
Towards Risk-Driven Security Requirements Management in Agile Software Development

Conference paper, published in: Information Systems Engineering in Responsible Information Systems (CAiSE 2019)

Abstract

The focus on user stories in agile development means that non-functional requirements, such as security, are not always made explicit. This makes it hard for the development team to implement the required functionality in a reliable, secure way. Security checklists can help, but they do not take the application’s context into account and are not part of the product backlog.

In this paper we explore whether these issues can be addressed by a framework which uses a risk assessment process, a mapping of threats to security features, and a repository of operationalized security features to populate the product backlog with prioritized security requirements. The approach highlights the relevance of each security feature to product owners while ensuring the knowledge and time required to implement security requirements is made available to developers. We applied and evaluated the framework at a Dutch medium-sized software development company with promising results.
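As an added illustration of the pipeline the abstract describes (this is not code from the paper or from the company it was evaluated at), the following models the three ingredients: a risk assessment that scores threats, a mapping of threats to security features, and a repository of operationalised features that is turned into a prioritised backlog. The threat scores, the mapping and the feature repository are all constructed sample data.

```python
from dataclasses import dataclass, field
# All threats, mappings and features below are constructed sample data; the
# company's real catalogue, mapping and repository are not on this page.

@dataclass
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), from the risk assessment
    impact: int      # 1 (negligible) .. 5 (severe)
    def risk(self) -> int:
        return self.likelihood * self.impact

# Threat -> security features that mitigate it (assumed mapping).
THREAT_TO_FEATURES = {
    "credential stuffing": ["rate limiting", "multi-factor authentication"],
    "sql injection": ["parameterised queries"],
    "session hijacking": ["secure session cookies"],
}

# Repository of operationalised features: (story, acceptance criteria, effort in
# story points), so developers get the how and product owners see the cost.
FEATURE_REPOSITORY = {
    "rate limiting": ("Throttle logins after repeated failures", ["lockout after N failures", "lockouts are logged"], 3),
    "multi-factor authentication": ("Require a second factor at login", ["TOTP enrolment", "MFA enforced for admins"], 8),
    "parameterised queries": ("Use parameterised queries for all SQL", ["no string-built SQL passes review"], 2),
    "secure session cookies": ("Set Secure, HttpOnly, SameSite on session cookies", ["flags checked by test"], 1),
}

@dataclass
class BacklogItem:
    feature: str
    priority: int   # highest risk score among the threats this feature mitigates
    story: str
    criteria: list
    effort: int
    threats: list = field(default_factory=list)  # rationale shown to the product owner

def build_backlog(threats):
    """Assessed threats -> (backlog sorted by risk desc, effort asc; threats with no mapped feature)."""
    items, unmapped = {}, []
    for t in threats:
        features = THREAT_TO_FEATURES.get(t.name.lower())
        if not features:  # a threat with no known mitigation must not vanish silently
            unmapped.append(t.name)
            continue
        for f in features:
            story, criteria, effort = FEATURE_REPOSITORY[f]
            item = items.setdefault(f, BacklogItem(f, 0, story, criteria, effort))
            item.priority = max(item.priority, t.risk())
            item.threats.append(t.name)
    return sorted(items.values(), key=lambda i: (-i.priority, i.effort)), unmapped
```

The unmapped list is the check a practitioner wants: it surfaces threats the mapping does not cover, which would otherwise silently never reach the backlog.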

Supported by The Netherlands Organisation for Scientific Research (NWO) in the context of cyber-security research (grant number 628.001.011).



Author information

Corresponding author: Dan Ionita.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Ionita, D., van der Velden, C., Ikkink, HJ.K., Neven, E., Daneva, M., Kuipers, M. (2019). Towards Risk-Driven Security Requirements Management in Agile Software Development. In: Cappiello, C., Ruiz, M. (eds) Information Systems Engineering in Responsible Information Systems. CAiSE 2019. Lecture Notes in Business Information Processing, vol 350. Springer, Cham. https://doi.org/10.1007/978-3-030-21297-1_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-21297-1_12


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-21296-4

  • Online ISBN: 978-3-030-21297-1
