interviews with two distinct groups: nine senior cybersecurity managers and nine hands-on software engineers. Our analysis revealed a profound disconnect between strategic vision and the daily grind. Managers often spoke of governance, resource allocation, and fostering a collaborative culture, while engineers frequently experienced security efforts as disruptive, inefficient, and detrimental to their developer experience (DevEx). Through a comparative analysis of these two perspectives, we pinpointed misaligned priorities, broken communication, and a lack of jointly designed solutions that truly bridge social and technical workflows as key contributors to this divide. From these emergent insights, a core category of Socio-Technical Friction emerged, providing a new theoretical lens that strongly aligns with and extends the principles of Socio-Technical Systems (STS) theory within the DevSecOps context. Specifically, our findings show that DevSecOps initiatives often falter precisely because they treat social and technical systems as separate entities rather than interconnected parts of a whole. This fundamental misalignment creates significant friction where these two systems meet, ultimately slowing down development and weakening security. This study concludes by offering practical recommendations for closing this gap, advocating for a holistic approach to DevSecOps as a truly unified socio-technical system.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Socio-technical Friction: An Emergent Grounded Theory of DevSecOps Challenges

  • Francesco Ferazza,
  • Konstantinos Mersinas

摘要

This study delves into the core obstacles organizations encounter when trying to adopt modern DevSecOps practices. Using a constructivist grounded theory approach, we conducted eighteen in-depth, semi-structured interviews with two distinct groups: nine senior cybersecurity managers and nine hands-on software engineers. Our analysis revealed a profound disconnect between strategic vision and the daily grind. Managers often spoke of governance, resource allocation, and fostering a collaborative culture, while engineers frequently experienced security efforts as disruptive, inefficient, and detrimental to their developer experience (DevEx). Through a comparative analysis of these two perspectives, we pinpointed misaligned priorities, broken communication, and a lack of jointly designed solutions that truly bridge social and technical workflows as key contributors to this divide. From these emergent insights, a core category of Socio-Technical Friction emerged, providing a new theoretical lens that strongly aligns with and extends the principles of Socio-Technical Systems (STS) theory within the DevSecOps context. Specifically, our findings show that DevSecOps initiatives often falter precisely because they treat social and technical systems as separate entities rather than interconnected parts of a whole. This fundamental misalignment creates significant friction where these two systems meet, ultimately slowing down development and weakening security. This study concludes by offering practical recommendations for closing this gap, advocating for a holistic approach to DevSecOps as a truly unified socio-technical system.