Developing Secure Software: in an Agile Process
Blekinge Institute of Technology, School of Computing.
Responsible organisation
2012 (English) Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Background: Software developers are facing increased pressure to lower development time, release new software versions more frequently to customers and to adapt to a faster market. This new environment forces developers and companies to move from a plan-based waterfall development process to a flexible agile process. By minimizing the pre-development planning and instead increasing the communication between customers and developers, the agile process tries to create a new, more flexible way of working. This new way of working allows developers to focus their efforts on the features that customers want. With increased connectability and the faster feature release, the security of the software product is stressed. To develop secure software, many companies use security engineering processes that are plan heavy and inflexible. These two approaches are each other's opposites and they directly contradict each other.

Objective: The objective of the thesis is to evaluate how to develop secure software in an agile process. In particular, what existing best practices can be incorporated into an agile project and still provide the same benefit if the project was using a waterfall process. How the best practices can be incorporated and adapted to fit the process while still measuring the improvement. Some security engineering concepts are useful but the best practice is not agile compatible and would require extensive adaptation to integrate with an agile project.

Method: The primary research method used throughout the thesis is case studies conducted in a real industry setting. As secondary methods for data collection a variety of approaches have been used, such as semi-structured interviews, workshops, study of literature, and use of historical data from the industry.

Results: The security engineering best practices were investigated through a series of case studies. The base agile and security engineering compatibility was assessed in literature, by developers and in practical studies. The security engineering best practices were grouped based on their purpose and their compatibility with the agile process. One well known and popular best practice, automated static code analysis, was thoroughly investigated for its usefulness, deployment and risks of using as part of the process. For the risk analysis practices, a novel approach was introduced and improved. As such, a way of adapting existing practices to agile is proposed.

Conclusion: With regard to agile and security engineering we did not find that any of the investigated processes was agile compatible. Agile is reaction driven that adapts to change, while the security engineering processes are proactive and try to prevent threats before they happen. To develop secure software in an agile process the developers should adopt and adapt key concepts from security engineering. These changes will affect the flexibility of the agile process but it is a necessity if developers want the same software security state as security engineering processes can provide.

Place, publisher, year, edition, pages
Karlskrona: Blekinge Institute of Technology, 2012.
Blekinge Institute of Technology Doctoral Dissertation Series, ISSN 1653-2090 ; 5
National Category
Software Engineering; Computer Science
URN: urn:nbn:se:bth-00525
Local ID: 978-91-7295-229-4
OAI: diva2:834902
Available from: 2012-09-18 Created: 2012-04-10 Last updated: 2016-09-06 Bibliographically approved

By author/editor
Baca, Dejan