Security requirements engineering in the agile era: How does it work in practice?

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    2 Citations (Scopus)

    Abstract

    Currently many software companies attempt the integration of agile project delivery models and security requirements engineering (RE). However, very little is published on how this is achieved in real-life settings. This paper reports on results from a documentary study initiated to understand the agile-ready security practices that organizations use. We selected seven well-documented Security RE frameworks for Agile projects that have been used in practice and carried out a qualitative thematic analysis based on documents describing the frameworks and their supposed use in detail. This resulted in a list of solution practices that focus on introducing artefacts, organizational roles, competencies and activities in order to make sure that security RE is done systematically in agile project organizations. Our conclusion is that Security RE adds up to the documentation in an agile project, as teams introduce new story types, e.g. evil user stories, abuser stories, security stories. Plus, we found that Security RE relies on investments into the security training of the agile project teams and into organizing hack sessions. Last, if companies take security requirements seriously, it seems that they should consider ignoring the gatekeeping role of the agile product owner.

    Original languageEnglish
    Title of host publication2018 IEEE 1st International Workshop on Quality Requirements in Agile Projects (QuaRAP)
    EditorsXavier Franch, Andreas Jedlitschka, Daniel Mendez Fernandez, Markku Oivo
    PublisherIEEE
    Pages10-13
    Number of pages4
    ISBN (Electronic)978-1-5386-8412-2
    ISBN (Print)978-1-5386-8413-9
    DOIs
    Publication statusPublished - 19 Oct 2018
    Event1st International Workshop on Quality Requirements in Agile Projects 2018 - Banff Centre for Arts and Creativity, Banff, Canada
    Duration: 21 Aug 2018 → …
    Conference number: 1
    https://www.essi.upc.edu/~quarap/

    Workshop

    Workshop1st International Workshop on Quality Requirements in Agile Projects 2018
    Abbreviated titleQuaRAP 2018
    CountryCanada
    CityBanff
    Period21/08/18 → …
    Internet address

    Keywords

    • Agile project delivery
    • Empirical research method
    • Qualitative study
    • Security requirements engineering

    Fingerprint Dive into the research topics of 'Security requirements engineering in the agile era: How does it work in practice?'. Together they form a unique fingerprint.

    Cite this