1. Introduction
Agile development methods are widely accepted and implemented in industry. Often based on the Agile Manifesto (Beck et al., 2001), several proposals for agile methods exist with Scrum as a particularly prominent example (Schwaber & Beedle, 2001).
Security engineering and agile software development are often perceived as a clash of cultures. According to Baca & Carlsson (2011), agile practitioners judge security engineering processes as too costly and not beneficial enough in an agile context. Threat assessment and mitigation focus on parts of the product that are either subject to (possibly rapid) change in agile environments – such as code, scope and requirements – or scarcely present at all – such as (architectural) documentation. The corresponding tasks are perceived as documentation-heavy and as impeding the fast-moving pace of agile development methods. Because they require a global perspective to become effective (e.g., a system model), these tasks appear to be incompatible with the piece-wise product increments that are at the very center of agile methods. In this regard, threat modeling and mitigation are just one part of security risk management, for which Franqueira et al. (2011) compiled a table of mismatches with the agile philosophy.
To address this issue, several approaches have been proposed that allow for agile security engineering (e.g., Jeffries (2012) and Kazerooni & Sethi (2011)). Unfortunately, agile development organizations differ in their actual procedures and environmental properties. Therefore, a specific approach designed for agile threat assessment and mitigation does not necessarily fit a given agile development organization.
We propose an approach to compare and select methods for agile security engineering, focusing on threat assessment and mitigation as a prominent example. Our approach applies concepts from the method engineering discipline in order to analyze and disassemble existing methods. The resulting method fragments provide a foundation for the comparison of methods. Utilizing these fragments, a method engineer may adapt or construct a tailored agile threat assessment and mitigation method for an organization, taking its existing development culture into account.
The remainder of this paper is structured as follows: after this introduction, we describe work related to our approach and provide the necessary background on method engineering. The following section analyzes and disassembles selected approaches for agile threat assessment and mitigation and presents the resulting method fragments. Section 4 identifies and describes the properties that we use to differentiate existing approaches. The application of our approach is demonstrated in Section 5, which includes early feedback from a small development organization. A final section concludes and provides an outlook on further research.