Professional Documents
Culture Documents
A R T I C L E I N F O A B S T R A C T
Keywords: Context: Software security engineering provides the means to define, implement and verify security in software
Survey products. Software security engineering is performed by following a software security development life cycle
Security engineering model or a security capability maturity model. However, agile software development methods and processes,
Agile software development
dominant in the software industry, are viewed to be in conflict with these security practices and the security
Software security
Security standards
requirements.
Security assurance Objective: Empirically verify the use and impact of software security engineering activities in the context of
agile software development, as practiced by software developer professionals.
Method: A survey (N = 61) was performed among software practitioners in Finland regarding their use of 40
common security engineering practices and their perceived security impact, in conjunction with the use of 16
agile software development items and activities.
Results: The use of agile items and activities had a measurable effect on the selection of security engineering
practices. Perceived impact of the security practices was lower than the rate of use would imply: This was taken
to indicate a selection bias, caused by e.g. developers’ awareness of only certain security engineering practices,
or by difficulties in applying the security engineering practices into an iterative software development workflow.
Security practices deemed to have most impact were proactive and took place in the early phases of software
development.
Conclusion: Systematic use of agile practices conformed, and was observed to take place in conjunction with
the use of security practices. Security activities were most common in the requirement and implementation
phases. In general, the activities taking place early in the life cycle were also considered most impactful. A
discrepancy between the level of use and the perceived security impact of many security activities was observed.
This prompts research and methodological development for better integration of security engineering activities
into software development processes, methods, and tools.
* Corresponding author.
E-mail address: kakrind@utu.fi (K. Rindell).
https://doi.org/10.1016/j.infsof.2020.106488
Received 2 December 2018; Received in revised form 1 October 2020; Accepted 5 November 2020
Available online 20 November 2020
0950-5849/© 2020 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
K. Rindell et al. Information and Software Technology 131 (2021) 106488
clearly defined security objectives, elicitation of requirements, creation security mechanisms introduced in the operations and maintenance
of security architecture and design, and secure programming practices. phases of the applications’ life cycle. A common characteristic of secu
Security assurance is gathered throughout the life cycle, and by verifying rity faults, such as implementation bugs and design flaws, is their
the implemented security features. Regulative requirements and persistence. When not repaired, they become “features”, requiring
rigorous security frameworks typically introduce additional security constant and costly security engineering activities throughout the soft
assurance requirements. These take the form of additional documenta ware’s operational lifetime. Eliminating such faults early on requires
tion, security reviews, security testing, and audits [29,69]. A main significantly less resources than having to fix the issues later [35,55].
objective of software security engineering is to provide the software Furthermore, hardware errors, problems caused by users, and other is
developers means to comply with security assurance requirements. The sues in the operating environment are more transient and can be miti
general aim of software security engineering is to address the identified gated by means independent of the assets protected [26]. These
software security risks already in the development phase, enabling characteristics make software security engineering distinct from other
efficient creation of effective security solutions. security domains.
Introducing new tasks and tools into software development work Systematic security assurance contains rigorous documentation of
flow necessarily incurs a cost in time and other resources. Software technical security features, security architecture, and procedural secu
development organizations operate under strict budgeting and sched rity instructions. A number of security verification techniques may also
uling restraints, with careful monitoring of the ability to produce be used [69]. These techniques—various forms of security documenta
deployable software. These restraints have created a high demand for tion, testing, reviews, and audits—seek to detect flaws and errors, and to
efficient software development processes, including those specific to provide an appropriate level of assurance.
security engineering. This stresses the importance of efficiently
combining the agile software development and security engineering 2.2. Software security development models
processes, and the significance of this task to both industry and research.
To determine the state of the art practices in software security, an Software security engineering consists of a diverse set of techniques
industry survey was performed among the Finnish software industry and processes. In research, they are often arranged into security devel
practitioners. The respondents were asked about individual agile soft opment and life cycle models. Organizational security practices are
ware development and software security engineering activities they use traditionally presented in the form of security maturity models, pro
during software development, and the security impact of the security moting repeatability and continuous improvement of the security ac
practices used. In total, the survey contained questions about the usage tivities used in software development.
of forty common software security activities and twelve agile practices, To make the investment in software security more feasible for the
along with their perceived impact on software security. software development organizations, also less demanding maturity
The rest of this article is structured as follows: The opening Section 2 models have been developed. An example is the openly available Soft
provides the theoretical background and motivation for the survey. The ware Assurance Maturity Model (SAMM) [52]. SAMM makes an explicit
survey design is described in Section 3, and the results are presented in claim of being “agile agnostic”: In practice, this means that it does not
Section 4. Results and implications are further discussed in Section 5; even mention the principles and values of the Agile Manifesto [7]. It
examination of threats to validity conclude the article in Sections 6 and 7 does, however, take into consideration the tremendous advancements in
respectively. continuous and automated software engineering practices and pro
cesses. SAMM is also accompanied with a diverse set of open source tools
2. Background and frameworks, including those provided by the Open Web Application
Security Project (OWASP). These less demanding yet still rigorous
This section provides an introduction to the main concepts and maturity models encourage developers and organizations to tailor the
challenges software security engineering is facing, and the regulatory models to their own processes and to perform at least the most necessary
and industrial background of security in software development. security improvements. This tailoring aligns with various industry best
practices, often published in the form of security checklists and “do not
2.1. Software security engineering do” lists [27,51,62]. Like with maturity models for agile development
[50], it should be noted that these security-specific maturity models and
The purpose of software security engineering is to identify, mitigate, their checklists are not adequate in all contexts.
and avoid security threats to software and data assets [1,42]. In this The SSDLC models used were the Microsoft Security Development
approach, the goal of ensuring the availability, integrity, and confi Lifecycle (SDL) model [78], and Touchpoints for Software Security [42].
dentiality of information is achieved by security policies, implemented The latter also forms the development life cycle model included in the
into software security features during software development. To verify Building Security In Maturity Model (BSIMM). To comply with the
the implementation, appropriate security assurance is produced and changing software development practices, Microsoft later made a rudi
gathered along the development, testing and operations. mentary effort to adopt the SDL for agile development [25]. However,
As a means to increase software dependability, software security the references to agile development have since been removed from the
engineering aims to guarantee the correctness of software, computer current version of the SDL [43], and the life cycle model itself integrated
networks, and computer systems in adverse situations. The problem into DevOps processes and tools used in Microsoft’s public cloud service.
field in software security is relatively well-known [73], whereas the The international standard for security development framework has
common approach to mitigate and manage security is often performed been created by the ISO/IEC in the form of Secure Software Engineering
by following relatively simple checklists to guide design and imple Capability Maturity Model (SSE-CMM) [31]. This model claims to
mentation practices [27,51,62]. However, software security engineering contain the best practices for security engineering. It formalizes security
must provide also more systematic means to address the security risks in work into an exhaustive set of security processes, by defining 129 se
software development. Software dependability, a related concept, is curity processes divided into 22 process areas. To supplement this
achieved through such means as fault prevention, fault tolerance, fault high-level standard, multiple international, national and
removal, and fault forecasting [2]. domain-specific security regulations have been crated [22,55].
Emphasis on the prevention of latent security issues necessarily In Finland, where this survey was performed, a comprehensive set of
places software security engineering to the early phases of the software information security instructions has been issued by the Government
life cycle. This provides an opportunity to prevent security incidents Information Security Management Board (Finnish abbreviation: VAHTI
from occurring in the first place. It can also supplement the external [76]). This model contains a specific Software Security Development
2
K. Rindell et al. Information and Software Technology 131 (2021) 106488
Life Cycle (SSDLC) model. While this model does not cite any references, been made [11]. This line of work has also provided early outlines for
it is largely formed after the SDL and Touchpoints, and based on the creating and gathering assurance at requirements, design, imple
Common Criteria [30], the ISO standard for software product evalua mentation, and testing phases. Elicitation of security requirements,
tion, and appears to conform with the ISO application security standard whether through misuse cases or by other means, has also been studied
[28]; VAHTI can be considered to represent the state of the art of soft [34,72].
ware security engineering practices in Finland. KATAKRI is another A major research challenge centers around the question of how to
Finnish security framework, geared towards compatibility with Euro integrate security engineering practices, maturity models, and activities
pean and North American security regulations. required to comply with standards into flexible agile work flow [56].
The most notable industrial software security framework outside the The main objective should not be maintaining “agility” as such, but to
SSDLCs and maturity models is SAFECode [58]. This approach to se produce as secure software as necessary, as efficiently as possible. The
curity management is based on a rigorous security risk management many quality-improving mechanisms in agile development—iterative
process. Similarly to ISO standard framework, SAFECode addresses the development, retrospectives, constant refactoring, and continuous
identified risks by secure design and coding practices coupled with strict integration—work towards both of these goals when producing secure
management of third party software components. A security incident software [5].
response function is used to cover the operational part of a software life The same applies in the safety context [32]. Also the software se
cycle. SAFECode supplements the security maturity models by providing curity life cycles in an agile context have been a frequent subject in
concrete and actionable instructions for the deployment of security software security research [3,4,12]. General challenges in adapting se
processes. It also contains the essential principles guiding the build-up of curity engineering into agile development have been identified [20]. A
an SSDLC-enhanced software development process. further example would be the integration of security engineering and
education [53,81]. However, there is a notable lack of industry surveys
2.3. Related work directly concentrating on the actual development-time activities.
Directly comparable industry surveys are limited both in numbers
Applying security engineering methods and models into agile soft and in scope. Apart from a small web survey (N = 46) concerning the
ware development was initially seen as challenging [15,79]. As agile general use of security life cycle models [19], no surveys about industry
development matured experiences have often been more positive, use of security engineering practices in software development are
although even recent empirical research continues to report organiza known. The survey reported in the present paper fills this notable gap in
tional and technical problems in adaptation [75]. The perceived previous research.
mismatch between formal security engineering and software develop
ment has prompted many attempts to combine maturity models with 3. Research design
agile processes [65,67]. A finding common to these studies is that agile
software development can comply even with strict and formal security This chapter summarizes the research objective and the research
requirements, but at the unsurprising expense of slower development questions. it also describes the practical measures taken to answer those
and higher cost, largely due to non-agile security processes. questions, and how to replicate the research process. In the design and
In software development, agile methodologies promote and provide implementation of the research, the general good practices for industry
the ideals of flexibility and freedom [6,64]. Even though the agile survey were followed [68].
methods were initially criticized due to their perceived contradictions
with the traditional process-oriented approaches [48,74], agile princi 3.1. Research questions
ples have since been successfully adopted also to the regulated areas of
the software industry. Agile methods are now used to fulfill extensive The primary research objective was to improve the understanding of
software safety and security requirements, although this may require the use of security engineering activities in the context of agile software
compromising some of the benefits of the agile approach. The iterative development. The first research question (RQ) makes the research
methods also contain inherent mechanisms for continual performance objective explicit:
and quality improvement. Agile principles simplify that tradition, and
build upon it [66]. RQ1: To what extent are security engineering activities utilized in
Iterative and incremental software development methods have the context of agile software development?
inspired and enabled new continuous integration and deployment
models, such as DevOps, which considerably shorten maintenance cy This research question was addressed by querying the extent of usage
cles. In terms of security, this shortening manifests itself through of both security engineering and agile activities in software projects.
accelerated delivery of security improvements and quicker recovery Forty software development security practices were extracted from
from security incidents. However, in regulated environments, DevOps various security engineering models: the ISO/IEC Common Criteria,
has also definite challenges caused by the introduction of new practices Microsoft SDL, BSIMM, and VAHTI; three additional activities were
[36]. Despite of these challenges, a growing number of organizations is extracted from literature [59]. These practices were assembled into five
utilizing automated processes to deploy software into production [8]. groups according to its phase in the SSDLC: requirement, design,
The tools, techniques, and methodologies used for the automation implementation, verification, and release.
contain also security considerations. To support continuous delivery, The secondary objective augments RQ1 with the following question:
further work has been done to find an acceptable level of continuous
software security using agile methods [10]. RQ2: What is the perceived security impact of security engineering
Given the challenges outlined, it is not surprising that previous work activities in agile software development?
has been done to examine software security engineering in the context of
agile software development. Early contributions for agile software se The two research questions complement each other; the answer to
curity engineering were mainly theoretical concepts on how to perform this question was found by directly asking for the perceived impact of
and manage agile software security engineering. Given that software each used activity. The use of a particular security engineering activity
architectures have often been seen as a weak point of agile methods [9, may or may not reflect its perceived impact. The activity may be used
66], a good example would be the suggestions for secure software ar because it is efficient for improving security. However, it may be used
chitectures in agile development [13,18]. Similarly, suggestions for also because it demands only few resources or because it is easy to
producing security assurance using Extreme Programming (XP) have embed into existing agile software development work practices. The
3
K. Rindell et al. Information and Software Technology 131 (2021) 106488
reverse relation is also important: the activity may be used only infre “always”. Otherwise the scale was comparable to the ones used in
quently even though its perceived impact upon security is substantial. existing surveys (notably, Synopsys Software Integrity Group [70]). The
Answers to RQ1 and RQ2 can implicitly pinpoint important insights same scale was used in the questionnaire for all security engineering
about potential incompatibility problems between agile methods and activities. An analogous five-point scale was used for the perceived
security engineering activities. impact of these:
4
K. Rindell et al. Information and Software Technology 131 (2021) 106488
limit theorem was deemed not not to apply. Furthermore, the survey Table 2
revealed a high incidence of self-designed security rules supplementing Development methodologies.
the regulation-based ones, rendering the independence of the security Methodology Share (%)
activities under doubt. In line with our purpose of inspecting these
Scrum 30
specific phenomena, and presenting relevant and truthful results, the Scrum-Kanban 28
research objective is accomplished using descriptive statistics. Custom agile 17
Kanban 14
Other 3
4. Results
Do not know 5
No answer 3
This section reports the results as designed: background details of the
respondents and their organization, and the answers to the research
questions. the most popular agile methodologies among the respondents. In
contrast to earlier surveys [38,77], none of the respondents reported
using XP or a method derived from XP. A few respondents reported not
4.1. Background
using any specific agile methodology, or declined from naming it.
Notably, all of these respondents reported using e.g. iterations and
The background questions were used to profile the respondents and
backlogs, both key practices in agile methodologies.
their role in the software development. This section also covers basic
Observed details about the use of agile methodologies are significant
information about their organizations, certifications, and the applica
on their own rights. Even in security sensitive projects, a majority of
tion area in which security has been a concern in a software project.
respondents managed their work by agile methodologies, and performed
agile activities in software development. This observation is particularly
4.1.1. Demographics: experience, education, and organizations
significant for the survey at hand: there exists no widely used polar
The respondents are generally well-educated and highly experienced
opposite (i.e. use of RAD, ‘waterfall’, or other non-agile method) for
in software engineering. While about five percent reported no experi
empirical comparisons. The results also justify the wording used for RQ1
ence in software development, as much as 77% reported six or more
and RQ2. Based on the results, it appears that the respondents had
years. Roughly about a half of the respondents have a master’s degree, a
performed quite well in adapting agile software development methods
little below one third have a bachelor’s degree, and about fifteen percent
for security engineering.
have a doctoral degree.
While nearly all of the respondents were working with agile projects,
The respondents work in diverse organizations. About 39% worked
there is still some variance in terms of the actual agile work practices. To
in organizations with less than fifty employees, about 21% in organi
query such practices, the respondents were asked to evaluate the use of
zations with 50 to 250 employees, and about 35% in organizations with
sixteen different agile work practices on a similar five-point Likert scale
more than 250 employees. About five percent preferred not to disclose
used for the security activities (see Section 3.3). The results are visual
this information. This range presumably reflects the current structure of
ized in Fig. 1, which shows the relative share of the answers across the
the Finnish software industry. The same applies to the type of software
Likert scale; the numbers on left (never and rarely) and right (mostly and
produced. Most (69%) of the respondents are developing web and cloud
systematically) of the plot display the combined share of two categories
applications. The rest are mostly working with desktop and client-server
each. When compared to an earlier survey [38] performed in the context
applications, embedded software, and mobile applications. A few
of technical debt activities in agile software development, the adoption
specialized domains are also represented, including video games, smart
rates of agile activities by security-oriented developers were consistently
cards, and consulting.
Table 1
Project roles.
Role Share (%)
Developer 40
Architect 21
Scrum master or team leader 11
Project manager 10
Executive 8
No projects 5
Security specialist 3
Product owner 2
Tester 0
Fig. 1. Use of agile work practices.
5
K. Rindell et al. Information and Software Technology 131 (2021) 106488
Table 3
Standards, regulations, and security constraints.
Standard, regulation, or constraint Share (%)
6
K. Rindell et al. Information and Software Technology 131 (2021) 106488
7
K. Rindell et al. Information and Software Technology 131 (2021) 106488
8
K. Rindell et al. Information and Software Technology 131 (2021) 106488
9
K. Rindell et al. Information and Software Technology 131 (2021) 106488
10
K. Rindell et al. Information and Software Technology 131 (2021) 106488
effective ways to bind together the security requirements, design, the results indicate that organizational rigidity is associated with
implementation and verification activities would provide means for e.g. decreasing use of the activities surveyed.
dependency management and vulnerability tracking in software mod
ules and connected components. 6. Threats to validity
Regulation is a main driving force in the security work, although not
the only one. The results imply a need for improvement in the mecha Several measures were taken in the preparation, design, and execu
nisms how security regulation imposes requirements to software tion of the survey, and the analysis of the data, to mitigate or to avoid the
development. Especially the security assurance items regarding security threats to validity of the research. The security activities were collected
policies and security enforcement mechanisms have a decreased level of from several software security frameworks and standards, and the
usage despite their perceived effectiveness, implying bad conformance software activities and artifacts from an earlier study performed among
with software development processes. Formal compliance requirements software developers in Finland.
have strayed quite far from the practical work done in day-to-day soft The research instrument, an open and anonymous questionnaire,
ware development. This has an implication that certain process-related was assessed to pose certain challenges to the independence of the data
security improvement practices, although effective, remain mostly un collected. The challenges were identified as follows: (1) inability to
used in mainstream software development projects. It is understandable, identify the respondents’ organization, project, or customer they are
however, that formal or semi-formal process and documentation reviews working on; (2) acknowledging that the respondents share the same
are performed only under direct regulatory requirements. background, have same or very similar education, and are very likely to
share the same security awareness training; (3) acknowledging that the
5.3. Implications for research respondents form a group of software security specialists, that work in
same homogeneous regulatory environment, share their experiences,
Many of the security engineering activities in the Software Security and draw from the same security influences [cf. 21].
Life Cycle model are used also in agile software development. However, To further mitigate threats to reliability, a portion of the respondents
neither the SSDLC nor other models are usually adopted wholesale. were individually picked from software and security companies, and the
These typically act as security engineering frameworks from which questionnaire itself piloted with selected subject matter experts (N =
practitioners pick and choose the practices deemed most suitable for 20). The questionnaire was designed to mitigate the misunderstandings
their work. Another important point is the poor alignment between the the respondents may have about the security engineering activities via
use of the activities and their perceived impact upon software security. clarifying clauses and logical question grouping. To the degree the us
While this misalignment can be attributed to several possible factors, ability of the survey design allowed, control questions were used to
there is a dual implication from the mismatch. On one hand, software verify the answers. However, the substantial amount of security activ
development organizations should be more proactive in updating their ities (40) may have caused some misinterpretations, posing a possible
processes; on the other, the research community working on software threat to reliability. The data was also purged of any outliers and
security development models should pay more attention to their checked for possible vandalism, which led to the removal of one
adaptability. response.
The adaptability question can be considered also at the level of in The focused sample, the strict scoping of the survey questions, and
dividual software security engineering activities. To this end, a good further limiting of the surveyed projects to the agile software develop
problem for further research would be the identification of activities that ment projects with specific security activities, the randomness of the
are synergic. In other words, some particular security engineering ac sample was likely to be reduced. The respondents were selected from an
tivity might be used more efficiently as a part of a general software extensive precompiled list of Finnish software companies, with the re
development activity. For instance, elicitation of security requirements spondents representing a subset of those organizations. As the re
might be reasonably attainable as a part of Scrum’s backlog formation. spondents reported a substantial level of use of organizations’ self-
Likewise, coding standards and code reviews are in line with core agile designed security constraints, a possible threat to internal validity was
principles [39]. Furthermore, static and dynamic analysis should be recognized in the form of organizational clustering.
integrated into code review processes instead of being treated as isolated The respondents were experts in software security. Thus, general
activities [45]. The reverse direction should be also considered; there izing the results from the observed sample to all software engineers was
are also certain security engineering activities that have a poor synergy deemed to produce potentially misleading results. To avoid this threat to
with traditional agile software development activities. external validity, a decision was made to present the results using
By comparing synergic and non-synergic security engineering ac descriptive statistics. The results provide the general software developer
tivities, it might be also possible to better understand the impact of se population a clear and concise picture about how the experts conduct
curity engineering on software development efficiency. The relationship software security engineering, and which activities they find to be most
between security and efficiency is a complex one, however. Practical impactful.
evaluation requires that a software development organization has
knowledge about the level of security attained and the development 7. Concluding remarks
efficiency attainable via the use of a particular set of security engi
neering activities. A good question for further research would be the The survey, performed among software practitioners working with
means by which the evaluation on the security-efficiency nexus could be Finnish software development companies, gives a positive view of the
carried out. level of professionalism and security capabilities of the respondents. The
Finally, it is worth remarking a positive correlation between all of the respondents give the appearance of taking security work seriously, and
security engineering activities and a sum variable formed based on the they genuinely worry about the security of the software products they
arithmetic mean of the sixteen agile work practices in Fig. 1. This is a develop.
tentative but important observation for further research. In other words, This survey opens some quite interesting research avenues. It was
increasing agility is associated with increasing use of software security also designed to give a clear baseline for comparison to coming surveys.
engineering activities, and the other way around. These are generally The effect of various regulative security practices should be thoroughly
interesting preliminary findings because a common folk wisdom would examined, as the body of national and international security regulation
entail negative correlations; that less agile or more rigid organizations is constantly growing in response to increasing security concerns.
would be more likely to use security engineering activities outside of the Effectiveness of security work in software development gives a
standard agile toolbox, or even as parallel processes [60]. In contrast, competitive edge to the early adapters, and to those who best manage
11
K. Rindell et al. Information and Software Technology 131 (2021) 106488
the integration of the processes. Qualitative approaches drilling into Conference, XP 2005, Sheffield, UK, June 18–23, 2005. Proceedings, Springer
Berlin Heidelberg, Berlin, Heidelberg, 2005, pp. 57–65, https://doi.org/10.1007/
these crucial topics should provide immediately useful and interesting
11499053_7.
results for both security researchers and practitioners. [14] A. Cockburn, L. Williams, The costs and benefits of pair programming, Extreme
Program. Examined 8 (2000) 223–247.
[15] K. Conboy, B. Fitzgerald, W. Golden, Agility in information systems development:
CRediT authorship contribution statement
athree-tiered framework, in: R.L. Baskerville, L. Mathiassen, J. Pries-Heje, J.
I. DeGross (Eds.), Business Agility and Information Technology Diffusion: IFIP TC8
Kalle Rindell: Conceptualization, Methodology, Validation, Formal WG 8.6 International Working Conference May 8–11, 2005, Atlanta, Georgia, U.S.
A., Springer US, Boston, MA, 2005, pp. 35–49, https://doi.org/10.1007/0-387-
analysis, Investigation, Resources, Data curation, Writing - original
25590-7_3.
draft, Writing - review & editing, Visualization, Supervision, Project [16] M.L. Drury-Grogan, K. Conboy, T. Acton, Examining decision characteristics &
administration. Jukka Ruohonen: Conceptualization, Methodology, challenges for agile software development, J. Syst. Softw. 131 (2017) 248–265.
Validation, Formal analysis, Investigation, Resources, Data curation, [17] B. Fitzgerald, K.-J. Stol, R. O’Sullivan, D. O’Brien, Scaling agile methods to
regulated environments: an industry case study. Proceedings of the 2013
Writing - original draft, Writing - review & editing, Visualization, Project International Conference on Software Engineering, ICSE ’13, 2013, pp. 863–872.
administration. Johannes Holvitie: Conceptualization, Methodology, [18] X. Ge, R. Paige, F. Polack, P. Brooke, Extreme Programming Security Practices, in:
Validation, Formal analysis, Investigation, Resources, Data curation, G. Concas, E. Damiani, M. Scotto, G. Succi (Eds.), Agile Processes in Software
Engineering and Extreme Programming, Lecture Notes in Computer Science, 4536,
Writing - original draft, Writing - review & editing, Visualization, Project Springer Berlin Heidelberg, 2007, pp. 226–230, https://doi.org/10.1007/978-3-
administration. Sami Hyrynsalmi: Conceptualization, Methodology, 540-73101-6_42.
Validation, Formal analysis, Writing - original draft, Writing - review & [19] D. Geer, Are companies actually using secure development life cycles? Computer
43 (6) (2010) 12–16, https://doi.org/10.1109/MC.2010.159.
editing, Supervision, Project administration. Ville Leppänen: Concep [20] I. Ghani, A.F.B. Arbain, H. Oueslati, M.M. Rahman, L. Ben-Othmane, Evaluation of
tualization, Methodology, Validation, Formal analysis, Resources, Data the challenges of developing secure software using the agile approach, Int. J. Secur.
curation, Writing - original draft, Writing - review & editing, Supervi Softw. Eng. 7 (1) (2016) 17–37, https://doi.org/10.4018/IJSSE.2016010102.
[21] M.J. Grawitch, D.C. Munz, Are your data nonindependent? A practical guide to
sion, Project administration.
evaluating nonindependence and within-group agreement, Underst. Stat. 3 (4)
(2004) 231–257.
[22] B. Hamid, D. Weber, Engineering secure systems: models, patterns and empirical
Declaration of Competing Interest validation, Comput. Secur. 77 (2018) 315–348.
[23] L.T. Heeager, P.A. Nielsen, A conceptual model of agile software development in a
The authors declare that they have no known competing financial safety-critical context: a systematic literature review, Inf. Softw. Technol. 103
(2018) 22–39.
interests or personal relationships that could have appeared to influence [24] J. Holvitie, S.A. Licorish, R.O. Spínola, S. Hyrynsalmi, S.G. MacDonell, T.
the work reported in this paper. S. Mendes, J. Buchan, V. Leppänen, Technical debt and agile software development
practices and processes: an industry practitioner survey, Inf. Softw. Technol. 96
(2018) 141–160.
Supplementary material [25] M. Howard, S. Lipner, The Security Development Lifecycle 8, Microsoft Press
Redmond, 2006.
Supplementary material associated with this article can be found, in [26] ICS-CERT, Recommended Practice: Improving Industrial Control System
Cybersecurity with Defense-in-depth Strategies, U.S. Homeland Security, 2016.
the online version, at 10.1016/j.infsof.2020.106488
https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_I
CS-CERT_Defense_in_Depth_2016_S508C.pdf
References [27] IEEE, Avoiding the top 10 software security design flaws, 2018. https://www.com
puter.org/cms/CYBSI/docs/Top-10-Flaws.pdf.
[28] ISO/IEC Sstandard 27034-1:2011, Information Technology - Security Techniques -
[1] R. Anderson, Security Engineering: A Guide to Building Dependable Distributed
Application Security - Part 1: Overview and Concepts, ISO/IEC, 2011.
Systems, 2nd ed., Wiley, Indianapolis, 2008.
[29] ISO/IEC standard 15026-4:2012, Systems and Software Engineering – Systems and
[2] A. Avizienis, J. Laprie, B. Randell, C. Landwehr, Basic concepts and taxonomy of
Software Assurance – Part 4: Assurance in the Life Cycle, ISO/IEC, 2012.
dependable and secure computing, IEEE Trans. Dependable Secure Comput. 1 (1)
[30] ISO/IEC standard 15408-1:2009, Information Technology - Security Techniques -
(2004) 11–33, https://doi.org/10.1109/TDSC.2004.2.
Evaluation Criteria for IT Security, 3rd ed., ISO/IEC, 2014.
[3] T. Ayalew, T. Kidane, B. Carlsson, Identification and evaluation of security
[31] ISO/IEC standard 21827:2008, Information technology – Security techniques –
activities in agile projects. Secure IT Systems: 18th Nordic Conference, NordSec
Systems security engineering – Capability maturity model (SSE-CMM), 2nd ed.,
2013, Ilulissat, Greenland, October 18–21, 2013, Proceedings, Springer Berlin
ISO/IEC, 2008.
Heidelberg, Berlin, Heidelberg, 2013, pp. 139–153, https://doi.org/10.1007/978-
[32] R. Kasauli, E. Knauss, B. Kanagwa, A. Nilsson, G. Calikli, Safety-critical systems and
3-642-41488-6_10.
agile development: amapping study. 2018 44th Euromicro Conference on Software
[4] D. Baca, B. Carlsson, Agile development with security engineering activities.
Engineering and Advanced Applications (SEAA), 2018, pp. 470–477, https://doi.
Proceedings of the 2011 International Conference on Software and Systems
org/10.1109/SEAA.2018.00082.
Process, in: ICSSP ’11, ACM, New York, NY, USA, 2011, pp. 149–158, https://doi.
[33] G. Klees, A. Ruef, B. Cooper, S. Wei, M. Hicks, Evaluating Fuzz Testing, ArXiv e-
org/10.1145/1987875.1987900.
prints (2018).
[5] S. Bartsch, Practitioners’ perspectives on security in agile development. 2011 Sixth
[34] V. Kongsli, Towards agile security in web applications. Companion to the 21st ACM
International Conference on Availability, Reliability and Security, 2011,
SIGPLAN Symposium on Object-Oriented Programming Systems, Languages, and
pp. 479–484, https://doi.org/10.1109/ARES.2011.82.
Applications, OOPSLA ’06, ACM, New York, NY, USA, 2006, pp. 805–808, https://
[6] K. Beck, Extreme Programming Explained: Embrace Change, Addison-Wesley
doi.org/10.1145/1176617.1176727.
Longman Publishing Co., Inc., Boston, MA, USA, 2000.
[35] R. Kuhn, M. Raunak, R. Kacker, Can reducing faults prevent vulnerabilities?
[7] K. Beck, M. Beedle, A. Van Bennekum, A. Cockburn, W. Cunningham, M. Fowler, J.
Computer 51 (7) (2018) 82–85.
Grenning, J. Highsmith, A. Hunt, R. Jeffries, et al., Manifesto for agile software
[36] T. Laukkarinen, K. Kuusinen, T. Mikkonen, Regulated software meets devops, Inf.
development, Online at http://www.agilemanifesto.org(2001).
Softw. Technol. 97 (2018) 176–178, https://doi.org/10.1016/j.
[8] L. Bell, M. Brunton-Spall, R. Smith, J. Bird, Agile Application Security: Enabling
infsof.2018.01.011.
Security in a Continuous Delivery Pipeline, O’Reilly Media, Inc., 2017.
[37] J. Li, B. Zhao, C. Zhang, Fuzzing: a survey, Cybersecurity 1 (1) (2018) 6, https://
[9] S. Bellomo, P. Kruchten, R.L. Nord, I. Ozkaya, How to agilely architect an agile
doi.org/10.1186/s42400-018-0002-y.
architecture, Cutter IT J. 27 (2) (2014) 12–17.
[38] S. Licorish, J. Holvitie, R. Spínola, S. Hyrynsalmi, J. Buchan, T. Mendes,
[10] L. Ben-Othmane, P. Angin, H. Weffers, B. Bhargava, Extending the agile
S. MacDonnell, V. Leppänen, Adoption and suitability of software development
development process to develop acceptably secure software, IEEE Trans.
methods and practices - results from a multi-national industry practitioner survey.
Dependable Secure Comput. 11 (6) (2014) 497–509, https://doi.org/10.1109/
2016 Asia-Pacific Software Engineering Conference (APSEC), IEEE, 2016,
TDSC.2014.2298011.
pp. 369–372.
[11] K. Beznosov, P. Kruchten, Towards agile security assurance. NSPW ’04 Proceedings
[39] R.C. Martin, Clean Code: AHandbook of Agile Software Craftsmanship, Pearson
of the 2004 Workshop on New Security Paradigms, 2004, pp. 47–54.
Education, 2009.
[12] G. Boström, J. Wäyrynen, M. Bodén, K. Beznosov, P. Kruchten, Extending XP
[40] J. McDermott, Abuse-case-based assurance arguments. Seventeenth Annual
practices to support security requirements engineering. Proceedings of the 2006
Computer Security Applications Conference, 2001, pp. 366–374, https://doi.org/
International Workshop on Software Engineering for Secure Systems, SESS ’06,
10.1109/ACSAC.2001.991553.
ACM, New York, NY, USA, 2006, pp. 11–18, https://doi.org/10.1145/
[41] J. McDermott, C. Fox, Using abuse case models for security requirements analysis.
1137627.1137631.
Proceedings 15th Annual Computer Security Applications Conference (ACSAC’99),
[13] H. Chivers, R.F. Paige, X. Ge, Agile security using an incremental security
1999, pp. 55–64, https://doi.org/10.1109/CSAC.1999.816013.
architecture, in: H. Baumeister, M. Marchesi, M. Holcombe (Eds.), Extreme
Programming and Agile Processes in Software Engineering: 6th International
12
K. Rindell et al. Information and Software Technology 131 (2021) 106488
[42] G. McGraw, Software Security: Building Security In, Addison-Wesley Professional, Availability, Reliability and Security, ARES 2018, ACM, New York, NY, USA, 2018,
2006. pp. 6:1–6:7, https://doi.org/10.1145/3230833.3233274.
[43] Microsoft, Agile development using microsoft security development lifecycle, [62] SANS, CWE/SANS top 25 most dangerous software errors, 2011.
2019. [63] R. Scandariato, K. Wuyts, W. Joosen, A descriptive study of microsoft’s threat
[44] A. Middleton, E. Bragin, M. Parker, on behalf of the DDD Study, Finding people modeling technique, Requir. Eng. 20 (2015) 163–180.
who will tell you their thoughts on genomics-recruitment strategies for social [64] K. Schwaber, M. Beedle, Agile Software Development with Scrum, 1st ed., Prentice
sciences research, J. Community Genet. 5 (2014) 291–302, https://doi.org/ Hall PTR, Upper Saddle River, NJ, USA, 2002.
10.1007/s12687-014-0184-2. [65] T. Schweigert, D. Vohwinkel, M. Korsaa, R. Nevalainen, M. Biro, Agile maturity
[45] D. Mitropoulos, D. Spinellis, Fatal injection: a survey of modern code injection model: analysing agile maturity characteristics from the SPICE perspective,
attack countermeasures, PeerJ Comput. Sci. 3 (e136) (2017) 1–40, https://doi.org/ J. Softw. 26 (5) (2014) 513–520.
10.7717/peerj-cs.136. [66] N. Séguin, G. Tremblay, H. Bagane, Agile principles as software engineering
[46] P. Morrison, D. Moye, R. Pandita, L. Williams, Mapping the field of software life principles: an analysis, in: C. Wohlin (Ed.), Agile Processes in Software Engineering
cycle security metrics, Inf. Softw. Technol. 102 (2018) 146–159, https://doi.org/ and Extreme Programming, Springer Berlin Heidelberg, Berlin, Heidelberg, 2012,
10.1016/j.infsof.2018.05.011. pp. 1–15.
[47] F.D. Nembhard, M.M. Carvalho, T.C. Eskridge, Towards the application of [67] F.S. Silva, F.S.F. Soares, A.L. Peres, I.M. de Azevedo, A.P.L. Vasconcelos, F.
recommender systems to secure coding, EURASIP J. Inf. Secur. 9 (2019) 1–24, K. Kamei, S.R. de Lemos Meira, Using CMMI together with agile software
https://doi.org/10.1186/s13635-019-0092-4. development: a systematic review, Inf. Softw. Technol. 58 (2015) 20–43, https://
[48] S. Nerur, R. Mahapatra, G. Mangalaraj, Challenges of migrating to agile doi.org/10.1016/j.infsof.2014.09.012.
methodologies, Commun. ACM 48 (5) (2005) 72–78, https://doi.org/10.1145/ [68] S. Stavru, A critical examination of recent industrial surveys on agile method
1060710.1060712. usage, J. Syst. Softw. 94 (2014) 87–97, https://doi.org/10.1016/j.jss.2014.03.041.
[49] NIST, Source code security analyzers, 2018. [69] J.M. Such, A. Gouglidis, W. Knowles, G. Misra, A. Rashid, Information assurance
[50] I. Nurdiani, J. Börstler, S. Fricker, K. Petersen, P. Chatzipetrou, Understanding the techniques: perceived cost effectiveness, Comput. Secur. 60 (2016) 117–133,
order of agile practice introduction: comparing agile maturity models and https://doi.org/10.1016/j.cose.2016.03.009.
practitioners’ experience, J. Syst. Softw. 156 (2019) 1–20. [70] Synopsys Software Integrity Group, The building security in maturity model, 2017.
[51] OWASP, Owasp top 10 application security risks, 2018. [71] C. Theisen, N. Munaiah, M. Al-Zyoud, J.C. Carver, L.W. Andrew Meneelyb, Attack
[52] OWASP SAMM, Software assurance maturity model, 2019. surface definitions: a systematic literature review, Inf. Softw. Technol. 104 (2018)
[53] T.D. Oyetoyan, D.S. Cruzes, M.G. Jaatun, An empirical study on the relationship 94–103.
between software security skills, usage and training needs in agile settings. 2016 [72] I.A. Tøndel, M.G. Jaatun, P.H. Meland, Security requirements for the rest of us: a
11th International Conference on Availability, Reliability and Security (ARES), survey, IEEE Softw. 25 (1) (2008) 20–27, https://doi.org/10.1109/MS.2008.19.
2016, pp. 548–555, https://doi.org/10.1109/ARES.2016.103. [73] K. Tsipenyuk, B. Chess, G. McGraw, Seven pernicious kingdoms: a taxonomy of
[54] T.D. Oyetoyan, B. Milosheska, M. Grini, D.S. Cruzes, Myths and facts about static software security errors, IEEE Secur. Privacy 3 (6) (2005) 81–84.
application security testing tools: an action research at telenor digital. Proceedings [74] R. Turner, A. Jain, Agile meets CMMI: culture clash or common cause? in: D. Wells,
of the 19th International Conference on Agile Processes in Software Engineering L. Williams (Eds.), Extreme Programming and Agile Methods — XP/Agile Universe
and Extreme Programming (XP 2018), Springer, 2018, pp. 86–103, https://doi. 2002 Springer Berlin Heidelberg, Berlin, Heidelberg, 2002, pp. 153–165.
org/10.1007/978-3-319-91602-6_6. [75] S. Türpe, A. Poller, Managing security work in scrum: tensions and challenges.
[55] D.M. Phillips, T.A. Mazzuchi, S. Sarkani, An architecture, system engineering, and Proceedings of the International Workshop on Secure Software Engineering in
acquisition approach for space system software resiliency, Inf. Softw. Technol. 94 DevOps and Agile Development (SecSE 2017), CEUR Workshop Proceedings, 2017,
(2018) 150–164. pp. 34–49.
[56] A. Poth, S. Sasabe, A. Mas, A. Mesquida, Lean and agile software process [76] VAHTI, VAHTI-ohje (trans. VAHTI instruction), 2015.
improvement in traditional and agile environments, J. Softw. 0 (0) (2018). [77] VersionOne, 12th annual state of agile survey, 2018.
[57] J. Rahikkala, S. Hyrynsalmi, V. Leppänen, Accounting testing in software cost [78] J. Viega, G. McGraw, Building Secure Software: How to Avoid Security Problems
estimation: acase study of the current practice and impacts.. SPLST, 2015, the Right Way, 1st ed., Addison-Wesley, 2002.
pp. 61–75. [79] J. Wäyrynen, M. Bodén, G. Boström, Security engineering and extreme
[58] T. Rice, J. Brown-White, T. Skinner, N. Ozmore, N. Carlage, W. Poland, programming: an impossible marriage? in: C. Zannier, H. Erdogmus, L. Lindstrom
E. Heitzman, D. Dhillon, Fundamental practices for secure software development (Eds.), Extreme Programming and Agile Methods - XP/Agile Universe 2004: 4th
3rd edition. Undamental Practices for Secure Software Development, SAFECode, Conference on Extreme Programming and Agile Methods, Calgary, Canada, August
2018, p. 38. 15–18, 2004. Proceedings Springer Berlin Heidelberg, Berlin, Heidelberg, 2004,
[59] K. Rindell, S. Hyrynsalmi, V. Leppänen, Busting a myth: review of agile security pp. 117–128, https://doi.org/10.1007/978-3-540-27777-4_12.
engineering methods. Proceedings of the 12th International Conference on [80] L. Williams, R.R. Kessler, W. Cunningham, R. Jeffries, Strengthening the case for
Availability, Reliability and Security, ARES ’17, ACM, New York, NY, USA, 2017, pair programming, IEEE Softw. 17 (4) (2000) 19–25, https://doi.org/10.1109/
pp. 74:1–74:10, https://doi.org/10.1145/3098954.3103170. 52.854064.
[60] K. Rindell, S. Hyrynsalmi, V. Leppänen, Case study of agile security engineering: [81] L. Williams, G. McGraw, S. Migues, Engineering security vulnerability prevention,
building identity management for a government agency, Int. J. Secure Softw. Eng. detection, and response, IEEE Softw. 35 (5) (2018) 76–80, https://doi.org/
8 (2017) 43–57. 10.1109/MS.2018.290110854.
[61] K. Rindell, J. Ruohonen, S. Hyrynsalmi, Surveying secure software development [82] M. Younas, D.N.A. Jawawi, I. Ghani, T. Fries, R. Kazmi, Agile development in the
practices in finland. Proceedings of the 13th International Conference on cloud computing environment: a systematic review, Inf. Softw. Technol. 103
(2018) 142–158.
13