Article Preview
Top1. Introduction
Companies commonly use the agile development methods, such as Scrum (Schwaber and Beedle, 2001), and Extreme Programming (XP) (Martin, 2003) to develop their evolving software. These methods are associated with better developers’ productivity, product quality, and customers’ satisfaction than the waterfall methods (Dyba and Dingsoyr, 2008). They embrace requirement changes, prefer frequent deliveries, and their practices do not include security engineering activities. These characteristics, and others, make developing secure software using these methods challenging (McGraw, 2002). For instance, it is difficult to implement verification gates in the processes that implement these methods because the cost of these gates is very high, if they were to be repeated several times during the development of the project (Ben Othmane et al., 2014).
Many papers discuss the challenges of developing secure software using the agile development methods. For instance, Benznosov and Kruchten evaluated the mismatches between security assurance methods/techniques and agile practices (Beznosov and P. Kruchten, 2004), Ferdous et al. (Adila, et al., 2014) reviewed the challenges of developing secure software using the Feature Driven Development (FDD) method and assessed the feasibility of integrating security activities into FDD. Companies and researchers proposed some solutions to these challenges. They focus, in general, on enhancing the agile development methods, such as Scrum, XP, FDD and the Dynamic Systems Development Method (DSDM) by introducing security activities and security expert roles in the development process (Sullivan, 2010), (Ben Othmane et al., 2014), (Imran, et al., 2014), (Imran and Izzaty, 2013), (Adila, et al., 2013) and (Sani, et al., 2013). The other challenges are, in general, not addressed.
This paper addresses the following questions:
There are currently no comprehensive systematic literature reviews that address these questions properly. A systematic literature review is a mean to identify, analyze, and interpret the available evidence (from publications) relevant to a research question by using a sound approach (Kitchenham and S. Charters, 2007), (Wohlin, 2012). The answers to both these questions should contribute to identifying the research challenges that the community shall address so organizations can use the agile methods to develop secure software.
The paper reports about a study that examines the validity of the challenges of developing secure software using the agile development methods. It summarizes the challenges reported in 28 publications and evaluates their validity with respect to a set of agile development criteria and developing secure software criteria. It is organized as follows. First we provide a short background about the agile approach and development of secure software in Section 2. Then, we describe in Section 3 the research method that we used to identify and validate the challenges. Next, we present in Section 4 the challenges that we identified from the publications that we selected and analyze the validity of the identified challenges in Section 5. We discuss the limitations and impacts of the study afterwards in Section 6 and conclude the paper in Section 7.
This paper extends our earlier paper presented at the The First International Workshop on Agile Secure Software Development (Oueslati et al. 2015).
Top2. Background
This section provides an overview of the Agile Software Development (ASD) approach and of developing secure software.