Evaluation of the Challenges of Developing Secure Software Using the Agile Approach

Hela Oueslati (Technical University Darmstadt, Darmstadt, Germany), Mohammad Masudur Rahman (Technical University Darmstadt, Darmstadt, Germany), Lotfi ben Othmane (Fraunhofer SIT, Darmstadt, Germany), Imran Ghani (Universiti Teknologi Malaysia, Malaysia) and Adila Firdaus Bt Arbain (Universiti Teknologi Malaysia, Malaysia)
Copyright: © 2016 | Pages: 21
DOI: 10.4018/IJSSE.2016010102

Abstract

The literature reports a set of challenges of developing secure software using the agile development approach and methods. This paper reports on a systematic literature review that identifies these challenges and evaluates the causes of each of them with respect to the agile values, the agile principles, and the security assurance practices. The authors identified 20 challenges in this study, which are reported in 28 publications. They found that 14 of these challenges are valid and 6 are caused neither by agile values and principles nor by the security assurance practices. The authors also found that 2 of the valid challenges are related to the software development life-cycle, 4 are related to incremental development, 4 are related to security assurance, 2 are related to awareness and collaboration, and 2 are related to security management. These results justify the need for research to make developing secure software smooth.
Article Preview

1. Introduction

Companies commonly use agile development methods, such as Scrum (Schwaber and Beedle, 2001) and Extreme Programming (XP) (Martin, 2003), to develop their evolving software. These methods are associated with better developer productivity, product quality, and customer satisfaction than the waterfall methods (Dyba and Dingsoyr, 2008). They embrace requirement changes and prefer frequent deliveries, and their practices do not include security engineering activities. These characteristics, and others, make developing secure software using these methods challenging (McGraw, 2002). For instance, it is difficult to implement verification gates in the processes that implement these methods because the cost of these gates would be very high if they had to be repeated several times during the development of the project (Ben Othmane et al., 2014).

Many papers discuss the challenges of developing secure software using the agile development methods. For instance, Beznosov and Kruchten evaluated the mismatches between security assurance methods/techniques and agile practices (Beznosov and P. Kruchten, 2004), and Ferdous et al. (Adila, et al., 2014) reviewed the challenges of developing secure software using the Feature Driven Development (FDD) method and assessed the feasibility of integrating security activities into FDD. Companies and researchers have proposed some solutions to these challenges. These solutions focus, in general, on enhancing the agile development methods, such as Scrum, XP, FDD and the Dynamic Systems Development Method (DSDM), by introducing security activities and security expert roles in the development process (Sullivan, 2010), (Ben Othmane et al., 2014), (Imran, et al., 2014), (Imran and Izzaty, 2013), (Adila, et al., 2013) and (Sani, et al., 2013). The other challenges are, in general, not addressed.

This paper addresses the following questions:

  • What are the challenges of developing secure software using the agile methods that have been proposed in the literature?

  • And are these challenges valid?

There are currently no comprehensive systematic literature reviews that address these questions properly. A systematic literature review is a means to identify, analyze, and interpret the available evidence (from publications) relevant to a research question by using a sound approach (Kitchenham and S. Charters, 2007), (Wohlin, 2012). The answers to both these questions should contribute to identifying the research challenges that the community shall address so that organizations can use the agile methods to develop secure software.

The paper reports on a study that examines the validity of the challenges of developing secure software using the agile development methods. It summarizes the challenges reported in 28 publications and evaluates their validity with respect to a set of agile development criteria and secure software development criteria. It is organized as follows. First, we provide a short background on the agile approach and the development of secure software in Section 2. Then, we describe in Section 3 the research method that we used to identify and validate the challenges. Next, we present in Section 4 the challenges that we identified from the selected publications, and we analyze the validity of the identified challenges in Section 5. We then discuss the limitations and impacts of the study in Section 6 and conclude the paper in Section 7.

This paper extends our earlier paper presented at the First International Workshop on Agile Secure Software Development (Oueslati et al. 2015).

2. Background

This section provides an overview of the Agile Software Development (ASD) approach and of developing secure software.
