Towards risk-driven security requirements management in agile software development

Dan Ionita; Coco van der Velden; Henk Jan Klein Ikkink; Eelko Neven; Maya Daneva; Michael Kuipers

doi:10.1007/978-3-030-21297-1_12

Towards risk-driven security requirements management in agile software development

Dan Ionita^*, Coco van der Velden, Henk Jan Klein Ikkink, Eelko Neven, Maya Daneva, Michael Kuipers

^*Corresponding author for this work

Services, Cybersecurity & Safety

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

9 Citations (Scopus)

Abstract

The focus on user stories in agile means non-functional requirements, such as security, are not always explicit. This makes it hard for the development team to implement the required functionality in a reliable, secure way. Security checklists can help but they do not consider the application’s context and are not part of the product backlog. In this paper we explore whether these issues can be addressed by a framework which uses a risk assessment process, a mapping of threats to security features, and a repository of operationalized security features to populate the product backlog with prioritized security requirements. The approach highlights the relevance of each security feature to product owners while ensuring the knowledge and time required to implement security requirements is made available to developers. We applied and evaluated the framework at a Dutch medium-sized software development company with promising results.

Original language	English
Title of host publication	Information Systems Engineering in Responsible Information Systems
Subtitle of host publication	CAiSE Forum 2019, Rome, Italy, June 3–7, 2019, Proceedings
Editors	Cinzia Cappiello, Marcela Ruiz
Place of Publication	Cham
Publisher	Springer
Pages	133-144
Number of pages	12
ISBN (Print)	9783030212964
DOIs	https://doi.org/10.1007/978-3-030-21297-1_12
Publication status	Published - 1 Jan 2019
Event	31st International Conference on Advanced Information Systems Engineering, CAiSE 2019: CAiSE - Rome, Italy Duration: 3 Jun 2019 → 7 Jun 2019 Conference number: 31

Publication series

Name	Lecture Notes in Business Information Processing
Publisher	Springer
Volume	350
ISSN (Print)	1865-1348
ISSN (Electronic)	1865-1356

Conference

Conference	31st International Conference on Advanced Information Systems Engineering, CAiSE 2019
Country/Territory	Italy
City	Rome
Period	3/06/19 → 7/06/19

Keywords

Empirical research method
Risk assessment
Secure software development
Security requirements

Access to Document

10.1007/978-3-030-21297-1_12

Cite this

Ionita, D., van der Velden, C., Ikkink, H. J. K., Neven, E., Daneva, M., & Kuipers, M. (2019). Towards risk-driven security requirements management in agile software development. In C. Cappiello, & M. Ruiz (Eds.), Information Systems Engineering in Responsible Information Systems: CAiSE Forum 2019, Rome, Italy, June 3–7, 2019, Proceedings (pp. 133-144). (Lecture Notes in Business Information Processing; Vol. 350). Springer. https://doi.org/10.1007/978-3-030-21297-1_12

Ionita, Dan ; van der Velden, Coco ; Ikkink, Henk Jan Klein et al. / Towards risk-driven security requirements management in agile software development. Information Systems Engineering in Responsible Information Systems: CAiSE Forum 2019, Rome, Italy, June 3–7, 2019, Proceedings. editor / Cinzia Cappiello ; Marcela Ruiz. Cham : Springer, 2019. pp. 133-144 (Lecture Notes in Business Information Processing).

@inproceedings{afeeab044c4f4f55a3da292c61449b22,

title = "Towards risk-driven security requirements management in agile software development",

abstract = "The focus on user stories in agile means non-functional requirements, such as security, are not always explicit. This makes it hard for the development team to implement the required functionality in a reliable, secure way. Security checklists can help but they do not consider the application{\textquoteright}s context and are not part of the product backlog. In this paper we explore whether these issues can be addressed by a framework which uses a risk assessment process, a mapping of threats to security features, and a repository of operationalized security features to populate the product backlog with prioritized security requirements. The approach highlights the relevance of each security feature to product owners while ensuring the knowledge and time required to implement security requirements is made available to developers. We applied and evaluated the framework at a Dutch medium-sized software development company with promising results.",

keywords = "Empirical research method, Risk assessment, Secure software development, Security requirements",

author = "Dan Ionita and {van der Velden}, Coco and Ikkink, {Henk Jan Klein} and Eelko Neven and Maya Daneva and Michael Kuipers",

year = "2019",

month = jan,

day = "1",

doi = "10.1007/978-3-030-21297-1_12",

language = "English",

isbn = "9783030212964",

series = "Lecture Notes in Business Information Processing",

publisher = "Springer",

pages = "133--144",

editor = "Cinzia Cappiello and Marcela Ruiz",

booktitle = "Information Systems Engineering in Responsible Information Systems",

note = "31st International Conference on Advanced Information Systems Engineering, CAiSE 2019 : CAiSE ; Conference date: 03-06-2019 Through 07-06-2019",

}

Ionita, D, van der Velden, C, Ikkink, HJK, Neven, E, Daneva, M & Kuipers, M 2019, Towards risk-driven security requirements management in agile software development. in C Cappiello & M Ruiz (eds), Information Systems Engineering in Responsible Information Systems: CAiSE Forum 2019, Rome, Italy, June 3–7, 2019, Proceedings. Lecture Notes in Business Information Processing, vol. 350, Springer, Cham, pp. 133-144, 31st International Conference on Advanced Information Systems Engineering, CAiSE 2019, Rome, Italy, 3/06/19. https://doi.org/10.1007/978-3-030-21297-1_12

Towards risk-driven security requirements management in agile software development. / Ionita, Dan; van der Velden, Coco; Ikkink, Henk Jan Klein et al.

Information Systems Engineering in Responsible Information Systems: CAiSE Forum 2019, Rome, Italy, June 3–7, 2019, Proceedings. ed. / Cinzia Cappiello; Marcela Ruiz. Cham : Springer, 2019. p. 133-144 (Lecture Notes in Business Information Processing; Vol. 350).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Towards risk-driven security requirements management in agile software development

AU - Ionita, Dan

AU - van der Velden, Coco

AU - Ikkink, Henk Jan Klein

AU - Neven, Eelko

AU - Daneva, Maya

AU - Kuipers, Michael

N1 - Conference code: 31

PY - 2019/1/1

Y1 - 2019/1/1

N2 - The focus on user stories in agile means non-functional requirements, such as security, are not always explicit. This makes it hard for the development team to implement the required functionality in a reliable, secure way. Security checklists can help but they do not consider the application’s context and are not part of the product backlog. In this paper we explore whether these issues can be addressed by a framework which uses a risk assessment process, a mapping of threats to security features, and a repository of operationalized security features to populate the product backlog with prioritized security requirements. The approach highlights the relevance of each security feature to product owners while ensuring the knowledge and time required to implement security requirements is made available to developers. We applied and evaluated the framework at a Dutch medium-sized software development company with promising results.

AB - The focus on user stories in agile means non-functional requirements, such as security, are not always explicit. This makes it hard for the development team to implement the required functionality in a reliable, secure way. Security checklists can help but they do not consider the application’s context and are not part of the product backlog. In this paper we explore whether these issues can be addressed by a framework which uses a risk assessment process, a mapping of threats to security features, and a repository of operationalized security features to populate the product backlog with prioritized security requirements. The approach highlights the relevance of each security feature to product owners while ensuring the knowledge and time required to implement security requirements is made available to developers. We applied and evaluated the framework at a Dutch medium-sized software development company with promising results.

KW - Empirical research method

KW - Risk assessment

KW - Secure software development

KW - Security requirements

UR - http://www.scopus.com/inward/record.url?scp=85066804399&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-21297-1_12

DO - 10.1007/978-3-030-21297-1_12

M3 - Conference contribution

AN - SCOPUS:85066804399

SN - 9783030212964

T3 - Lecture Notes in Business Information Processing

SP - 133

EP - 144

BT - Information Systems Engineering in Responsible Information Systems

A2 - Cappiello, Cinzia

A2 - Ruiz, Marcela

PB - Springer

CY - Cham

T2 - 31st International Conference on Advanced Information Systems Engineering, CAiSE 2019

Y2 - 3 June 2019 through 7 June 2019

ER -

Ionita D, van der Velden C, Ikkink HJK, Neven E, Daneva M, Kuipers M. Towards risk-driven security requirements management in agile software development. In Cappiello C, Ruiz M, editors, Information Systems Engineering in Responsible Information Systems: CAiSE Forum 2019, Rome, Italy, June 3–7, 2019, Proceedings. Cham: Springer. 2019. p. 133-144. (Lecture Notes in Business Information Processing). doi: 10.1007/978-3-030-21297-1_12

Towards risk-driven security requirements management in agile software development

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this