TY - GEN
T1 - Adoption of Information Security Practices in Large-Scale Agile Software Development
T2 - 18th International Conference on Availability, Reliability and Security, ARES 2023
AU - Nägele, Sascha
AU - Korn, Lorena
AU - Matthes, Florian
N1 - Publisher Copyright:
© 2023 ACM.
PY - 2023/8/29
Y1 - 2023/8/29
N2 - Agile development methods have pervaded software engineering and are increasingly applied in large projects and organizations. At the same time, security threats and restrictive legislation regarding security and privacy are steadily rising. These two trends of agile software development at scale and increasingly important security requirements are often at odds with each other. Academic literature widely acknowledges the challenges that arise from this and discusses approaches to integrate these two partly conflicting trends. However, several researchers point out a need for empirical studies and evaluations of these approaches in practice. To fill this research gap, we conducted a case study in the finance industry. We identified 27 agile security approaches in academic literature. Based on these theoretical findings, we carried out observations, document analysis, and unstructured interviews to identify which approaches the case company applies. We then conducted semi-structured interviews with 10 experts and a survey with 62 participants to evaluate 14 approaches. One of the key results is that role and knowledge approaches, such as dedicated security roles and communities, are especially important in scaled agile development environments. In addition, the most beneficial security activities are easy to integrate, such as a security tagging system, peer security code reviews, security stories, and threat poker. We also contribute evaluation criteria as well as drivers and obstacles for the adoption of agile security approaches that can be used for further research and practice.
AB - Agile development methods have pervaded software engineering and are increasingly applied in large projects and organizations. At the same time, security threats and restrictive legislation regarding security and privacy are steadily rising. These two trends of agile software development at scale and increasingly important security requirements are often at odds with each other. Academic literature widely acknowledges the challenges that arise from this and discusses approaches to integrate these two partly conflicting trends. However, several researchers point out a need for empirical studies and evaluations of these approaches in practice. To fill this research gap, we conducted a case study in the finance industry. We identified 27 agile security approaches in academic literature. Based on these theoretical findings, we carried out observations, document analysis, and unstructured interviews to identify which approaches the case company applies. We then conducted semi-structured interviews with 10 experts and a survey with 62 participants to evaluate 14 approaches. One of the key results is that role and knowledge approaches, such as dedicated security roles and communities, are especially important in scaled agile development environments. In addition, the most beneficial security activities are easy to integrate, such as a security tagging system, peer security code reviews, security stories, and threat poker. We also contribute evaluation criteria as well as drivers and obstacles for the adoption of agile security approaches that can be used for further research and practice.
KW - case study
KW - large-scale agile
KW - security
KW - software development
UR - http://www.scopus.com/inward/record.url?scp=85169671925&partnerID=8YFLogxK
U2 - 10.1145/3600160.3600170
DO - 10.1145/3600160.3600170
M3 - Conference contribution
AN - SCOPUS:85169671925
T3 - ACM International Conference Proceeding Series
BT - ARES 2023 - 18th International Conference on Availability, Reliability and Security, Proceedings
PB - Association for Computing Machinery
Y2 - 29 August 2023 through 1 September 2023
ER -