Agile development with security engineering activities

Document type: Conference Papers
Peer reviewed: Yes
Author(s): Dejan Baca, Bengt Carlsson
Title: Agile development with security engineering activities
Conference name: International Conference on Software and Systems Process, ICSSP
Year: 2011
Pagination: 149-158
ISBN: 978-145030730-7
Publisher: ACM
City: Waikiki
URI/DOI: 10.1145/1987875.1987900
Organization: Blekinge Institute of Technology
Department: School of Computing (Sektionen för datavetenskap och kommunikation)
School of Computing S-371 79 Karlskrona
+46 455 38 50 00
Language: English
Abstract: Agile software development has been used by industry to create a more flexible and lean software development process, i.e making it possible to develop software at a faster rate and with more agility during development. There are however concerns that the higher development pace and lack of documentation are creating less secure software. We have therefore looked at three known Security Engineering processes, Microsoft SDL, Cigatel touchpoints and Common Criteria and identified what specific security activities they performed. We then compared these activities with an Agile development process that is used in industry. Developers, from a large telecommunication manufacturer, were interviewed to learn their impressions on using these security activities in an agile development process. We produced a security enhanced Agile development process that we present in this paper. This new Agile process use activities from already established security engineering processes that provide the benefit the developers wanted but did not hinder or obstruct the Agile process in a significant way.
Subject: Software Engineering\General
Keywords: agile process, development process, security engineering, software engineering