A Lightweight Measurement of Software Security Skills, Usage and Training Needs in Agile Teams

A Lightweight Measurement of Software Security Skills, Usage and Training Needs in Agile Teams

Tosin Daniel Oyetoyan (Department of Software Engineering, Safety & Security, SINTEF Digital, Trondheim, Norway), Martin Gilje Jaatun (Department of Software Engineering, Safety & Security, SINTEF Digital, Trondheim, Norway) and Daniela Soares Cruzes (Department of Software Engineering, Safety & Security, SINTEF Digital, Trondheim, Norway)
Copyright: © 2017 |Pages: 27
DOI: 10.4018/IJSSE.2017010101
OnDemand PDF Download:
No Current Special Offers


Although most organizations understand the need for application security at an abstract level, achieving adequate software security at the sharp end requires taking bold steps to address security practices within the organization. In the Agile software development world, a security engineering process is unacceptable if it is perceived to run counter to the agile values, and agile teams have thus approached software security activities in their own way. To improve security within agile settings requires that management understands the current practices of software security activities within their agile teams. In this study, the authors have used a survey instrument to investigate software security usage, competence, and training needs in two agile organizations. They find that (1) The two organizations perform differently in terms of core software security activities, but are similar when secondary activities that could be leveraged for security are considered (2) regardless of cost or benefit, skill drives the kind of activities that are performed (3) Secure design is expressed as the most important training need by all groups in both organizations (4) Effective software security adoption in agile setting is not automatic, it requires a driver.
Article Preview

1. Introduction

Protecting the organization’s assets from security threats is vital. Security cannot be treated as an add-on functionality or isolated product feature (Gary McGraw, 2006), and it is thus important that security is “built-in” in the process and the product. However, a traditional security engineering process is often associated with additional development efforts and is likely to invoke resentment among agile development teams (ben Othmane et al., 2014; Beznosov & Kruchten, 2004). A software security approach tailored to the agile mind-set thus seems necessary.

Some approaches have been proposed to integrate security activities into agile development, e.g., the Microsoft SDL for Agile (Microsoft, 2012). However, these approaches have been criticised for looking similar to the traditional versions in terms of workload (e.g., performing a long list of security verification and validation tasks) (ben Othmane et al., 2014). As a result, “agile” organizations have approached software security in a way that fits their process and practices. Statistics show that more than 70% of reported vulnerabilities are in the application layer (Fong & Okun, 2007) and not the network. Thus, regardless of whether agile is perceived to be incompatible with any particular secure software development lifecycle, the major discussion we should have is how to improve security within the agile context (Bartsch, 2011). Previous studies (Ayalew et al., 2013; Baca & Carlsson, 2011) have investigated which security activities are practiced in different organizations, and which are compatible with agile practices from cost and benefit perspectives. Using a survey of software security activities among software practitioners, they identify and recommend certain security activities that are compatible with agile practices such as; eliciting security requirements, using a role matrix, risk analysis, employing secure design principles, drawing countermeasure graphs, adhering to coding rules, wielding security tools, penetration testing, and operational planning and readiness.

While these activities could be argued to be beneficial and cost effective to integrate, there are still gaps between what is “adequate” security (Allen, 2005), and what is currently practiced within several organizations. According to Allen (2005), adequate security is defined as “The condition where the protection and sustainability strategies for an organization's critical assets and business processes are commensurate with the organization's tolerance for risk.”

The research presented here is motivated based on the perceived knowledge gaps in software security in agile software development organizations in Norway (Jaatun et al., 2015). In order to address these gaps, management must first understand the current status of software security practices and capability within their organization. This study is carried out in 2 organizations (in the following referred to as “Org-1” and “Org-2”), that develop software in telecommunication and transportation, respectively (see section 3.2.1 for more information on the two organizations). This paper extends our previous work (Oyetoyan et al., 2016) investigating existing practice, skills, and training needs within agile teams, by significantly expanding the background, exploring new dimensions of the data with additional research questions, and deeper discussion of the results. We want to know more on the training needs and understand the relationships between skills and usage of security activities among teams and across roles. The findings are important to guide management decisions towards improving security within their organization.

Complete Article List

Search this Journal:
Open Access Articles: Forthcoming
Volume 8: 4 Issues (2017)
Volume 7: 4 Issues (2016)
Volume 6: 4 Issues (2015)
Volume 5: 4 Issues (2014)
Volume 4: 4 Issues (2013)
Volume 3: 4 Issues (2012)
Volume 2: 4 Issues (2011)
Volume 1: 4 Issues (2010)
View Complete Journal Contents Listing