Prioritisation of security in agile software development projects

Abstract

Agile software development is driven by business value, and strives towards visible progress through features. Consequently, the somewhat invisible and overarching aspect of software security is at the risk of being neglected.

A key assumption of this thesis is that to achieve adequate security within acceptable costs (“good enough” security), software development projects need to be able to make priorities on what security is needed throughout development. The thesis addresses the following overall research problem: How can regular security prioritisation be integrated into agile software development so that software products end up with a level of security that is “good enough”? To this end, the thesis investigates 1) what influences the security prioritisation throughout an agile software development project, and 2) how security roles and activities can support an agile software development project in reaching a “good enough” prioritisation of security.

The research follows a design science approach, studying and designing process support for companies wanting to improve their software security prioritisation. The investigation is centred on small and medium sized companies developing “normal” software, i.e., software that is not security critical nor has security as a key feature of the product. The need for trade-offs and prioritisations between security and other software aspects is likely to be more pressing when security is not a main development goal, and smaller companies have been identified as having a higher potential for improvement in their software security compared to larger companies.

The thesis suggests that to improve prioritisation of security in agile software development, companies can apply regular security prioritisation meetings, and security experts in the company can be empowered with knowledge on how to influence the security priority. The foundation for this suggestion is documented in a collection of papers.

The thesis offers the following main contributions that are aimed towards both practitioners and researchers: 1) A conceptual model of the influences on security priority in agile software development, 2) Identified and evaluated strategies that security experts can take in influencing the security priority of agile software development projects, 3) A new and evaluated meeting approach for continuous software security in agile software development, and 4) Rich descriptions of practical experiences with improving software security prioritisation, bridging the gap between science and practice.
