Review Reports
- Khwaja Imran Mohammed1,*,
- Bharanidharan Shanmugam2,* and
- Jamal El-Den1
Reviewer 1: Anonymous
Reviewer 2: John Adebisi
Reviewer 3: Anonymous
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
The paper proposes a conceptual framework for effective DevSecOps adoption and outlines future research directions to bridge gaps in empirical validation and scalability. The study contributes to both academia and industry by offering a comprehensive understanding of DevSecOps evolution, its practical implications, and the critical factors influencing its success.
The paper is very interesting, but it needs several structural changes to improve the readability and the search method; there are relevant missing references.
ABSTRACT is too large. It should be summarized.
INTRODUCTION should be divided into two sections:
- INTRODUCTION
Research questions should be placed at the end before contributions 1.4
- RELATED WORK (from 1.5 onwards)
Missing papers to investigate:
- Bahaa, A., Abdelaziz, A., Sayed, A., Elfangary, L., & Fahmy, H. (2021). Monitoring real time security attacks for IoT systems using DevSecOps: a systematic literature review. Information, 12(4), 154.
- Sinan, M., Shahin, M., & Gondal, I. (2025). Integrating Security Controls in DevSecOps: Challenges, Solutions, and Future Research Directions. Journal of Software: Evolution and Process, 37(6), e70029
- Rangaraju, S., Ness, S., & Dharmalingam, R. (2023). Incorporating AI-driven strategies in DevSecOps for robust cloud security. International Journal of Innovative Science and Research Technology, 8(23592365), 10-5281.
- Zhou, X., Mao, R., Zhang, H., Dai, Q., Huang, H., Shen, H., ... & Rong, G. (2023). Revisit security in the era of DevOps: An evidence‐based inquiry into DevSecOps industry.IET software, 17(4), 435-454.
- Lombardi, F., & Fanton, A. (2023). From DevOps to DevSecOps is not enough. CyberDevOps: an extreme shifting-left architecture to bring cybersecurity within software security lifecycle pipeline. Software Quality Journal, 31(2), 619-654.
- Álvaro Michelena, Jose Aveleira-Mata, Esteban Jove, Héctor Alaiz-Moretón, Héctor Quintián, José Luis Calvo-Rolle (2023). "Development of an Intelligent Classifier Model for Denial of Service Attack Detection", International Journal of Interactive Multimedia and Artificial Intelligence, vol. 8, issue Special Issue on Practical Applications of Agents and Multi-Agent Systems, no. 3, pp. 33-42. https://doi.org/10.9781/ijimai.2023.08.003
- Bedoya, M., Palacios, S., Díaz-López, D., Laverde, E., & Nespoli, P. (2024). Enhancing devsecops practice with large language models and security chaos engineering. International Journal of Information Security, 1-24.
- … and other
- METHODOLOGY
- …
METHODOLOGY: Cite the PRISMA framework.
It is not clear which databases have been searched; authors must clarify it. All these databases should be included in the search method:
- Web of Science (Clarivate): https://www.webofscience.com/
- Ei Compendex: grey literature
- IEEE library: http://ieeexplore.ieee.org/
- ACM library: https://dl.acm.org/
- DBLP: https://dblp.org/
Authors should include secure SDLC implementation, SSDLC, as search criteria.
Some figures (3, 5, ...) do not specify a citation to a reference (or own work).
Some references do not comply with the required format:
- Kahan, N. (2023). DevSecOps in Action: Shifting Left and Securing Right for Next-Gen Cloud-Native Security. 1168
- Sandu, A. K. (2021). DevSecOps: Integrating Security into the DevOps Lifecycle for Enhanced Resilience. 6, 1–19.
- …
Author Response
Please see the attachment.
Author Response File:
Author Response.pdf
Reviewer 2 Report
Comments and Suggestions for Authors
Authors carried out a systematic review and also highlighted the need for a comprehensive framework for DevSecOps practices. The work is interesting; however, the following may be considered by the authors to improve their thought.
1) The rationale for selecting the articles being reviewed may be further clarified.
2) In terms of contribution to knowledge in this sensitive area, how do the authors come to a choice of selecting 36 studies as being enough to draw conclusions for their study in this regard?
3) Authors may want to define many abbreviations before the first place of mention and not just relying on the list provided at the end of the article.
4) The title specified review, the abstract at a point talks about proposing a framework and the result of this effort is not really clear as the conclusion needs to be well connected for readers to understand the real output of this effort.
5) Figure 3 and 5 may be cited if not originally owned by authors, Figure 4 may be checked for originality, Figure 6 and 7 quality may be improved for clarity and better readability
Overall, the work is a good effort in the area of DevOps
Author Response
Please see the attachment.
Author Response File:
Author Response.pdf
Reviewer 3 Report
Comments and Suggestions for Authors
The topics and work are very good. SLR is conducted and the methodology is well presented. The results are meaningful and valuable. However, some minor changes are required:
- Introduction: The first few pages look more like an essay. It's good to introduce the topic using some visualizations, but you need to consider that this has made the section too long, and you need to assume that the audience already knows about the basics.
- Which guidelines have you followed to conduct SLR? Also, include the quality assessment of the papers included in the SLR.
- Include a detailed section about the contribution of the work.
- Section 4: Are these gaps based on your results? Then include them in the discussion section.
- Conclusion needs to be improved.
English is fine, but requires minor improvement at several places.
Author Response
Please see the attachment.
Author Response File:
Author Response.pdf
Round 2
Reviewer 1 Report
Comments and Suggestions for Authors
Dear authors,
The new version addresses all previous comments.
Reviewer 3 Report
Comments and Suggestions for Authors
Authors have addressed all the points raised.
Minor edits: Convert contributions to theoretical and practical.
Comments on the Quality of English Language
It's fine.