Socio-technical Friction: An Emergent Grounded Theory of DevSecOps Challenges
摘要
This study delves into the core obstacles organizations encounter when trying to adopt modern DevSecOps practices. Using a constructivist grounded theory approach, we conducted eighteen in-depth, semi-structured interviews with two distinct groups: nine senior cybersecurity managers and nine hands-on software engineers. Our analysis revealed a profound disconnect between strategic vision and the daily grind. Managers often spoke of governance, resource allocation, and fostering a collaborative culture, while engineers frequently experienced security efforts as disruptive, inefficient, and detrimental to their developer experience (DevEx). Through a comparative analysis of these two perspectives, we pinpointed misaligned priorities, broken communication, and a lack of jointly designed solutions that truly bridge social and technical workflows as key contributors to this divide. From these emergent insights, a core category of Socio-Technical Friction emerged, providing a new theoretical lens that strongly aligns with and extends the principles of Socio-Technical Systems (STS) theory within the DevSecOps context. Specifically, our findings show that DevSecOps initiatives often falter precisely because they treat social and technical systems as separate entities rather than interconnected parts of a whole. This fundamental misalignment creates significant friction where these two systems meet, ultimately slowing down development and weakening security. This study concludes by offering practical recommendations for closing this gap, advocating for a holistic approach to DevSecOps as a truly unified socio-technical system.