
THE RECOMMENDATIONS TO SECURITY CHALLENGES IN AGILE PRACTICES


The choice of a software process model depends on the overall environment and
context of the problem and the organization. While Agile methods focus on rapid delivery
of the software, developers encounter different types of challenges during development,
and maintaining software security is no exception. Security has become an important
challenge for developers that, if not considered at an early stage of the software
development life cycle, can cause serious threats to the software and to the organization
as well. In this document, we discuss some important challenges that can cause serious
security threats to the software.
Challenge 1: Security related activities are not applied at each development iteration.
Agile methodologies focus on developing software systems in multiple iterations, and in each
iteration all the phases of the lifecycle are performed rapidly. Usually, the user stories
are identified and security is not considered in any of the phases of the software development
lifecycle; rather, it is only communicated as a non-functional requirement. For this reason, it
is not given due importance in the project. It is reported that the software industry considers
security a time-consuming activity that increases delivery times, which is against the agile
principle [1].
Several studies discuss that security activities must be considered from the beginning of the
software project and applied at each stage of the project lifecycle. Kruchten et al. [2] propose
that security practices must be considered from the beginning of the project life cycle and
applied during all phases, such as requirements, design, and implementation. Because
security assurance methods are not aligned with agile methods, they try to integrate
security assurance practices into the different phases of agile methods. Kagombe et al. [3] also
argue that, while agile software development has introduced several benefits to the
development industry, such as rapid delivery and feedback, customer involvement, and
requirements creeping, to name a few, agile methods are found not to be a better solution
for developing secure software systems.
In summary, all the above-mentioned works recommend applying security-related activities at
each stage of the software development lifecycle.
Challenge 2: Risk assessment activity is not included in the agile development methods.
Risk management comprises a set of activities that must be done during the lifecycle of
software development, e.g., risk identification, risk assessment, risk mitigation, and risk
monitoring & reporting. These activities are crucial in developing a secure software system and
must be performed in all the phases of the software. Agile methods, on the other hand,
emphasize rapid delivery and feedback, leaving out all the necessary risk management activities.
Several studies, such as Ge et al. [4] and Casola et al. [5], highlight this challenge in the agile
methodologies and propose recommendations. Since risk assessment is a fundamental
part of secure applications, they emphasize integrating agile processes and risk management
for building secure web applications. The iterative risk analysis at each phase would help to
avoid the addition of mechanisms or ways that inhibit security threats.
Challenge 3: Continuous code changes make completing the assurance activities difficult.
Requirements change and feature creep are fundamental features that agile methods offer
their developers. However, this code creep affects the security aspect of the code and
results in an insecure application. The authors in [2], [6], and [1] report that
frequent code changes make it difficult to ensure secure software during the lifecycle. These
newly emerging and continuous requirements tend to cause changes in the design and
architecture of the software and result in poor conformity with the security requirements and
their related design decisions.
The authors recommend that, where too many requirements change at every stage of the software
development lifecycle, the changes should be monitored and assessed whenever a new requirement
change arrives, so that it does not affect the security requirements.
References
[1] J. de V. Mohino, J. B. Higuera, J. R. B. Higuera, and J. A. S. Montalvo, “The application of a new secure
software development life cycle (S-SDLC) with agile methodologies,” Electronics (Switzerland), vol. 8, no.
11, 2019, doi: 10.3390/electronics8111218.

[2] K. Beznosov and P. Kruchten, “Towards agile security assurance,” Proceedings New Security Paradigms
Workshop, pp. 47–54, 2005, doi: 10.1145/1065907.1066034.

[3] G. G. Kagombe, R. W. Mwangi, and J. M. Wafula, “Achieving Standard Software Security in Agile
Developments,” ACM International Conference Proceeding Series, pp. 24–33, Aug. 2021, doi:
10.1145/3484399.3484403.

[4] X. Ge, R. F. Paige, F. A. C. Polack, H. Chivers, and P. J. Brooke, “Agile Development of Secure Web
Applications.”

[5] V. Casola, A. de Benedictis, M. Rak, and U. Villano, “A novel Security-by-Design methodology: Modeling
and assessing security by SLAs with a quantitative approach,” Journal of Systems and Software, vol. 163,
May 2020, doi: 10.1016/j.jss.2020.110537.

[6] A. Ali and L. ben Othmane, “Towards Effective Security Assurance for Incremental Software
Development The Case of Zen Cart Application.” [Online]. Available: https://pear.php.net/
