Article Preview
Top1. Introduction
Protecting the organization’s assets from security threats is vital. Security cannot be treated as an add-on functionality or isolated product feature (Gary McGraw, 2006), and it is thus important that security is “built-in” in the process and the product. However, a traditional security engineering process is often associated with additional development efforts and is likely to invoke resentment among agile development teams (ben Othmane et al., 2014; Beznosov & Kruchten, 2004). A software security approach tailored to the agile mind-set thus seems necessary.
Some approaches have been proposed to integrate security activities into agile development, e.g., the Microsoft SDL for Agile (Microsoft, 2012). However, these approaches have been criticised for looking similar to the traditional versions in terms of workload (e.g., performing a long list of security verification and validation tasks) (ben Othmane et al., 2014). As a result, “agile” organizations have approached software security in a way that fits their process and practices. Statistics show that more than 70% of reported vulnerabilities are in the application layer (Fong & Okun, 2007) and not the network. Thus, regardless of whether agile is perceived to be incompatible with any particular secure software development lifecycle, the major discussion we should have is how to improve security within the agile context (Bartsch, 2011). Previous studies (Ayalew et al., 2013; Baca & Carlsson, 2011) have investigated which security activities are practiced in different organizations, and which are compatible with agile practices from cost and benefit perspectives. Using a survey of software security activities among software practitioners, they identify and recommend certain security activities that are compatible with agile practices such as; eliciting security requirements, using a role matrix, risk analysis, employing secure design principles, drawing countermeasure graphs, adhering to coding rules, wielding security tools, penetration testing, and operational planning and readiness.
While these activities could be argued to be beneficial and cost effective to integrate, there are still gaps between what is “adequate” security (Allen, 2005), and what is currently practiced within several organizations. According to Allen (2005), adequate security is defined as “The condition where the protection and sustainability strategies for an organization's critical assets and business processes are commensurate with the organization's tolerance for risk.”
The research presented here is motivated based on the perceived knowledge gaps in software security in agile software development organizations in Norway (Jaatun et al., 2015). In order to address these gaps, management must first understand the current status of software security practices and capability within their organization. This study is carried out in 2 organizations (in the following referred to as “Org-1” and “Org-2”), that develop software in telecommunication and transportation, respectively (see section 3.2.1 for more information on the two organizations). This paper extends our previous work (Oyetoyan et al., 2016) investigating existing practice, skills, and training needs within agile teams, by significantly expanding the background, exploring new dimensions of the data with additional research questions, and deeper discussion of the results. We want to know more on the training needs and understand the relationships between skills and usage of security activities among teams and across roles. The findings are important to guide management decisions towards improving security within their organization.