To main content

Influencing the security prioritisation of an agile software development project

Abstract

Software security is a complex topic, and for development projects it can be challenging to assess what security is necessary and cost-effective. Agile Software Development (ASD) values self-management. Thus, teams and their Product Owners are expected to also manage software security prioritisation. In this paper we build on the notion that security experts who want to influence the priority given to security in ASD need to do this through interactions and support for teams rather than prescribing certain activities or priorities. But to do this effectively, there is a need to understand what hinders and supports teams in prioritising security. Based on a longitudinal case study, this article offers insight into the strategy used by one security professional in an SME to influence the priority of security in software development projects in the company. The main result is a model of influences on security prioritisation that can assist in understanding what supports or hinders the prioritisation of security in ASD, thus providing recommendations for security professionals. Two alternative strategies are outlined for software security in ASD – prescribed and emerging – where we hypothesise that an emerging approach can be more relevant for SMEs doing ASD, and that this can impact how such companies should consider software security maturity.

Category

Academic article

Client

  • Research Council of Norway (RCN) / 247678

Language

English

Author(s)

Affiliation

  • Norwegian University of Science and Technology
  • SINTEF Digital / Software Engineering, Safety and Security

Year

2022

Published in

Computers & Security

ISSN

0167-4048

Publisher

Elsevier

Volume

118

Issue

102744,

View this publication at Cristin