Publications

Continuous Security Compliance is crucial for adopting Continuous Software Engineering in highly regulated domains, but traditional manual compliance methods are resource-intensive and error-prone, and the field lacks sufficient research. This paper defines continuous security compliance, outlines key challenges through a tertiary study, and proposes a research roadmap developed in collaboration with an industry partner to advance automation in this area.

This study explores the integration of research software testing into teaching, demonstrating that such efforts can improve research software quality—particularly documentation and dependency management—while also exposing students to real-world research software engineering. However, despite thoughtful student contributions, challenges such as unclear intellectual property rights and lack of incentives hinder the direct reuse of student code, limiting the full potential of this approach.

Through an industrial case study, we examine how automated security findings management can be integrated into DevOps workflows. Our findings show significant improvements in vulnerability response times and developer productivity.

The intersection of security and continuous software engineering remains a critical focus as agile and DevOps practices continue to shape development processes, with growing academic and practical interest in secure methodologies. This work summarizes validated challenges identified through practitioner engagement and outlines four key research directions to guide future efforts in scalable, secure continuous software engineering.

This study investigates the integration of automated security activities within CI pipelines of enterprise-driven open source projects, revealing that such practices are rare despite maintainers recognizing the importance of security. By analyzing over 8,000 repositories and surveying project maintainers, the research highlights a significant gap in security automation and suggests areas for practical improvement and further study.

This report introduces RefA, a reference architecture designed to support security-compliant DevOps by outlining relevant artefacts, practice areas, and the roles of people, processes, and technology. Developed through standards analysis, literature review, and industrial experience, RefA serves both practitioners aiming to assess secure DevOps lifecycles and researchers shaping future security-focused studies.