Abstract

Cybersecurity has been identified as a major challenge confronting the digital world, and neglecting security techniques during software design and development increases the risk of malicious attacks. Security therefore needs to be an integral part of the agile information system development process. In this exploratory study, we empirically examine the agile security practices adopted by software developers and security professionals. Data were collected through ten semi-structured interviews with agile practitioners from seven companies in the United Kingdom (UK), conducted between August and November 2020. An approach informed by grounded theory was used for data analysis, including open coding, memoing, constant comparison and theoretical saturation. The security practices identified were categorised into roles, ceremonies and artefacts and mapped onto the phases of the Software Development Lifecycle (SDLC). Practitioners were found to use five artefacts: security backlog documentation, software security baseline standards, security test plan templates, information security checklists and security audit checklists; more artefacts were reported than roles or ceremonies. Most practitioners rely on automated tools for software security testing, and only one practitioner reported conducting security tests manually. The practices identified form a novel taxonomy, which is the main research contribution of this paper.

Keywords: Agile security practices; Agile information systems development; Cybersecurity; Software security testing; Security specialist; Grounded Theory; Automated test tools
