Challenges in DevSecOps Decision-Making Amid a Dearth of Valid Frameworks
Abstract
This study examines the challenges of securing DevOps environments through a unique combination of technical framework analysis and behavioral science insights. By analyzing frameworks from organizations like OWASP, CSA, NIST, and the US DoD while applying behavioral economics and decision theory, the research investigates how cognitive biases affect security decision-making in DevSecOps and evaluates existing frameworks' gaps. The analysis reveals a significant lack of mature, comprehensive, and regularly updated DevSecOps frameworks, with existing guidelines often lacking clarity, usability, or consideration of human factors. The study identifies key cognitive biases impacting security decisions and demonstrates how these are exacerbated by the absence of robust frameworks. While the research is limited by DevSecOps' evolving nature and ongoing framework development, this limitation itself reflects the field's nascent state and highlights opportunities to observe security practice evolution under uncertainty. Future research could empirically test how framework improvements impact decision-making in real-world DevSecOps environments.