ChapterPDF Available

Towards Risk-Driven Security Requirements Management in Agile Software Development

Authors:
D. Ionita at University of Twente
D. Ionita
Coco van der Velden
Coco van der Velden
Coco van der Velden
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Henk-Jan Klein Ikkink
Henk-Jan Klein Ikkink
Henk-Jan Klein Ikkink
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Eelko Neven
Eelko Neven
Eelko Neven
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Show all 6 authorsHide
Download full-text PDF
Read full-text
Download citation

Abstract and Figures

The focus on user stories in agile means non-functional requirements, such as security, are not always explicit. This makes it hard for the development team to implement the required functionality in a reliable, secure way. Security checklists can help but they do not consider the application’s context and are not part of the product backlog. In this paper we explore whether these issues can be addressed by a framework which uses a risk assessment process, a mapping of threats to security features, and a repository of operationalized security features to populate the product backlog with prioritized security requirements. The approach highlights the relevance of each security feature to product owners while ensuring the knowledge and time required to implement security requirements is made available to developers. We applied and evaluated the framework at a Dutch medium-sized software development company with promising results.
Figures - uploaded by D. Ionita
Author content
All figure content in this area was uploaded by D. Ionita
Content may be subject to copyright.
Content uploaded by D. Ionita
Author content
All content in this area was uploaded by D. Ionita on Oct 31, 2019
Content may be subject to copyright.
Towards risk-driven security requirements
management in agile software development?
Dan Ionita1, Coco van der Velden2, Henk-Jan Klein Ikkink2, Eelko Neven2,
Maya Daneva1, and Michael Kuipers2
1University of Twente, Department Cybersecurity and Safety
Enschede, The Netherlands
{d.ionita,m.daneva}@utwente.nl
https://scs.ewi.utwente.nl/
2Centric B.V., Gouda, The Netherlands
{coco.van.der.velden,henk-jan.klein.ikkink,eelko.neven,michael.kuipers}@centric.eu
Abstract. The focus on user stories in agile means non-functional re-
quirements, such as security, are not always explicit. This makes it hard
for the development team to implement the required functionality in a
reliable, secure way. Security checklists can help but they do not consider
the applications context and are not part of the product backlog.
In this paper we explore whether these issues can be addressed by a
framework which uses a risk assessment process, a mapping of threats
to security features, and a repository of operationalized security features
to populate the product backlog with prioritized security requirements.
The approach highlights the relevance of each security feature to product
owners while ensuring the knowledge and time required to implement
security requirements is made available to developers. We applied and
evaluated the framework at a Dutch medium-sized software development
company with promising results.
Keywords: Secure software development ·Security requirements ·Risk
assessment ·Empirical research method
1 Introduction
Agile software development relies on the team’s ability to decompose, refine, and
operationalize high-level user requirements such as user stories. The majority of
users and customers lack awareness of the security risks in the implementation
and usage of the software and settle for compliance. Furthermore, most agile
teams do not have a security expert on board. Therefore, product owners (POs)
have a hard time identifying and prioritizing security requirements and develop-
ers often rely on security checklists which are not integrated with agile project
management processes and tools. This results in software which fails to properly
mitigate many risks relevant to its users or its application domain.
?Supported by The Netherlands Organisation for Scientific Research (NWO) in the
context of cyber-security research (grant number 628.001.011)
2 D. Ionita et al.
To address this, we propose a secure software development framework con-
sisting of (1) a high-level risk assessment process to be undertaken with the
application’s stakeholders, (2) a mapping of threats to security requirements
and (3) a searchable repository of security requirements integrated with agile
project management tools. The goal of the risk assessment is to identify and
prioritize risks, the mapping is used to derive high level security requirements
(i.e. features) based on these risks, and the repository makes it easy to inject
these features together with their operationalizations into the agile development
workflow. The three components work together to support risk-driven selection,
prioritization and implementation of security requirements in a way that requires
minimal security knowledge and effort from users, customers, and POs. As a
whole, the approach is designed to provide traceability of security requirements
and forces the development team to consider the effort required to implement
security features in their planning.
The framework aims to align with the agile manifesto[3]. First, it provides a
means to discuss security with the customer of an agile project. Second, it pro-
duces a list of prioritized requirements in a format that can be directly imported
into product backlogs. Third, it leaves it up to the teams to break down the re-
quirements into tasks and add these to sprints. Fourth, it includes control points
for testing the implementation. Fifth, it is able to respond to changes in the risk
landscape. Furthermore, the framework was applied in a real-life organization
and its evaluation shows promising results.
In what follows, Section 2 summarizes our research methodology. Sections 3
and 4 position our work in relation to the real-world problems that we want to
address as well as related publications. Section 5 introduces our framework based
on a practical example of how this was implemented at Centric, a medium-sized
software development company. Section 6 discusses our preliminary evaluation
and Section 7 draws wraps up with conclusions and future work.
2 Research methodology
This paper is the result of an extensive collaboration between the University of
Twente and Centric B.V., a medium-sized Dutch application provider. Therefore,
the underlying methodology applied throughout the research is Technical Action
Research (TAR): a technique is designed and applied to a real-life problem in
order to draw conclusions about both the technique and the problem. TAR
helps both the company, in that it is provided with a working solution, and the
researcher, in that he/she has the opportunity to perform real-life validation[20].
Problem investigation To better understand the problem context, we did a litera-
ture survey on security requirements management in agile software development.
In parallel, we interviewed security coordinators, penetration testers, develop-
ers, POs, as well as the management and governance team working on various
projects within Centric. The findings are summarized in the Section 3.
Risk-driven security requirements management in agile 3
Treatment design To define our solution direction, we explored literature on
strategies for incorporating security in agile workflows. The findings are sum-
marized in Section 4. We designed a framework which aligns with some of these
strategies while addressing the issues highlighted by the problem investigation.
Each component of the framework was developed iteratively in consultation with
relevant stakeholders from Centric. The framework is described in Section 5.
Treatment validation To validate the proposed treatment we ran five focus
groups within Centric where we applied the risk assessment methodology de-
scribed in Section 5.1. We systematically compared the results of applying the
mapping described in Section 5.2 to the judgment of security experts. Finally,
we created a template project according to the repository structure proposed
in Section 5.3 in a major issue tracking software and ran a survey to assess its
usability and utility.
3 Motivation and background
Established approaches to security engineering as part of software development
fail to address the particular needs of agile [2]. As a result, security considerations
in agile software development are often based on security baselines, despite the
fact that best practice insists security should be risk-driven [1,8,4]. ”Discrete
techniques” such as security checklists integrate very poorly into agile approaches
[18]. The requirements listed in baselines and checklists don’t always have an
owner and are often considered towards the end of development[19].
Daneva & Wang[5] indicate that security requirements engineering in agile
boils down to documenting risks and mitigations. But POs, as well as devel-
opers, often lack security knowledge[19]. Our framework provides assistance in
formulating risk scenarios and centralizes security knowledge, making it easily
reusable across teams and even across projects.
Daneva and Wang also point out that the gate-keeping role of the PO often
hampers the elicitation and implementation of security requirements. This is
mainly because agile is business-value-driven [3] and security is hard to ”sell”
[6]. We propose mitigating this by highlighting the business value in terms of
risk reduction that each security requirements provides.
Furthermore, our informal interviews and conversations with domain experts
and stakeholders revealed that:
Security requirements are not risk-based. We mitigate this by maintaining a
mapping base of risks and requirements.
Security requirements are not user-driven. We mitigate this by prescribing a
non-technical risk assessment methodology.
Security requirements are not application-specific. We mitigate this by link-
ing requirements to the result of the risk assessment.
Penetration tests are standardized. We mitigate this by generating a list of
the most important security requirements to be tested.
4 D. Ionita et al.
Security requirement documents are missing implementation-specifics. We
mitigate this by maintaining a central repository of operationalized security
features.
It’s hard to keep track of the implementation status of security requirements.
We mitigate this by making security requirements available on issue trackers.
4 Related work
Siponen et al [18] conclude that an agile security requirements management
technique must include a quantified risk assessment in the requirements analysis
phase. Security requirements should be explicitly included in the design phase,
their implementation must be monitored throughout the implementation phase
and they should be tested in the testing phase. Our proposal mandates starting
with a risk assessment, including the resulting requirements in the planning and
effort estimations, and making sure acceptance criteria are known and tested.
A notable approach for eliciting security requirements in agile are abuser
stories. Similar to abuse cases, they document threat scenarios [14,15]. However,
this approach has some caveats. E.g. several threat scenarios can be mitigated
by the same security feature, sometimes with different efficiency. And since most
issue trackers do not allow a backlog item to have multiple parents, defining
these as backlog items results in many security requirements being duplicated.
This would also fail to reflect the relative importance of security features with
regard to their efficacy and the number of threat scenarios they mitigate. In
order to avoid these issues, our approach maintains a separate overview of threat
scenarios as part of the risk assessment document described in Section 5.1.
Terpstra et al. [19] performed a practitioner survey of problems and coping
strategies for handling security requirements in agile project management and
agile software development projects. The methodology proposed in this paper
aligns well with many of these strategies. For example, by adding security fea-
tures including acceptance criteria - to the backlog we are making sure they
are considered during effort estimations, and that these features are part of the
definition of done.
5 The proposed framework
The aim of the framework is to support the identification, prioritization and
implementation of security requirements in an agile workflow. Its application
consists of three phases:
1. Risk assessment: Each risk is quantified and mapped to one or more of
threats in consultation with relevant stakeholders (the left side of Figure 5).
This performed according to a pre-defined risk assessment methodology de-
scribed in 5.1 below.
Risk-driven security requirements management in agile 5
2. Prioritization of security requirements: Based on the ranked list of
threats resulting from the risk assessment, a prioritized list of security re-
quirements is automatically derived (the middle part of Figure 5). This is
achieved by means of an intermediary threat-requirement map described in
5.2 below.
3. Populate product backlog: The PO imports the relevant security require-
ments with associated priorities to the product backlog of his agile issue
tracking tool of choice (the right side of the Figure 5). This is facilitated by
means of a security requirements repository described in 5.3 below.
PBIs Features Epic
Ranked
threats
Prioritized
security
requirements
Tea m
Foundation
Server
Risk
assessment
1. Identify risks
Describe in natural
language
2. For each risk
Classify (C/I/A)
Identify threat agent(s)
Identify threat(s)
Estimate likelihood
Estimate impact
Prioritization of security
requirements (automatic)
Populate
product
backlog
(manual)
Risk
assessment
(manual)
Security
Desc + CP
Desc + CP
Desc + CP
Desc + CP
SR 1 SR 3
Threats Security
requirements
Threat A
Threat B
SR 1
SR 2
SR 3
SR 2
Desc + CP
Fig. 1. Overview of the proposed framework
5.1 The risk assessment methodology
Most secure software development guidelines such as the CIP Overheid[12] or the
ISO 27000x series [9,10,11] recommend performing a risk or threat assessment
as early in the software lifecycle as possible. This helps avoid architectural risks
and reduces the amount of work needed to fix security issues late in the project.
But more importantly, it provides a good understanding of the most significant
threats and risks.
In our framework, risk assessment serves as a starting point. Its results are
to be correlated with the mapping described in the following section in order
to produce a ranked list of security requirements. To this end, the risk assess-
ment must be correct and complete, and should therefore be performed in close
consultation with the PO and customer in order to make sure the most rel-
evant risks are identified, that the impact estimations are accurate, and that
the resulting mitigations are taken into consideration during agile planning. In
6 D. Ionita et al.
addition, the assessment must produce output which can be consumed by the
threat-requirement map, namely a quantitative ranked list of pre-defined threats.
Structure We use a spreadsheet as the basis for our assessment, see Figure 5.1.
It consists of the following columns:
Risk label - a brief description of the risk.
Explanation - an description of the process by which the risk could materialize.
Type - Confidentiality, Integrity, or Availability.
Threat agent(s) - An individual or group which are likely to try to materialize
the risk.
Threat(s) - One or more cyber-threats by which the risk could materialize.
Likelihood - The expected frequency with which the Threat agent would at-
tempt to use the Threat in order to materialize the risk.
Impact - The cost or loss caused by the occurrence of the risk.
Rating - Likelihood x Impact.
Risk label Explanation Type
C/I/A Threat agent(s) Threat(s)
Likelihood
(0-100)
Impact
(0-100)
Expose data of
famous people
Employee accidentaly leaks per sonal (sensitive)
information of Politicians o r celeberties. E.g.HR
reviews, medical info, leave.
Confidentiality Insiders Information
leakage 50 50
Data breach -
famous people
Hacker beach the system. Po liticians, Royal and
celeberties have personal ( sensitive) exposed. E.g.
HR reviews, medical info, leave.
Confidentiality Cyber-crimin als Data breach 20 55
Hacktivist leak
sensitive info
Hackivist - targeted attack e.g. salary data of
politicians and charities, to e xpose controversial
information.
Confidentiality Hacktivists Data breach,
Phishing 565
Fraudulent
contract
adjustments
HR contracts are adjusted for personal benefit. E.g.
salary, or contract hours. Integrity Insiders
Insider threat,
Web-based
attack
10 15
Fig. 2. Fragment of a risk assessment
Process The table (Fig. 5.1) is filled in from left to right, however, we found
that first selecting a likely threat agent stimulates creativity. This is in line with
the philosophy of the Intel’s Threat Agent Risk Assessment[17] which starts by
agreeing on a list of relevant threat agents. Each risk is given a label, described
in free text, and classified in terms as confidentiality, integrity, or availability. In
order to further scope down the risk and ensure consensus among participants,
a relevant threat agent(s) is chosen if one was not chosen already. It is possible
that the same risk produces a different impact, or manifests with a different
likelihood depending on the threat agent and their purpose. Therefore, the same
risk may appear on multiple rows, but mapped to a different threat agent. Then,
each risk is mapped to one or more of the pre-defined threats. Finally, each risk
is quantified in terms of likelihood and impact which are multiplied in order to
obtain a risk rating.
Risk-driven security requirements management in agile 7
5.2 The threat-feature map
To arrive at the ranked list of security requirements needed to populate the prod-
uct backlog, a mapping between the threat taxonomy used in the risk assessment
and a set of security features is necessary. To strengthen the usability and jus-
tifyability of the mapping, the list of threats should be based on an established
threat taxonomy such as ENISA’s[7] or Intel’s [17], and the list of requirements
should be based on established secure software development guidelines such as
OAWSP[16] or Grip on SSD [13]. Note that there is a many-to-many relationship
between threats and requirements. Furthermore, this relationship is not binary;
some security requirements are better at mitigating a threat than others. This
relevance factor should also be reflected in the mapping.
Fig. 3. A simple example of using the threat-requirements map for prioritization
Figure 5.2 shows a simple example of using the mapping to automatically
derive a list of prioritized requirements:
1. Sum up the rating of each risk where a particular threat is mentioned, we
obtain a ranked list of threats with relative ratings.
2. Then, for each security requirement, sum up the relative rating of each threat
it mitigates multiplied by the threats’ relevance factor.
What we end up with is a ranked list of security requirements with relative
ratings. These rating is finally normalized to a scale which matches the one used
in sprint planning, usually 1 to 4.
5.3 The security requirements repository
An important aspect of the proposed methodology is that it helps the develop-
ment team account for security requirements during sprint planning by making
prioritized security requirements available on the product backlog. Therefore,
the ranked list of requirements produced by applying the threat-requirement
mapping to the results of the risk assessment needs to find their way into the
8 D. Ionita et al.
product backlog. Furthermore, these requirements need to be operationalized.
To facilitate this, we propose creating a repository of security requirements in
the agile issue tracking software being used by the development team. To be
able to do so, we overload established agile terminology to accommodate secu-
rity requirements, as shown in Figure 5.3 below. The security features stored in
the mapping of 5.2 are defined as Features and their respective requirements are
stored as User Stories.
Epic
Feature
ProductBacklogItem(scrum)
UserStory(agile)
Security
Security
feature
Securityrequirement
Fig. 4. Casting security requirements into the agile taxonomy
In order to promote accessibility and re-usability of this knowledge, we pro-
pose storing the repository as a template project in the software development
project management toolkit of choice (e.g. Microsoft TFS/VSTS or JIRA).
Based on the results of applying the mapping described in Section 5.2, the PO
can import the relevant security features from the repository and assign priorities
to them. This can be done manually or by means of an extension such as Issue
templates for JIRA3. As long as the selected features are imported together with
their children (i.e. the associated backlog items), then all relevant information
will be visible on the developers backlog.
Implementation of the requirements can then take place as per the agile
philosophy: the requirements are broken down into tasks, effort estimations are
performed, and the tasks are assigned to sprints, based on the priorities of their
parent features.
6 First evaluation
In order to evaluate the proposed framework, we tested each of its three compo-
nents individually in practical settings. Specifically, we investigated whether:
1. the risk assessment methodology is usable;
2. the threat-requirement map produces a correct ranking of security features;
3https://marketplace.atlassian.com/apps/1211044/issue-templates-for-jira
Risk-driven security requirements management in agile 9
3. and the security requirements repository is able to store a security require-
ments knowledge base.
We used ENISA’s Threat Landscape [7] as a source for threats and CIP Over-
heid’s Grip on Secure Software Development [13] as a source of security features
and requirements. Both knowledge bases are well established in academia as well
as practice and are actively maintained. The threats were added as a drop-down
to the risk assessment spreadsheet, the requirements were added to the secu-
rity requirements repository, and they were both mapped to each other in the
threat-feature map.
The risk assessment methodology We performed a total of five assessments
together with the PO and one other stakeholder of five different applications from
a variety of domains: finance, HR, retail, social, and privacy. The risk assessment
sessions lasted between two and three hours and resulted in the identification of
an average of 18 risk scenarios per assessment. All assessments were facilitated
by at least one of the authors.
We observed the participants found the exercise engaging and simply going
through each threat helped them identify risks they had not considered. We also
administered a questionnaire after each session, the results of which are shown
in Table 1.
Table 1. Practitioner feedback on the risk assessment methodology
Question Average rating (1-5)
Has the assessment helped you identify risks? 3.2
Has the assessment helped you understand risks? 3
Has the assessment helped you select security requirements? 3
Would you execute the assessment with clients? 3.2
How easy was performing the assessment? 3.4
Would you recommend the assessment to others? 4.4
Is the assessment suitable for agile processes? 1.8
After the assessment, participants felt they have a better awareness and
understanding of the risks their application is exposed to. Even though the
questionnaire was administered before the participants were shown the resulting
feature prioritization, many stated the assessment helped them think of impor-
tant security requirements. On average, the participants felt the assessment was
not difficult, despite lacking security expertise and having no security experts
in the session. Participants also indicated they would perform the assessment
with a client and that they highly recommend other teams perform one. The
assessment was not deemed suitable for agile processes. However, the assess-
ment is meant as an entry point in order to obtain a list of requirements and
priorities without security knowledge; once the requirements are copied to the
10 D. Ionita et al.
project backlog, their implementation can take place in an agile way. Further-
more, changes to the application’s risk profile can be reflected in the assessment
in order to re-calibrate the priorities at any time.
The threat-feature map In order to assess the feasibility of defining a map-
ping of threats to security features, the authors manually mapped the 15 threats
maintained by ENISA[7] to the 27 security features part of the CIP Overheid’s
Grip on SSD[13]. For each threat, we evaluated the likelihood (high-medium-low)
it would exploit common one of the web-application vulnerabilities used inter-
nally for penetration testing. Then, for each vulnerability, we specified which
security feature is able to mitigate it. The result was a matrix of relevance fac-
tors for each threat-feature tuple.
We asked three security experts in our partner organization to manually
assign priorities of 0 (do not implement) to 4 (critical) to each of the security
features in our mapping given the results of one of the risk assessment. Each
expert was given the assessment of a different application but none of the experts
were familiar with the application itself nor were they involved in creating the
mapping. The threat-feature map only uses the threat and risk rating columns,
however, the human assessors could base their judgment on the entire table.
Table 2 compares the automated prioritization to the manual one for each
application. In two of the three assessments the automatically generated results
differed significantly from the expert judgment. However, the automatically as-
signed priorities were similar to the manual ones for the HR system. Across
the three assessments 1-in-4 of security features were assigned the same priority
by the mapping and the expert. Of the features which were assigned different
priorities, 57% deviated by one.
Table 2. Statistical comparison of the automated prioritisation vs. expert judgment
Application Privacy HR Taxes
Correct guesses 3 8 9
Off by 1 14 14 7
Correlation -0.18 0.28 0.12
p-value 0.82 0.07 0.26
Despite promising results with the HR application, the mapping has overall
failed to deliver a prioritization significantly better than random when compared
to expert judgment. Either (1) the mapping is ncorrect or incomplete, or (2)
judging the priorities is difficult and error-prone. Both explanations could be
investigated given higher availability of experts by (1) using the expert judgments
to infer a mapping or (2) measuring inter-expert agreement.
The security requirements repository To validate our claim that the struc-
ture proposed in Figure 5.3 is able to encode any security requirement we de-
Risk-driven security requirements management in agile 11
fined a template project in Microsoft Team Foundation Server (TFS) and used
it to store the entire set of high-level security requirements, operationalized re-
quirements, and control points mandated by the CIP Overheid’s Grip on Secure
Software Development. We also wrote a script which is able to import these
requirements into any other TFS project. We are currently working on a graph-
ical TFS extension to make this process easier and allow users to also assign
priorities during the import (more on this in Section 7).
7 Conclusions
Simply performing a risk assessment as described in Section 5.1 raises awareness
of security issues. Experts did not always agree with the priorities assigned by
the threat-requirement mapping, but found manual prioritization difficult. Fi-
nally, we showed how the availability, usability, and maintainability of a security
baseline can be improved by storing it as a linked collection of backlog items.
We believe our framework can help agile development teams take security into
account during by providing a first indication of the most important security
features, their priority, and the tasks required. Security experts should still be
involved during implementation and testing; they can use the assessment and
initial prioritization as a starting point or reference.
The proposed framework was developed and tested at a single Dutch soft-
ware developer, and only applied to mobile and web applications. However, the
developer makes use of standard stacks, development practices, and supporting
tools. Therefore, following Wieringa[20], we think that the framework could po-
tentially be applicable to other organizations that have similar organizational
and software development context to the one of our partnering Dutch company.
Nevertheless, we are looking for industry partners to refine the threat-feature
map and strengthen our evaluation. We also want to extend the security require-
ments repository with technology-specific and domain-specific requirements to
enable selection as well as prioritization. Finally, we are exploring using Artificial
Intelligence to prioritize requirements based on prioritizations of experts.
References
1. Ayman Hammoudeh: A risk-driven approach to security, from check boxes to risk
management frameworks (2016), https://securityintelligence.com/a-risk-
driven-approach-to-security- from-check-boxes-to-risk- management-
frameworks/
2. Baskerville, R.: Agile security for information warfare: A call for research. ECIS
2004 Proceedings p. 13 (2004)
3. Beck, K., Beedle, M., van Bennekum, A., Cockburn, A., Cunningham, W., Fowler,
M., Grenning, J., Highsmith, J., Hunt, A., Jeffries, R., Kern, J., Marick, B., Martin,
R.C., Mellor, S., Schwaber, K., Sutherland, J., Thomas, D.: Manifesto for Agile
Software Development (2001)
4. Boehm, B.W.: A spiral model of software development and enhancement. Com-
puter 21(5), 61–72 (1988)
12 D. Ionita et al.
5. Daneva, M., Wang, C.: Security requirements engineering in the agile era:
How does it work in practice? In: 2018 IEEE 1st International Workshop on
Quality Requirements in Agile Projects (QuaRAP). pp. 10–13 (Aug 2018).
https://doi.org/10.1109/QuaRAP.2018.00008
6. Davis, A.: Return on security investment–proving it’s worth it. Network Security
2005(11), 8–10 (2005)
7. ENISA Threat Landscape 2017: 15 Top Cyber-Threats and Trends. Tech.
rep., European Union Agency For Network and Information Security (2017).
https://doi.org/10.2824/967192
8. Goldfarb, J.: Risk-driven security: The approach to keep pace with ad-
vanced threats (2015), https://www.securityweek.com/risk-driven-security-
approach-keep-pace-advanced- threats
9. Information technology – Security techniques – Information security management
systems – Requirements. Standard ISO 27001:2005, International Organization for
Standardization (ISO) (2005)
10. Information technology – Security techniques – Code of practice for information
security management. Standard ISO 27002:2005, International Organization for
Standardization (ISO) (2005)
11. Information technology – Security techniques – Information security risk manage-
ment. Standard ISO 27005:2011, International Organization for Standardization
(ISO) (2011)
12. Koers, M., Paans, R., van der Veer, R., Kok, C., Breeman, J.: Grip
on secure software development (ssd): the client at the helm, version
2.0. Tech. rep., Centrum voor Informatiebeveiliging en Privacybescherming
(CIP) (March 2015), https://www.cip-overheid.nl/wp-content/uploads/2018/
01/20160622 Grip on SSD The method v2 0 EN.pdf
13. Koers, M., Tewarie, W.: Grip on secure software development (ssd): Se-
curity requirements for (web) applications, version 2.0. Tech. rep., Cen-
trum voor Informatiebeveiliging en Privacybescherming (CIP) (Oct 2014),
https://www.cip-overheid.nl/wp-content/uploads/2018/08/20180821-Grip-
on-SSD-Security-requirements- v2.0-2.pdf
14. McDermott, J.: Abuse-case-based assurance arguments. In: Computer Security Ap-
plications Conference, 2001. ACSAC 2001. Proceedings 17th Annual. pp. 366–374.
IEEE (2001)
15. McDermott, J., Fox, C.: Using abuse case models for security requirements analysis.
In: Computer Security Applications Conference, 1999.(ACSAC’99) Proceedings.
15th Annual. pp. 55–64. IEEE (1999)
16. OWASP: Top 10–2013: The ten most critical web application security risks. The
Open Web Application Security Project (2013)
17. Rosenquist, M.: Prioritizing information security risks with threat agent risk as-
sessment. Intel Corporation White Paper (2009)
18. Siponen, M., Baskerville, R., Kuivalainen, T.: Integrating security into agile devel-
opment methods. In: System Sciences, 2005. HICSS’05. Proceedings of the 38th
Annual Hawaii International Conference on. pp. 185a–185a. IEEE (2005)
19. Terpstra, E., Daneva, M., Wang, C.: Agile practitioners understanding of security
requirements: Insights from a grounded theory analysis. In: 2017 IEEE 25th Inter-
national Requirements Engineering Conference Workshops (REW). pp. 439–442.
IEEE (2017)
20. Wieringa, R.J.: Design science methodology for information systems and software
engineering. Springer (2014)
... ✓ US4USec should include an AC section, which should be designed to accommodate the AC for the USec requirements. 4. Assisting/empowering users to express/specify their NFR: several researchers propose the use of NFR elicitation/reasoning/validation taxonomies [15], a searchable repository of security requirements [16], and Heuristics [8,13] to facilitate the incorporation of NFR aspects into US. ⊕ Users may not be able to express/specify their NFR, and they need to be empowered and assisted to do that [15,16,8,13]. ...
... 4. Assisting/empowering users to express/specify their NFR: several researchers propose the use of NFR elicitation/reasoning/validation taxonomies [15], a searchable repository of security requirements [16], and Heuristics [8,13] to facilitate the incorporation of NFR aspects into US. ⊕ Users may not be able to express/specify their NFR, and they need to be empowered and assisted to do that [15,16,8,13]. ⊖ Assisting users may influence their behavior and their specified requirements. ✓ US4USec could benefit from the use of USec heuristics to facilitate the incorporation of USec aspects into US. 5. Considering more than the user perspective and/or engaging others besides the user in furnishing the US and its corresponding AC: several works suggested considering the developers' perspectives [5], involving an expert group to evaluate US considering quality aspects, and it is wellaccepted that product owners are, usually, responsible for writing AC [16]. ...
... ⊖ Assisting users may influence their behavior and their specified requirements. ✓ US4USec could benefit from the use of USec heuristics to facilitate the incorporation of USec aspects into US. 5. Considering more than the user perspective and/or engaging others besides the user in furnishing the US and its corresponding AC: several works suggested considering the developers' perspectives [5], involving an expert group to evaluate US considering quality aspects, and it is wellaccepted that product owners are, usually, responsible for writing AC [16]. ...
US4USec: A User Story Model for Usable Security
Chapter
Full-text available
  • May 2024
Constant integration of new technologies in our daily lives exposes us to various security threats. While numerous security solutions have been developed to protect us from these threats, they fail due to users’ insufficient comprehension of how to employ them optimally. This challenge often stems from inadequate capture of Usable Security (USec) requirements, leading to these requirements being overlooked or not properly considered in the final solution, resulting in barely usable security solutions. A viable solution is to adeptly capturing USec requirements. Although techniques like User Stories (US) have gained popularity for focusing on users’ needs, they encounter difficulties when dealing with non-functional requirements (NFR), like USec. This occurs due to the lack of well-defined US models explicitly tailored to address these particular requirements. This paper aims to tackle this issue by proposing US4USec, a US model tailored for USec. US4USec has been constructed based on best practices for the consideration and integration of NFR into US models that have been identified via a Systematic Literature Review (SLR). The coverage and completeness of US4USec have been demonstrated by applying it to a set of security US.
View
... The main difference is that planning, modeling, prioritization, and monitoring activities are commonly performed at the operational level. These are activities such as security "games" (as mentioned earlier), security test cases and test plan reviews, attack surface recognition and reduction [44], security goals identification [45,51], security meetings [13], defining criticalities [44], and prioritization of security requirements [64]. On the other hand, risk management activities are performed at the strategic level. ...
... The security prioritization and monitoring group is a set of activities that prioritize specific security goals, requirements, activities, and monitor their implementation (e.g., business impact analysis, protection poker, continuous aligning of business and security goals). [42][43][44][45][46]48,51,56,64,70,71] Risk management (RiskManag) Risk management activities help identify, assess, and control threats to the end product on a strategic level (e.g., risk identification, risk assessment, hazard analysis). [45,47,[50][51][52][53][54][55][64][65][66] Security planning and threat modeling (SPlanModel) Security planning and threat modeling are activities for structured identification of potential operational threats, such as structural vulnerabilities or the absence of appropriate safeguards (e.g., security modeling, threat modeling). ...
... [42][43][44][45][46]48,51,56,64,70,71] Risk management (RiskManag) Risk management activities help identify, assess, and control threats to the end product on a strategic level (e.g., risk identification, risk assessment, hazard analysis). [45,47,[50][51][52][53][54][55][64][65][66] Security planning and threat modeling (SPlanModel) Security planning and threat modeling are activities for structured identification of potential operational threats, such as structural vulnerabilities or the absence of appropriate safeguards (e.g., security modeling, threat modeling). [44,45,51,52,55,67,68] Security requirements engineering (SReqEng) ...
Agile Development of Secure Software for Small and Medium-Sized Enterprises
Article
Full-text available
  • Jan 2023
Although agile methods gained popularity and became globally widespread, developing secure software with agile methods remains a challenge. Method elements (i.e., roles, activities, and artifacts) that aim to increase software security on one hand can reduce the characteristic agility of agile methods on the other. The overall aim of this paper is to provide small- and medium-sized enterprises (SMEs) with the means to improve the sustainability of their software development process in terms of software security despite their limitations, such as low capacity and/or financial resources. Although software engineering literature offers various security elements, there is one key research gap that hinders the ability to provide such means. It remains unclear not only how much individual security elements contribute to software security but also how they impact the agility and costs of software development. To address the gap, we identified security elements found in the literature and evaluated them for their impact on software security, agility, and costs in an international study among practitioners. Finally, we developed a novel lightweight approach for evaluating agile methods from a security perspective. The developed approach can help SMEs to adapt their software development to their needs.
View
... However, several similarities in the proposed security solutions can be observed. For example, variations in security testing [12][13][14], risk analysis [15][16][17], threat modeling [18][19][20], and security-related backlogs [21][22][23] can be found in the literature, just to name a few. Hence, there is a benefit of consolidating all proposed security elements found in the AESS literature to gain insights into the variety of the proposed solutions and their elements and set the grounds for the future development of security solutions by exposing the knowledge gaps and possible over-saturation of particular security elements. ...
Identifying Key Activities, Artifacts and Roles in Agile Engineering of Secure Software with Hierarchical Clustering
Article
Full-text available
  • Apr 2023
Different activities, artifacts, and roles can be found in the literature on the agile engineering of secure software (AESS). The purpose of this paper is to consolidate them and thus identify key activities, artifacts, and roles that can be employed in AESS. To gain initial sets of activities, artifacts, and roles, the literature was first extensively reviewed. Activities, artifacts, and roles were then cross-evaluated with similarity matrices. Finally, similarity matrices were converted into distance matrices, enabling the use of Ward’s hierarchical clustering method for consolidating activities, artifacts, and roles into clusters. Clusters of activities, artifacts, and roles were then named as key activities, artifacts, and roles. We identified seven key activities (i.e., security auditing, security analysis and testing, security training, security prioritization and monitoring, risk management, security planning and threat modeling; and security requirements engineering), five key artifacts (i.e., security requirement artifacts, security repositories, security reports, security tags, and security policies), and four key roles (i.e., security guru, security developer, penetration tester, and security team) in AESS. The identified key activities, artifacts, and roles can be used by software development teams to improve their software engineering processes in terms of software security.
View
... However, the object of their research is not on software development projects. Ionita et al. proposed a secure software development framework with a manual stakeholder risk assessment process integrated with agile project management tools [9]. Qazi et al. introduced and operationalized a new method for prioritizing project risks using risk matrix data on construction projects [10]. ...
Predicting Risk Matrix in Software Development Projects using BERT and K-Means
Conference Paper
  • Oct 2022
This study aimed to create a risk matrix model for a software development project with 60.000 datasets from the Stack Overflow Question on Kaggle.com. BERT has been used for sentence embedding techniques to represent entire sentences and their semantic information as vectors, K-Means has been used to group sentences and calculate the frequency of occurrence so that the probability is expressed in the vertical direction, and TextBlob estimates the severity of the impact with sentiment analysis represented in the horizontal direction. Validation with BERT on the cluster formed by K-Means by creating a classification text with 86% accuracy results with 30 epochs. The proposed risk matrix formation model is a novelty that can be integrated into the risk management framework. The model determines risk priorities, especially in software development projects.
View
... Most selected primary studies proposed a technique, method, or tool to address privacy or security in agile software development [41,48,55,60,62,63,67,[70][71][72]. Regarding the specific context of the LGPD, some selected papers proposed a process, protocol, method, framework, or checklist [22,29,31,32,76]. ...
Guidelines adopted by agile teams in privacy requirements elicitation after the Brazilian general data protection law (LGPD) implementation
Article
Full-text available
  • Nov 2022
  • REQUIR ENG
The Brazilian General Data Protection Law (LGPD) implementation has impacted activities carried out by the software development teams. Due to it, developers had to become aware of the existing techniques and tools to carry out privacy requirements elicitation. Extending our previous work, we have investigated the actions taken by organizations regarding the LGPD, specifically in software development, considering the perception of agile development teams after two years of the LGPD implementation. In addition, we also investigated the perception of an agile team regarding the practices, techniques, and tools previously cited by practitioners as potential solutions for use in this context, along with techniques already in use in the current context. We have conducted a systematic literature review (SLR) and selected 36 primary studies. Furthermore, we have conducted a survey with 53 IT practitioners and semi-structured interviews with ten practitioners. The LGPD principles are known by most agile teams and are being implemented by the organizations, although the existing tools to support privacy requirements elicitation are still underused by agile teams. Moreover, agile teams consider that software requirements and software construction are the most impacted areas of knowledge by the LGPD, and most of them use user stories in privacy requirements elicitation. Our findings reveal that agile teams and Brazilian organizations are more concerned with user data privacy issues after the LGPD became effective. However, agile teams still face challenges in privacy requirements elicitation.
View
... Article (C11) presents a framework to help Agile development teams consider security priority in software risk. The framework was developed and tested on a single software developer in the Netherlands and only applied to mobile and web applications [56]. Therefore, this framework only covers one aspect of risk management, so it is necessary to develop a framework for other elements. ...
Risk Management in Software Development Projects: A Systematic Literature Review
Article
Full-text available
  • Oct 2022
Risk Management is an integral part of every project. Risk management must estimate the risks’ significance, especially in the SDLC process, and mitigate those risks. Since 2016, many papers and journals have researched planning, design, and risk control in software development projects over the last five years. This study aims to find the most exciting topics for researchers in risk management, especially in software engineering projects. This paper takes a systematic approach to reviewing articles containing risk management in software development projects. This study collects papers and journals included in the international online library database, then summarizes them according to the stages of the PICOC methodology. This paper results in the focus of research in the last five years on Agile methods. The current issue is that many researchers are trying to explicitly integrate risk management into the Agile development process by creating a comprehensive risk management framework. This SLR helps future research get a theoretical basis to solve the studied problem. The SLR explains the focuses of previous research, analysis of research results, and the weaknesses of the investigation. For further study, take one of the topic papers, do a critical review, and find research gaps.
View
View
Functional and Non‐Functional Requirements in Agile Software Development
Chapter
  • Feb 2023
Requirements analysis is an important step in assessing whether a system or software project will succeed. The most prevalent types of requirements are functional and non‐functional requirements. The essential characteristics that the system should deliver that the end‐user specifically demands are known as functional requirements. Non‐functional requirements are the minimum requirements that the system must meet in order to meet the project contract's requirements. The importance of these characteristics, as well as the extent to which they are implemented, varies from project to project. In Agile Software Development (ASD), functional requirements are prioritized, while non‐functional requirements are neglected, resulting in worse software quality and higher customer complaints. The stories of non‐functional requirements are examined, and acceptance parameters are defined, in order to solve these quality challenges. It is also essential to evaluate the developed system against the desires of the customer to increase customer satisfaction. The proposed chapter lays out the various ways of gathering functional and non‐functional requirements and testing them in the context of agile software development.
View
Minimizing Cost, Effort, and Implementation Complexity for Adopting Security Requirements in an Agile Development Process for Cyber‐Physical Systems
Chapter
  • Feb 2023
There have been development and improvement of numerous software engineering practices but we still need to find and adopt strategies to make the software more secure. Many software engineering practices currently being utilized have been rolled out prior to the development of the World Wide Web and internet and thus lags in ensuring defense against remotely performed and complex cyberattacks. We have techniques to automate the customer functionality requirement process which can be provided explicitly by the customer as well, but something that a customer expects implicitly from the developed system is the security requirements which the developers should be taken into consideration. Agile software development has a provision to adopt changes at the later stages, but the cost and effort of implementation get progressively more exponential in later stages. Moreover, the security requirements might not fix all the bugs in later stages of development. Hence there is a need to use effective strategies at the beginning of the project to define significant functional and security requirements to minimize the efforts, cost, and implementation complexities at the later stages of the agile software development life cycle. There have been improvements in defining the customer functionality requirements but the security defining mechanisms are still immature. This paper thus discusses the existing works that determine the implicit security requirements in the form of security compliance mechanisms, formal methods of security, security modeling techniques. It discusses techniques namely Fault Tree Analysis (FTA), Failure Modes and Effect Analysis (FMEA), System theoretic process analysis (STPA), Attack Tree Analysis (ATA), and many more. Also, a secure agile development framework is proposed to reduce the costs and efforts throughout the development. The key aspects of our framework rely on aggressive training, prototype development, plan and replan in the prototyping phase, integration of testing in each iteration, and implementation as per security standards.
View
Influencing the security prioritisation of an agile software development project
Article
Full-text available
  • Apr 2022
  • COMPUT SECUR
Software security is a complex topic, and for development projects it can be challenging to assess what security is necessary and cost-effective. Agile Software Development (ASD) values self-management. Thus, teams and their Product Owners are expected to also manage software security prioritisation. In this paper we build on the notion that security experts who want to influence the priority given to security in ASD need to do this through interactions and support for teams rather than prescribing certain activities or priorities. But to do this effectively, there is a need to understand what hinders and supports teams in prioritising security. Based on a longitudinal case study, this article offers insight into the strategy used by one security professional in an SME to influence the priority of security in software development projects in the company. The main result is a model of influences on security prioritisation that can assist in understanding what supports or hinders the prioritisation of security in ASD, thus providing recommendations for security professionals. Two alternative strategies are outlined for software security in ASD – prescribed and emerging – where we hypothesise that an emerging approach can be more relevant for SMEs doing ASD, and that this can impact how such companies should consider software security maturity.
View
View
View
Integrating Security into Agile Development Methods
Conference Paper
Full-text available
  • Feb 2005
Software developers can use agile software development methods to build secure information systems. Current agile methods have few (if any) explicit security features. While several discrete security methods (such as checklists and management standards) can supplement agile methods, few of these integrate seamlessly into other software development methods. Because of the severe constraints imposed by agile methods, these discrete security techniques integrate very poorly into agile approaches. This article demonstrates how the security features can be integrated into agile methods.
View
Agile Security For Information Warfare: A Call For Research.
Conference Paper
Full-text available
  • Jan 2004
The context of information security is changing dramatically. Networking technologies have driven the global expansion of electronic commerce. Electronic commerce is increasingly engaging sophisticated advances like digital agents and web services. As a result of such advances, the information systems architectures that must be secured are becoming dynamic: shifting landscapes of changing vulnerabilities. At the same time, the threats in these landscapes are also becoming more sophisticated and dynamic. Information warfare is raising the stakes in information security by leveling intensive and highly novel threats against civilian systems. Information security researchers need to develop organizational approaches and methodologies that respond to this new context. The conflation of information warfare and short cycle development theories promises new information security practices. These approaches and methodologies would effectively lead to agile information security development. Agile information security development anticipates threats and rapidly deploys necessary safeguards in the context of shifting systems landscapes amid pervasive systems threats.
View
Abuse-case-based assurance arguments
Conference Paper
Full-text available
  • Jan 2002
This paper describes an extension to abuse-case-based security requirements analysis that provides a lightweight means of increasing assurance in security relevant software. The approach is adaptable to lightweight software development processes but results in a concrete and explicit assurance argument. Like abuse-case-based security requirements analysis, this approach is suitable for use in projects without security experts. When used in this way (without security experts) it will not produce as much assurance as the more traditional alternatives, but arguably give better results than ad hoc consideration of security issues.
View
View
Design Science Methodology for Information Systems and Software Engineering
Book
  • Jan 2014
This book provides guidelines for practicing design science in the fields of information systems and software engineering research. A design process usually iterates over two activities: first designing an artifact that improves something for stakeholders and subsequently empirically investigating the performance of that artifact in its context. This validation in context is a key feature of the book - since an artifact is designed for a context, it should also be validated in this context.
View
Return on security investment - Proving it's worth it
Article
  • Nov 2005
The pressure is mounting on security professionals to justify what they spend. But up to now proving return on investment has proved very tricky – and frustrating. Certain methods of demonstrating a return on investment - often termed return on security investment (ROSI) – have been advanced, but use remains limited. As a result, security projects are often justified on fear, uncertainty and doubt. Justifying investment can be problematic because information security often delivers non-financial benefits, rather than an increase in revenue or a reduction in costs. Also, there is a lack of clear guidance about calculating the financial benefits of information security activities – not to mention the fact that security professionals usually don't have a financial background. Before reviewing some key purchasing trends, we take a look at a fresh approach, backed by many global corporations, to getting ROSI on track. In today's business environment, security professionals are increasingly under pressure to justify the investments made in information security by their organisations. Various methods of demonstrating a return on investment – often termed return on security investment (ROSI) – have been advanced, but use remains limited. As a result, security projects are often justified on fear, uncertainty and doubt.
View
A Spiral Model of Software Development and Enhancement
Article
  • Jan 1988
  • Software Eng Notes
This chapter describes a spiral model of software development and enhancement. The spiral model of the software process has been evolving for several years, based on experience with various refinements of the waterfall model as applied to large government software projects. The spiral model can accommodate most previous models as special cases and further provides guidance as to which combination of previous models best fits a given software situation. Development of the TRW Software Productivity System (TRW-SPS) is its most complete application to date. The chapter illustrates the radial dimension that represents the cumulative cost incurred in accomplishing the steps to date and the angular dimension that represents the progress made in completing each cycle of the spiral.
View
A Spiral Model of Software Development
Article
  • Jun 1988
This article opens with a short description of software process models and the issues they address. Subsequent sections outline the process steps involved in the spiral model; illustrate the application of the spiral model to a software project, using the TRW Software Productivity Project as an example; summarize the primary advantages and implications involved in using the spiral model and the primary difficulties in using it at its current incomplete level of elaboration; and present resulting conclusions. Background on software process models The primary functions of a software process model are to determine the order of the stages involved in software development and evolution and to establish the transition criteria for progressing from one stage to the next. These include completion criteria for the current stage plus choice criteria and entrance criteria for the next stage. Thus, a process model addresses the following software project questions:
View