Belov R.
MODERN METHODOLOGIES FOR ORGANIZING DEVOPS PROCESSES IN WEB DEVELOPMENT *
Аннотация:
the article analyzes methods for organizing DevOps processes in web development, with particular attention given to the integration of information security measures through the DevSecOps paradigm. The study is based on an extensive review of literature available in open sources, which helped identify a set of tools and techniques currently in use.The evolution of DevOps methods has revealed information security gaps that arise during the release of updates, justifying the need for a transformational approach—the so-called “left shift,” which involves incorporating security measures early in the development lifecycle. The research systematizes both organizational and technical aspects: it examines cross-functional interaction mechanisms and the applicability of static (SAST), dynamic (DAST), and interactive (IAST) security analysis, threat modeling, and Infrastructure as Code (IaC) management tools, along with monitoring and controlling access to confidential information.The recommendations for DevSecOps integration presented in this work aim to reduce vulnerabilities, improve the quality of the developed software product, and accelerate release processes. The results outlined in this research possess practical value for IT specialists, DevOps engineers, system architects, and researchers seeking to implement innovative approaches in continuous integration and delivery to build resilient digital ecosystems.
Ключевые слова:
devOps, DevSecOps, web development, security
DOI 10.24412/2712-8849-2025-586-722-735
Introduction. In the face of evolving market expectations and a constant intensification of cyber threats, companies are compelled to reassess and shorten their development cycles. This situation drives the widespread adoption of DevOps principles, designed to speed up the creation of software products by integrating agile methodologies into development processes. However, the simultaneous increase in cyberattacks and the growing costs of mitigating their consequences shape a new security paradigm, especially in web development, where inadequate protection can result in financial losses and a decline in customer trust. As a result, there is a need to integrate information security measures into all stages of the product lifecycle, which serves as the basis for the DevSecOps concept—an approach that combines innovative development with comprehensive security measures for information systems.In Harkai A., Ciurea C. E. [1, pp. 385–404], the authors analyze the economic consequences of data breaches, assessing how cyber threats affect a company’s financial performance and proposing a conceptual methodology aimed at reducing costs related to security incidents. In parallel, Sadovykh A., Ivanov V. V. [3, pp. 1687–1702] propose a model built on a thorough analysis of security requirements and comprehensive testing, which includes validation mechanisms at every stage of the product lifecycle. Their approach integrates empirical data with process modeling, enabling the creation of a robust protection system. Likewise, Echefunna C. C. et al. [4, pp. 1–21] employ a testing strategy involving risk assessment in accordance with OWASP standards, emphasizing the significance of an integrated approach to identifying and eliminating vulnerabilities in web applications. There is also a shift in the security paradigm: Abiona O. O. et al. [5, pp. 127–133] highlight the importance of embedding defensive measures directly into the DevOps pipeline, moving away from traditional incident response measures toward continuous validation. Additionally, Karanam R. [6, pp. 1–9] proposes preventive strategies for securing CI/CD pipelines, aimed at minimizing risks in a rapidly changing development environment. These innovative approaches are further supported by Camacho N. G. [9, pp. 106–115], who examines the potential for integrating artificial intelligence and machine learning methods into DevSecOps processes to predict potential threats and enhance system adaptability.Beyond information security issues, much of the current literature addresses methodological aspects of organizing DevOps processes. Brito E. et al. [2, pp. 53–67] describe the TrustOps concept, which seeks to ensure a continuous level of trust in software products by integrating quality control mechanisms at every development stage. Meanwhile, Moeez M. et al. [7, pp. 1–9] conduct a systematic analysis of DevOps components. Singh M. [8, pp. 1–8] emphasizes the need for flexibility and adaptability in modern projects, highlighting the relevance of contemporary development methodologies. Karunarathne M. A. W., Wijayanayake W., Prasadika A. [10, pp. 282–287] conduct a systematic review aimed at identifying factors that impede the effective adoption of DevOps in organizations. They substantiate the necessity of optimizing both managerial and technical processes, keeping pace with changing market demands.The analysis of these works shows that research in DevOps and DevSecOps often focuses on a single aspect of practice or the use of specific tools. However, few studies have succeeded in combining organizational and technical components into a single integrated approach, optimally adapted for web development. This gap in existing methodologies underscores the need for further research aimed at developing a comprehensive DevOps process model that includes mandatory security requirements.The purpose of this work is to analyze and systematize approaches to DevOps process organization in the context of web development. The novelty of the article lies in an interdisciplinary approach that merges the theoretical foundations of DevOps, modern security methods (DevSecOps), and the specifics of web development. The authors’ hypothesis is that the integration of security measures (DevSecOps) into traditional DevOps processes in web development reduces vulnerabilities, enhances software quality, and accelerates development by detecting and addressing issues early. It is assumed that the comprehensive application of automated tools for code analysis, monitoring, infrastructure management, and personnel training will foster conditions for a secure and efficient development cycle.The methodological foundation is based on a literature review, which includes a systematic analysis of both academic publications and publicly available online materials.Evolution of DevOps and preconditions for transition to DevSecOps.In recent years, the software development field has undergone a marked shift in how teams conceptualize and build complex systems. Much of this transformation stems from the ongoing evolution of the DevOps concept, which seeks to eliminate the longstanding divide between development and operations. By doing so, DevOps accelerates the release of updates and markedly improves the quality of end products. The term “DevOps” itself originally signified the fusion of two essential functions—development (Dev) and operations (Ops)—with a core emphasis on automating critical processes, embedding continuous integration (CI), applying continuous delivery (CD) principles, and maintaining round-the-clock system monitoring. Alongside these technological changes, an equally important cultural realignment is taking place within organizations, focusing on more cohesive collaboration among separate functional teams [1, pp. 385–404, 10, pp. 282–287]. Figure 1 illustrates the main components and defining attributes of the DevOps approach.Figure 1. The main elements of the DevOps approach [1, pp. 385–404].Although faster development cycles have obvious benefits, such speed is often achieved at the expense of security. When security is undervalued during rapid releases, hidden defects may gradually accumulate in the software, occasionally leading to malfunctions or disruptions in web applications [5, pp. 127–133]. In these circumstances, the conventional DevOps paradigm may not always be equipped to detect and mitigate threats swiftly, which can undermine both the final product’s quality and its reliability [7, pp. 1–9].Recognizing these limitations, experts in information security and software engineering began introducing dedicated security measures directly into the DevOps pipeline, thereby establishing the DevSecOps concept. The central principle behind DevSecOps is to shift security considerations to the earliest possible stages of software creation—a strategy often described as “security left” [3, pp. 1687–1702]. In practical terms, this early-integration approach encompasses not only specialized control tools—such as SAST, DAST, and SCA—but also a cultural change within the organization. Key elements include ongoing staff education, the creation of roles specifically devoted to security oversight, and policies that position protective measures as an inherent part of the CI/CD workflow [4, pp. 1–21, 6, pp. 1–9].To gain a clearer picture of how DevOps differs from DevSecOps, Table 1 presents a direct comparison of some primary attributes.Table 1. Comparison of key characteristics of DevOps and DevSecOps [1, pp. 385–404, 3, pp. 1687–1702, 5, pp. 127–133, 7, pp. 1–9].Thus, transitioning from a traditional DevOps methodology to DevSecOps can be seen as an essential evolutionary step, driven by the rising sophistication of contemporary information systems and the increasing stringency of cybersecurity regulations. This transition entails embedding safeguards directly into the development lifecycle so that potential weaknesses can be identified and addressed early on. As a result, web applications become not only more robust and reliable but also better aligned with modern standards of information security.DevSecOps practices for web development.Effective DevSecOps implementation depends first and foremost on a corporate mindset that regards information security as a task shared by everyone involved in product creation. Establishing and cultivating this organizational culture not only simplifies problem-solving but also fosters an active exchange of expertise between developers, operational staff, and security professionals. When the collaboration reaches this level of integration, it becomes possible to detect and eliminate vulnerabilities early in the process and to continuously adapt protective measures as new threats surface.A major aspect of this approach involves weaving security checks into the full lifecycle of software delivery. Security Champions, for instance, move beyond occasional consulting roles by being present at every phase—from designing, coding, and testing through to deployment and ongoing support. This early involvement helps pinpoint weak areas before they develop into disruptive issues that could undermine system stability or lead to breaches [6, pp. 1–9]. Training programs and workshops on secure coding methods further enhance team members’ awareness of evolving threats, enabling them to align daily practices with industry-recognized standards. Clarity in policies and internal oversight mechanisms likewise ensures uniform procedures across the organization, thereby avoiding ad hoc or inconsistent methods of handling security incidents [1, pp. 385–404, 6, pp. 1–9, 7, pp. 1–9].The transition to DevSecOps also highlights the importance of integrated tools and techniques that work in tandem to protect software at every layer. Static Application Security Testing (SAST) aids in finding weaknesses in source code prior to execution, while Dynamic Application Security Testing (DAST) evaluates how a running application copes with simulated attacks in real time [4, pp. 1–21]. Interactive Application Security Testing (IAST) offers a blend of both approaches, giving developers insight into actual application performance under real-world pressures so that anomalies do not go unnoticed. Likewise, threat modeling and risk assessment processes help direct limited resources to the most pressing weaknesses [5, pp. 127–133], ensuring that no critical area goes unprotected.In addition to code-level checks, DevSecOps advocates extending these measures to infrastructure operations. The Infrastructure as Code (IaC) model, for instance, uses programmatic methods to define and manage configurations, substantially reducing the likelihood of human missteps or overlooked settings [1, pp. 385–404, 10, pp. 282–287]. Securing sensitive assets, such as API keys, passwords, and certificates, remains paramount, and specialized systems like HashiCorp Vault or AWS Secrets Manager give organizations a centralized way to handle these secrets and mitigate risks [4, pp. 1–21]. Automated monitoring with tools such as Prometheus or Grafana then ensures immediate notification of irregular activity, which can be rapidly addressed. This near-instant feedback loop proves invaluable in limiting the window of exposure to potential attacks. Periodic penetration testing by internal or external “Red Teams” supplements these defensive mechanisms by subjecting the environment to realistic attack scenarios, thus uncovering latent vulnerabilities that may slip past ordinary testing routines [1, pp. 385–404].Table 2, summarized below, offers an overview of the main DevSecOps practices implemented in web-focused environments.Table 2. Key DevSecOps Practices for Web Development [1, pp. 385–404, 4, pp. 1–21, 6, pp. 1–9, 8, pp. 1–8].Given the pace of change in the digital sphere, a rigid focus on administrative measures alone is rarely sufficient. Instead, organizations often benefit most from simultaneously employing modern technical strategies and fostering a culture where security underpins all development activities. Studies point to a balanced mix of managerial oversight and innovative tools as the key to minimizing the impact of breaches and speeding up incident response. By ensuring robust and versatile defenses—from source code evaluations and thorough infrastructure management to advanced threat detection and simulated attack exercises—DevSecOps paves the way for long-term system resilience and reliability.DevSecOps tools and implementation recommendations.Introducing DevSecOps into web development demands more than a shift in corporate culture and development practices. It also calls for deploying specialized technology designed to automate security controls at every stage of the software lifecycle. When these mechanisms function together—covering everything from static and dynamic checks of source code to Infrastructure as Code (IaC) and ongoing monitoring—organizations can reduce exposure to threats, deliver more dependable solutions, and respond more swiftly to any security incidents.In practical terms, this transition is underpinned by various tools. Software Composition Analysis (SCA) platforms, for instance, thoroughly assess all dependencies and libraries to uncover known vulnerabilities and confirm proper licensing, while Continuous Integration and Delivery (CI/CD) systems like Jenkins, GitLab CI, and GitHub Actions incorporate automated testing and deployment alongside built-in security checks. Similarly, monitoring and alerting solutions such as Prometheus, Grafana, the ELK stack, or Splunk enable teams to keep a close eye on system performance, making it easier to detect anomalies in real time. Container and infrastructure security solutions (including AquaSec, Twistlock, Trivy, Terraform, AWS CloudFormation, and Ansible) streamline configurations and deployments, and secrets management tools such as HashiCorp Vault or AWS Secrets Manager offer a secure means of handling sensitive data [1, pp. 385–404].When deciding on a DevSecOps adoption strategy, organizations commonly emphasize several key ideas. One is ensuring that selected tools can scale and accommodate changing business requirements. Another is validating how seamlessly new solutions fit with existing systems—for example, version control services and containerization workflows—so that teams can continue to develop and implement solutions at their usual pace. It is also essential to choose tools supported by vibrant, active communities. Frequent updates and swift patches for identified weaknesses enhance reliability and security while providing a community of users and developers to troubleshoot any challenges. Finally, strong automation features and well-documented APIs help integrate these solutions into pipelines without imposing cumbersome manual tasks.Implementing DevSecOps typically proceeds in stages, reflecting operational nuances and established practices within each organization. Pilot projects at the outset give teams a controlled environment to explore new tools and identify potential security gaps before rolling out more extensive changes [1, pp. 385–404, 3, pp. 1687–1702]. After that initial phase, it becomes crucial to embed security checks naturally into the existing development process—from the moment code is written and tested to the point where it is deployed. Successful integration depends on a structured plan that clearly specifies goals, timelines, and responsibilities [7, pp. 1–9, 9, pp. 106–115]. Teams often refine these plans by conducting frequent retrospectives and gathering feedback, thus ensuring that security safeguards remain both effective and adaptable as threats continue to evolve.Table 3 below highlights several core DevSecOps tools, offering guidance on criteria for selection and outlining proposed approaches for successful implementation.Table 3. Key DevSecOps tools, selection criteria, and implementation recommendations [1, pp. 385–404, 7, pp. 1–9, 9, pp. 106–115].Although each of these measures contributes individually to robust security, the real strength of DevSecOps lies in weaving them together in a holistic, methodical manner. Code scanning, relentless system monitoring, infrastructure automation, and safeguarded handling of confidential information form the backbone of a streamlined production cycle, yielding consistent standards for both reliability and protection. By integrating specialized solutions and clearly defined defensive measures, organizations can build agile digital ecosystems that are better prepared to navigate the ever-changing cybersecurity landscape.Conclusion.Taken together, these considerations show that harnessing innovative tools for software security hinges on an appropriate blend of organizational frameworks and automation techniques. Incorporating security measures at each step of the software lifecycle not only curtails potential vulnerabilities but also raises overall product quality and shortens incident response times. In particular, the recommended DevSecOps strategies—early pilot testing, regularly updating existing CI/CD environments, and fostering cross-functional security teams—provide a guide for organizations aiming to secure their operations without slowing down their release cycles.Looking ahead, further research might explore the integration of next-generation technologies and compare DevSecOps best practices across a wide spectrum of industries. Such investigations may pave the way for generalizable guidelines on development processes that balance rigorous security standards with operational efficiency.
Номер журнала Вестник науки №5 (86) том 2
Ссылка для цитирования:
Belov R. MODERN METHODOLOGIES FOR ORGANIZING DEVOPS PROCESSES IN WEB DEVELOPMENT // Вестник науки №5 (86) том 2. С. 722 - 735. 2025 г. ISSN 2712-8849 // Электронный ресурс: https://www.вестник-науки.рф/article/22916 (дата обращения: 20.07.2025 г.)
Вестник науки © 2025. 16+