DOI: 10.1145/3339252.3340337
short-paper

The Security Intention Meeting Series as a way to increase visibility of software security decisions in agile development projects

Published: 26 August 2019

ABSTRACT

To achieve a level of security that is just right, software development projects need to strike a balance between security and cost. This requires deciding which security activities to perform during development and which security requirements should be given priority. Current evidence indicates that in many agile development projects, software security is dealt with in a more or less "accidental" way, driven by individuals' security awareness and interest. This approach is unlikely to lead to an optimal security level for the product. This paper suggests Security Intention Recap Meetings as a recurring organisational tool for evaluating current practices against the security intentions of a software project and for deciding how to move forward. These meetings involve key decision makers in the project, such as the product owner and the project manager, with the purpose of making security decisions visible and deliberate and of monitoring their results.


Published in: ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security, August 2019, 979 pages. ISBN: 9781450371643. DOI: 10.1145/3339252

          Copyright © 2019 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

          Publisher

          Association for Computing Machinery

          New York, NY, United States


          Qualifiers

          • short-paper
          • Research
          • Refereed limited

Acceptance Rates

Overall acceptance rate: 228 of 451 submissions (51%)
