Threat Modeling Integration into Agile Development Cycles Using DevSecOps Maturity Models and Risk-Based Prioritization

Authors

  • Russell Grady Clay Holden, Application Architect, Ecuador

Keywords:

Threat Modeling, Agile Development, DevSecOps, Security Maturity Models, Risk-Based Prioritization, Secure Software Engineering

Abstract

The rapid adoption of Agile and DevOps practices has significantly shortened software development lifecycles, but frequent releases and continuously evolving architectures also introduce new security challenges: a threat model produced once at design time is stale after a few sprints. Traditional threat modeling approaches, which are often heavyweight and design-centric, therefore fit poorly with iterative Agile workflows. This paper examines how threat modeling can be integrated into Agile development cycles by leveraging DevSecOps maturity models and risk-based prioritization techniques. By scoping threat modeling activities to an organization's maturity level and prioritizing identified threats through sprint-based risk assessment, teams can keep threat modeling continuous and proportionate rather than treating it as a one-time gate, without compromising delivery speed. The study synthesizes academic research and proposes a structured integration framework supported by diagrams, tables, and visual analytics.

Published

2025-09-16

How to Cite

Russell Grady Clay Holden. (2025). Threat Modeling Integration into Agile Development Cycles Using DevSecOps Maturity Models and Risk-Based Prioritization. INTERNATIONAL JOURNAL OF ENGINEERING AND TECHNOLOGY RESEARCH & DEVELOPMENT, 6(5), 1-6. https://ijetrd.com/index.php/ijetrd/article/view/IJETRD_06_05_001