Abstract
Agile development methods have pervaded software engineering and are increasingly applied in large projects and organizations. At the same time, security threats and restrictive legislation regarding security and privacy are steadily rising. These two trends of agile software development at scale and increasingly important security requirements are often at odds with each other. Academic literature widely acknowledges the challenges therefrom and discusses approaches to integrate these two partly conflicting trends. However, several researchers point out a need for empirical studies and evaluations of these approaches in practice. To fill this research gap, we conducted a case study in the finance industry. We identified 27 agile security approaches in academic literature. Based on these theoretical findings, we carried out observations, document analysis, and unstructured interviews to identify which approaches the case company applies. We then conducted semi-structured interviews with 10 experts and a survey with 62 participants to evaluate 14 approaches. One of the key results is that role and knowledge approaches, such as dedicated security roles and communities, are especially important in scaled agile development environments. In addition, the most beneficial security activities are easy-to-integrate, such as a security tagging system, peer security code reviews, security stories, and threat poker.We also contribute evaluation criteria as well as drivers and obstacles for the adoption of agile security approaches that can be used for further research and practice.
Conference (0)
There are no subpages or files.