Security requirements engineering in the agile era: How does it work in practice?

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

    1 Citation (Scopus)

    Abstract

    Currently many software companies attempt the integration of agile project delivery models and security requirements engineering (RE). However, very little is published on how this is achieved in real-life settings. This paper reports on results from a documentary study initiated to understand the agile-ready security practices that organizations use. We selected seven well-documented Security RE frameworks for Agile projects that have been used in practice and carried out a qualitative thematic analysis based on documents describing the frameworks and their supposed use in detail. This resulted in a list of solution practices that focus on introducing artefacts, organizational roles, competencies and activities in order to make sure that security RE is done systematically in agile project organizations. Our conclusion is that Security RE adds up to the documentation in an agile project, as teams introduce new story types, e.g. evil user stories, abuser stories, security stories. Plus, we found that Security RE relies on investments into the security training of the agile project teams and into organizing hack sessions. Last, if companies take security requirements seriously, it seems that they should consider ignoring the gatekeeping role of the agile product owner.

    Original language: English
    Title of host publication: 2018 IEEE 1st International Workshop on Quality Requirements in Agile Projects (QuaRAP)
    Editors: Xavier Franch, Andreas Jedlitschka, Daniel Mendez Fernandez, Markku Oivo
    Publisher: IEEE
    Pages: 10-13
    Number of pages: 4
    ISBN (Electronic): 978-1-5386-8412-2
    ISBN (Print): 978-1-5386-8413-9
    DOIs: 10.1109/QuaRAP.2018.00008
    Publication status: Published - 19 Oct 2018
    Event: 1st International Workshop on Quality Requirements in Agile Projects 2018 - Banff Centre for Arts and Creativity, Banff, Canada
    Duration: 21 Aug 2018 → …
    Conference number: 1
    https://www.essi.upc.edu/~quarap/

    Workshop

    Workshop: 1st International Workshop on Quality Requirements in Agile Projects 2018
    Abbreviated title: QuaRAP 2018
    Country: Canada
    City: Banff
    Period: 21/08/18 → …
    Internet address: https://www.essi.upc.edu/~quarap/

    Keywords

    • Agile project delivery
    • Empirical research method
    • Qualitative study
    • Security requirements engineering

    Cite this

    Daneva, M., & Wang, C. (2018). Security requirements engineering in the agile era: How does it work in practice? In X. Franch, A. Jedlitschka, D. M. Fernandez, & M. Oivo (Eds.), 2018 IEEE 1st International Workshop on Quality Requirements in Agile Projects (QuaRAP) (pp. 10-13). [8501269] IEEE. https://doi.org/10.1109/QuaRAP.2018.00008