An Empirical Study on the Relationship between Software Security Skills, Usage and Training needs in Agile Settings
06 September 2016
Protecting organizations' assets from malicious attackers is critical in today's highly threatened environment. The threat landscape is continuously changing. Unfortunately, many organizations still lack an overview of what their developers and the rest of the stakeholders are doing to protect their assets. The agile paradigm adds a layer of complexity to software security. Critics have argued that the security engineering process does not fit the agile process because it is too heavyweight. Proposed approaches to integrate security activities into agile have also been criticised for looking similar to the traditional versions in terms of workload. As a result, 'agile' organizations have approached software security in a way that fits their own process and practices. Statistics show that more than 70% of reported vulnerabilities are in the application layer and not in the network. Thus, regardless of whether agile is incompatible with secure software development, the major discussion we should have is how to improve security within the agile context. Improving software security practices to an "adequate" level for an organization requires that we know what we are doing well and understand where the gap areas are.