An Empirical Study on the Relationship between Software Security Skills, Usage and Training Needs in Agile Settings

Organizations recognize that protecting their assets against attacks is an important business concern. However, achieving adequate security requires taking bold steps to address security practices within the organization. In the agile software development world, a heavyweight security engineering process is widely regarded as unacceptable because it runs counter to agile values. Agile teams have therefore approached software security activities in their own way. Improving security in agile settings requires that management understand how software security activities are currently practiced within its agile teams. In this study, we use a survey to investigate software security usage, competence, and training needs in two agile organizations. We find that (1) the two organizations perform differently in core software security activities but are similar when activities that could be leveraged for security are considered; (2) regardless of cost or benefit, skill drives the kind of activities that are performed; (3) secure design is expressed as the most important training need by all groups in both organizations; and (4) effective software security adoption in agile settings is not automatic; it requires a driver.
