Identification and Evaluation of Security Activities in Agile Projects

  • Tigist Ayalew
  • Tigist Kidane
  • Bengt Carlsson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8208)


We compare four high-profile waterfall security-engineering processes (CLASP, Microsoft SDL, Cigital Touchpoints and Common Criteria) with the available preconditions within agile processes. Then, using a survey study, agile security activities are identified and evaluated by practitioners from large companies, e.g. software and telecommunication companies. Those activities are compared and a specific security engineering process is suggested for an agile process setting that can provide high benefit with low integration cost.


Keywords: Agile Process, Software Security, Development Process, Security Engineering





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Tigist Ayalew (1)
  • Tigist Kidane (1)
  • Bengt Carlsson (1)

  1. Blekinge Institute of Technology, Karlskrona, Sweden
