
rity Engineering Methods

This study used a literature survey to research the history of integrating security engineering processes and activities with agile software development methods. The inception of iterative and incremental software development methods raised suspicions of an inherent incompatibility between the traditional non-agile security processes and the new agile methods. This suspicion is deemed to still affect the attitude towards the suitability of agile methods to provide security. To examine and explore this claim, this study presents a literature review of a selected set of agile secure software development methods.

The results show a wide and well-documented adaptation of security activities in agile software development, with the observed activities covering the whole security development lifecycle. During the research process, a recurring theme was noted in the reviewed articles: agile methods are considered unsuitable for security engineering work, let alone for achieving regulatory compliance or conformance with a capability maturity model. However, the evidence to the contrary is abundant, and the reviewed articles provide many concrete examples of empirical cases where security engineering has been applied at all phases of the software security development life cycle in the context of agile development.

Table 4.2: Literature searches and result set size (truncated from P1)

Library                Result set size
ACM Digital Library    59
IEEE Xplore            120
Springer Link          101
Wiley                  32
ScienceDirect          64
Total                  376

4.2.1 Method

A systematic literature review, following the principles set by Kitchenham et al. (2009), was used to find the definitive set of secure agile software development methods, of which a core set of 11 papers was selected for analysis, and the security activities documented in the methods were extracted. The research was conducted in several phases: first, a systematic literature method was applied by performing searches in five online computer science libraries, using a systematic and documented process. The resulting set of 388 articles was then manually screened for the most suitable examples of the adaptation of agile methods to security work, with a preference for case studies and using the incorporation of security engineering activities as a selection requirement. A simple metric, citation count, was considered an indication of the impact of the research. Due to inconsistencies in citation count reporting between online libraries, a high number of citations was not an essential requirement, but merely a contributing factor towards inclusion. Table 4.2 shows the number of agile software security engineering articles in the selected online libraries at the time of the article’s writing.

Each library search was conducted with the term (agile AND software AND (security AND engineering)), with slight library-dependent variation in syntax. This body of articles was used to select a representative set of software security engineering research, covering the whole life cycle. The selected articles were then reviewed and analyzed, and the security activities described in the articles were identified. These activities were evaluated using the principles of Common Criteria, which is the ISO standard to “permit comparability between the results of independent security evaluations”. It does so by providing a common set of requirements for the security functions of IT products and systems and for assurance measures applied to them during a security evaluation.

Finally, each method was screened for any empirical evidence provided, as were any references to security, quality or safety standards. The results were categorized and evaluated using the defined analytic lenses.

4.2.2 Contribution and future work

Based on the findings of this study, the practice of security engineering appears well adapted to, and widely used with, the agile software development methods. Some of the activities have been modified to better suit an iterative development model and, based on the literature, much attention has been paid to retaining the agile nature of the development process despite the added security activities. The often-repeated myth of agile methods’ incompatibility or inherent unsuitability for security tasks and achieving security objectives is still being perpetuated.

The selected result articles represent the various phases in the SSDLC models thoroughly. Notably, a minority (4 of 11) were empirical. The impact of these articles was not reliably available, so the direct number of references was used as reported by the library itself; this was acknowledged not to be the actual number of references. The results show the history of the agile software security engineering research, as well as its overall typology: conceptual papers are dominant, with empirical evidence provided mostly in the form of case studies. The methodological development of the agile software development processes is a central theme, complemented by research on security skills and management.

The field of secure agile software development is still fragmented and organization specific, largely due to the highly adaptable nature of the agile methods. A wide industry survey concentrating on agile security activities would help to identify the key agile security practices and confirm the findings outlined in this study. This was performed in P6.

Using sources other than peer-reviewed academic ones would also provide an interesting ground for hypotheses, to be verified with a scientific method. Finally, the distinct similarity between security and safety activities implies an increase in the general quality of the software products created with security-augmented processes. The impact of security activities on the measurable quality of software and on software project management should also prove to be an interesting research subject.
