The Security Intention Meeting Series as a way to increase visibility of software security decisions in agile development projects

To achieve a level of security that is just right, software development projects need to strike a balance between security and cost. This necessitates making decisions such as which security activities to perform during development and which security requirements should be given priority. Current evidence indicates that in many agile development projects, software security is dealt with in a more or less "accidental" way, based on individuals' security awareness and interest. This approach is unlikely to lead to an optimal security level for the product. This paper suggests Security Intention Recap Meetings as a recurring organisational tool for evaluating current practices against the security intentions of a software project and for making decisions on how to move forward. These meetings involve key decision makers in the project, such as the product owner and the project manager, with the purpose of making security decisions visible and deliberate and of monitoring their results.
