Engineering methods are essential in software development, and form a crucial element in the design and implementation of software security. Security engineering processes and activities have a long and well-standardized history of integration with software development methods. The inception of iterative and incremental software development methods raised suspicions of an inherent incompatibility between the traditional non-agile security processes and the new agile methods. This suspicion still affects the attitude towards agile security. To examine and explore this myth, this study presents a literature review of a selected set of agile secure software development methods. A systematic literature method was used to find the definitive set of secure agile software development methods, of which a core set of 11 papers was selected for analysis, and the security activities documented in the methods were extracted. The results show a wide and well-documented adaptation of security activities in agile software development, with the observed activities covering the whole security development life cycle. Based on the analysis, the inherent insecurity of the agile software development methods can be declared to be a mere myth.
Kalle Rindell (University of Turku), Sami Hyrynsalmi (Tampere University of Technology), Ville Leppänen (University of Turku): Busting a Myth: Review of Agile Security Engineering Methods
Presented at the International Conference on Availability, Reliability and Security (ARES) SSE 2017