Collaborative security risk estimation in agile software development. (25th September 2019)
- Record Type:
- Journal Article
- Title:
- Collaborative security risk estimation in agile software development. (25th September 2019)
- Main Title:
- Collaborative security risk estimation in agile software development
- Authors:
- Tøndel, Inger Anne
Jaatun, Martin Gilje
Cruzes, Daniela Soares
Williams, Laurie
- Abstract:
- Purpose: Today, agile software development teams in general do not adopt security risk-assessment practices in an ongoing manner to prioritize security work. Protection Poker is a collaborative and lightweight software security risk-estimation technique that is particularly suited for agile teams. Motivated by a desire to understand why security risk assessments have not yet gained widespread adoption in agile development, this study aims to assess to what extent the Protection Poker game would be accepted by agile teams and how it can be successfully integrated into the agile practices. Design/methodology/approach: Protection Poker was studied in capstone projects, in teams doing a graduate software security course and in sessions with industry representatives. Data were collected via questionnaires, observations and group interviews. Findings: Results show that Protection Poker has the potential to be adopted by agile teams. Key benefits include good discussions on security and the development project, along with increased knowledge and awareness. Challenges include ensuring efficient use of time and gaining impact on the end product. Research limitations/implications: Using students allowed easy access to subjects and an ability to collect rich data over time, but at the cost of generalizability to professional settings. Results from interactions with professionals supplement the data from students, showing similarities and differences in their opinions on Protection Poker. Originality/value: The paper proposes ways to tackle the main obstacles to the adoption of the Protection Poker technique, as identified in this study.
- Is Part Of:
- Information and computer security. Volume 27:Number 4(2019)
- Journal:
- Information and computer security
- Issue:
- Volume 27:Number 4(2019)
- Issue Display:
- Volume 27, Issue 4 (2019)
- Year:
- 2019
- Volume:
- 27
- Issue:
- 4
- Issue Sort Value:
- 2019-0027-0004-0000
- Page Start:
- 508
- Page End:
- 535
- Publication Date:
- 2019-09-25
- Subjects:
- Case study -- Risk assessments -- Agile development -- Protection Poker -- Secure software engineering -- Software security
Computer security -- Management -- Periodicals
Computer networks -- Security measures -- Periodicals
Data protection -- Management -- Periodicals
658.47
- Journal URLs:
- http://www.emeraldinsight.com/loi/ics
http://www.emeraldinsight.com/
- DOI:
- 10.1108/ICS-12-2018-0138
- Languages:
- English
- ISSNs:
- 2056-4961
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 4481.796000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 17457.xml