Security engineering and agile development are often perceived as a clash of cultures. To address this clash, several approaches have been proposed that allow for agile security engineering.... Show More

Security engineering and agile development are often perceived as a clash of cultures. To address this clash, several approaches have been proposed that allow for agile security engineering. Unfortunately, agile development organizations differ in their actual procedures and environmental properties resulting in varying requirements. The authors propose an approach to compare and select methods for agile security engineering. Furthermore, their approach addresses adaptation or construction of a tailored method taking the existing development culture into account. The authors demonstrate the feasibility of their proposal and report early experiences from its application within a small development organization for digital solutions in the automotive domain.

A set of challenges of developing secure software using the agile development approach and methods are reported in the literature. This paper reports about a systematic literature review to identify... Show More

A set of challenges of developing secure software using the agile development approach and methods are reported in the literature. This paper reports about a systematic literature review to identify these challenges and evaluate the causes of each of these challenges, with respect to the agile values, the agile principles, and the security assurance practices. The authors identified in this study 20 challenges, which are reported in 28 publications. They found that 14 of these challenges are valid and 6 are neither caused by agile values and principles, nor by the security assurance practices. The authors also found that 2 of the valid challenges are related to the software development life-cycle, 4 are related to incremental development, 4 are related to security assurance, 2 are related to awareness and collaboration, and 2 are related to security management. These results justify the need for research to make developing secure software smooth.

Including and automating secure software development activities into agile development processes is challenging. Fuzz testing is a practical method for finding vulnerabilities in software, but has... Show More

Including and automating secure software development activities into agile development processes is challenging. Fuzz testing is a practical method for finding vulnerabilities in software, but has some characteristics that do not directly map to existing processes. The main challenge is that fuzzing needs to continue to show value while requiring minimal effort. The authors present experiences and practical ways to utilize fuzzing in software development, and generic ways for developers to keep security in mind.