Agile Development of Secure Software for Small and Medium-Sized Enterprises

Although agile methods gained popularity and became globally widespread, developing secure software with agile methods remains a challenge. Method elements (i.e., roles, activities, and artifacts) that aim to increase software security on one hand can reduce the characteristic agility of agile methods on the other. The overall aim of this paper is to provide small- and medium-sized enterprises (SMEs) with the means to improve the sustainability of their software development process in terms of software security despite their limitations, such as low capacity and/or financial resources. Although software engineering literature offers various security elements, there is one key research gap that hinders the ability to provide such means. It remains unclear not only how much individual security elements contribute to software security but also how they impact the agility and costs of software development. To address the gap, we identified security elements found in the literature and evaluated them for their impact on software security, agility, and costs in an international study among practitioners. Finally, we developed a novel lightweight approach for evaluating agile methods from a security perspective. The developed approach can help SMEs to adapt their software development to their needs.

Automated summary

Although agile methods are widely used, developing secure software remains a challenge. This paper aims to provide small and medium-sized enterprises (SMEs) with means to improve the sustainability of their software development process in terms of security. However, there is a research gap regarding the contribution of individual security elements to software security and their impact on agility and costs. To address this gap, a study was conducted to evaluate security elements found in the literature and develop a lightweight approach for evaluating agile methods from a security perspective, which can help SMEs adapt their software development process to their needs.