Delegation-Based Agile Secure Software Development Approach for Small and Medium-Sized Businesses


Bibliographic Details
Main Authors: Anze Mihelic, Simon Vrhovec, Blaz Markelj, Tomaz Hovelja
Format: Article
Language: English
Published: IEEE 2024-01-01
Series: IEEE Access
Online Access:https://ieeexplore.ieee.org/document/10788687/
Description
Summary: Software engineering often follows a particular methodology. Throughout the software development industry, an increasing share of enterprises follow agile principles. However, engineering adequately secure software, even though required by some international standards, remains challenging. That is particularly true when enterprises use agile approaches. Additionally, existing agile, secure software engineering approaches proposed in the literature are poorly suited for small and medium-sized enterprises (SMEs). While some suggest permanently embedding security in agile, these solutions are rigid and often limited to specific methods like Scrum or Extreme Programming. This paper introduces a situational agile approach for secure software development, namely ATTRACT, which does not require a particular method to be used by the development team and is designed as a temporary add-on to the existing method. It takes a software development method used by an enterprise as is and builds on it. It is designed to incrementally enhance security knowledge and awareness within the development team; thus, it is especially suited for SMEs. The approach was tested in a real-world longitudinal multiple-case study. The results indicate that this approach enhanced security awareness, improved code quality, and encouraged tailored security implementations. Although results indicate an adaptation phase, teams generally found that the approach met their expectations.
ISSN:2169-3536