Collaborative security risk estimation in agile software development
Information and Computer Security
ISSN: 2056-4961
Article publication date: 17 June 2019
Issue publication date: 23 September 2019
Abstract
Purpose
Today, agile software development teams in general do not adopt security risk-assessment practices in an ongoing manner to prioritize security work. Protection Poker is a collaborative and lightweight software security risk-estimation technique that is particularly suited for agile teams. Motivated by a desire to understand why security risk assessments have not yet gained widespread adoption in agile development, this study aims to assess to what extent the Protection Poker game would be accepted by agile teams and how it can be successfully integrated into the agile practices.
Design/methodology/approach
Protection Poker was studied in capstone projects, in teams doing a graduate software security course and in sessions with industry representatives. Data were collected via questionnaires, observations and group interviews.
Findings
Results show that Protection Poker has the potential to be adopted by agile teams. Key benefits include good discussions on security and the development project, along with increased knowledge and awareness. Challenges include ensuring efficient use of time and gaining impact on the end product.
Research limitations/implications
Using students allowed easy access to subjects and an ability to collect rich data over time, but at the cost of generalizability to professional settings. Results from interactions with professionals supplement the data from students, showing similarities and differences in their opinions on Protection Poker.
Originality/value
The paper proposes ways to tackle the main obstacles to the adoption of the Protection Poker technique, as identified in this study.
Keywords
Acknowledgements
This work was supported by the SoS-Agile – Science of Security in Agile Software Development project, funded by the Research Council of Norway (grant number 247678). Thanks to the course organizers of TDT4290 (Prof Jon Atle Gulla and Prof John Krogstie) and the participating students at NTNU and North Carolina State University. Thanks to Tosin Daniel Oyetoyan for contribution to the capstone study. Thanks to Prof Pekka Abrahamsson for input on the capstone study design. Thanks also to the companies that participated in the events and to those helping with facilitation at the security conference (Per Håkon Meland and Marie Moe).
Citation
Tøndel, I.A., Jaatun, M.G., Cruzes, D.S. and Williams, L. (2019), "Collaborative security risk estimation in agile software development", Information and Computer Security, Vol. 27 No. 4, pp. 508-535. https://doi.org/10.1108/ICS-12-2018-0138
Publisher
:Emerald Publishing Limited
Copyright © 2019, Emerald Publishing Limited