Security requirements engineering in the agile era: How does it work in practice?

Maya Daneva; Chong Wang

doi:10.1109/QuaRAP.2018.00008

Security requirements engineering in the agile era: How does it work in practice?

Maya Daneva, Chong Wang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

6 Citations (Scopus)

Abstract

Currently many software companies attempt the integration of agile project delivery models and security requirements engineering (RE). However, very little is published on how this is achieved in real-life settings. This paper reports on results from a documentary study initiated to understand the agile-ready security practices that organizations use. We selected seven well-documented Security RE frameworks for Agile projects that have been used in practice and carried out a qualitative thematic analysis based on documents describing the frameworks and their supposed use in detail. This resulted in a list of solution practices that focus on introducing artefacts, organizational roles, competencies and activities in order to make sure that security RE is done systematically in agile project organizations. Our conclusion is that Security RE adds up to the documentation in an agile project, as teams introduce new story types, e.g. evil user stories, abuser stories, security stories. Plus, we found that Security RE relies on investments into the security training of the agile project teams and into organizing hack sessions. Last, if companies take security requirements seriously, it seems that they should consider ignoring the gatekeeping role of the agile product owner.

Original language	English
Title of host publication	2018 IEEE 1st International Workshop on Quality Requirements in Agile Projects (QuaRAP)
Editors	Xavier Franch, Andreas Jedlitschka, Daniel Mendez Fernandez, Markku Oivo
Publisher	IEEE
Pages	10-13
Number of pages	4
ISBN (Electronic)	978-1-5386-8412-2
ISBN (Print)	978-1-5386-8413-9
DOIs	https://doi.org/10.1109/QuaRAP.2018.00008
Publication status	Published - 19 Oct 2018
Event	1st International Workshop on Quality Requirements in Agile Projects 2018 - Banff Centre for Arts and Creativity, Banff, Canada Duration: 21 Aug 2018 → … Conference number: 1 https://www.essi.upc.edu/~quarap/

Workshop

Workshop	1st International Workshop on Quality Requirements in Agile Projects 2018
Abbreviated title	QuaRAP 2018
Country/Territory	Canada
City	Banff
Period	21/08/18 → …
Internet address	https://www.essi.upc.edu/~quarap/

Keywords

Agile project delivery
Empirical research method
Qualitative study
Security requirements engineering

Access to Document

10.1109/QuaRAP.2018.00008

Cite this

@inproceedings{1a898c4beea54677965eec4f0b2793c8,

title = "Security requirements engineering in the agile era: How does it work in practice?",

abstract = "Currently many software companies attempt the integration of agile project delivery models and security requirements engineering (RE). However, very little is published on how this is achieved in real-life settings. This paper reports on results from a documentary study initiated to understand the agile-ready security practices that organizations use. We selected seven well-documented Security RE frameworks for Agile projects that have been used in practice and carried out a qualitative thematic analysis based on documents describing the frameworks and their supposed use in detail. This resulted in a list of solution practices that focus on introducing artefacts, organizational roles, competencies and activities in order to make sure that security RE is done systematically in agile project organizations. Our conclusion is that Security RE adds up to the documentation in an agile project, as teams introduce new story types, e.g. evil user stories, abuser stories, security stories. Plus, we found that Security RE relies on investments into the security training of the agile project teams and into organizing hack sessions. Last, if companies take security requirements seriously, it seems that they should consider ignoring the gatekeeping role of the agile product owner.",

keywords = "Agile project delivery, Empirical research method, Qualitative study, Security requirements engineering",

author = "Maya Daneva and Chong Wang",

year = "2018",

month = oct,

day = "19",

doi = "10.1109/QuaRAP.2018.00008",

language = "English",

isbn = "978-1-5386-8413-9",

pages = "10--13",

editor = "Xavier Franch and Andreas Jedlitschka and Fernandez, {Daniel Mendez} and Markku Oivo",

booktitle = "2018 IEEE 1st International Workshop on Quality Requirements in Agile Projects (QuaRAP)",

publisher = "IEEE",

note = "1st International Workshop on Quality Requirements in Agile Projects 2018, QuaRAP 2018 ; Conference date: 21-08-2018",

url = "https://www.essi.upc.edu/~quarap/",

}

Daneva, M & Wang, C 2018, Security requirements engineering in the agile era: How does it work in practice? in X Franch, A Jedlitschka, DM Fernandez & M Oivo (eds), 2018 IEEE 1st International Workshop on Quality Requirements in Agile Projects (QuaRAP)., 8501269, IEEE, pp. 10-13, 1st International Workshop on Quality Requirements in Agile Projects 2018, Banff, Alberta, Canada, 21/08/18. https://doi.org/10.1109/QuaRAP.2018.00008

Security requirements engineering in the agile era : How does it work in practice? / Daneva, Maya ; Wang, Chong.

2018 IEEE 1st International Workshop on Quality Requirements in Agile Projects (QuaRAP). ed. / Xavier Franch; Andreas Jedlitschka; Daniel Mendez Fernandez; Markku Oivo. IEEE, 2018. p. 10-13 8501269.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Security requirements engineering in the agile era

T2 - 1st International Workshop on Quality Requirements in Agile Projects 2018

AU - Daneva, Maya

AU - Wang, Chong

N1 - Conference code: 1

PY - 2018/10/19

Y1 - 2018/10/19

N2 - Currently many software companies attempt the integration of agile project delivery models and security requirements engineering (RE). However, very little is published on how this is achieved in real-life settings. This paper reports on results from a documentary study initiated to understand the agile-ready security practices that organizations use. We selected seven well-documented Security RE frameworks for Agile projects that have been used in practice and carried out a qualitative thematic analysis based on documents describing the frameworks and their supposed use in detail. This resulted in a list of solution practices that focus on introducing artefacts, organizational roles, competencies and activities in order to make sure that security RE is done systematically in agile project organizations. Our conclusion is that Security RE adds up to the documentation in an agile project, as teams introduce new story types, e.g. evil user stories, abuser stories, security stories. Plus, we found that Security RE relies on investments into the security training of the agile project teams and into organizing hack sessions. Last, if companies take security requirements seriously, it seems that they should consider ignoring the gatekeeping role of the agile product owner.

AB - Currently many software companies attempt the integration of agile project delivery models and security requirements engineering (RE). However, very little is published on how this is achieved in real-life settings. This paper reports on results from a documentary study initiated to understand the agile-ready security practices that organizations use. We selected seven well-documented Security RE frameworks for Agile projects that have been used in practice and carried out a qualitative thematic analysis based on documents describing the frameworks and their supposed use in detail. This resulted in a list of solution practices that focus on introducing artefacts, organizational roles, competencies and activities in order to make sure that security RE is done systematically in agile project organizations. Our conclusion is that Security RE adds up to the documentation in an agile project, as teams introduce new story types, e.g. evil user stories, abuser stories, security stories. Plus, we found that Security RE relies on investments into the security training of the agile project teams and into organizing hack sessions. Last, if companies take security requirements seriously, it seems that they should consider ignoring the gatekeeping role of the agile product owner.

KW - Agile project delivery

KW - Empirical research method

KW - Qualitative study

KW - Security requirements engineering

U2 - 10.1109/QuaRAP.2018.00008

DO - 10.1109/QuaRAP.2018.00008

M3 - Conference contribution

AN - SCOPUS:85061456556

SN - 978-1-5386-8413-9

SP - 10

EP - 13

BT - 2018 IEEE 1st International Workshop on Quality Requirements in Agile Projects (QuaRAP)

A2 - Franch, Xavier

A2 - Jedlitschka, Andreas

A2 - Fernandez, Daniel Mendez

A2 - Oivo, Markku

PB - IEEE

Y2 - 21 August 2018

ER -

Security requirements engineering in the agile era: How does it work in practice?

Abstract

Workshop

Keywords

Access to Document

Fingerprint

Cite this