Delegation-Based Agile Secure Software Development Approach for Small and Medium-Sized Businesses

Abstract

Read online

Software engineering often follows a particular methodology. Throughout the software development industry, an increasing share of enterprises follow agile principles. However, engineering adequately secure software, even though required by some international standards, remains challenging. That is particularly true when enterprises use agile approaches. Additionally, existing agile, secure software engineering approaches proposed in the literature are poorly suited for small and medium-sized enterprises (SMEs). While some suggest permanently embedding security in agile, these solutions are rigid and often limited to specific methods like Scrum or Extreme Programming. This paper introduces a situational agile approach for secure software development, namely ATTRACT, which does not require a particular method to be used by the development team and is designed as a temporary add-on to the existing method. It takes a software development method used by an enterprise as is and builds on it. It is designed to incrementally enhance security knowledge and awareness within the development team; thus, it is especially suited for SMEs. The approach was tested in a real-world longitudinal multiple-case study. The results indicate that this approach enhanced security awareness, improved code quality, and encouraged tailored security implementations. Although results indicate an adaptation phase, teams generally found that the approach met their expectations.

Keywords

• Software security
• secure software engineering (SSE)
• engineering of secure software (ESS)
• lean
• software development management