Collaborative security risk estimation in agile software development

Today, agile software development teams generally do not practise security risk assessment on an ongoing basis as a way to prioritize security work. Protection Poker is a collaborative, lightweight software security risk-estimation technique that is particularly suited to agile teams. Motivated by a desire to understand why security risk assessments have not yet gained widespread adoption in agile development, this study aims to assess to what extent the Protection Poker game would be accepted by agile teams and how it can be successfully integrated into agile practices.

Protection Poker was studied in capstone projects, in teams taking a graduate software security course and in sessions with industry representatives. Data were collected via questionnaires, observations and group interviews.

Results show that Protection Poker has the potential to be adopted by agile teams. Key benefits include good discussions about security and the development project, along with increased knowledge and awareness. Challenges include ensuring efficient use of time and achieving an impact on the end product.

Using students allowed easy access to subjects and the ability to collect rich data over time, but at the cost of generalizability to professional settings. Results from interactions with professionals supplement the data from students, showing similarities and differences in their opinions of Protection Poker.

The paper proposes ways to tackle the main obstacles to the adoption of the Protection Poker technique, as identified in this study.
