An empirical investigation of agile information systems development for cybersecurity

Abstract

Cybersecurity has been identified as a major challenge confronting the digital world,
neglecting cybersecurity techniques during software design and development increases the risk
of malicious attacks. Thus, there is a need to make security an integral part of the agile information system development process. In this exploratory study, we empirically explore the agile
security practices adopted by software developers and security professionals. Data was collected
by conducting ten semi-structured interviews with agile practitioners from seven companies in
the United Kingdom (UK). The study was conducted between August – November 2020. An
approach informed by grounded theory was used for data analysis including Open coding, Memoing, Constant comparison and Theoretical saturation. The security practices identified in this
study were categorized into roles, ceremonies and artefacts and mapped onto the different phases
of the Software Development Lifecycle (SDLC). We discovered practitioners use five artefacts:
security backlog documentation, software security baseline standards, security test plan templates, information security and security audit checklists; and that there are more artefacts than
roles and ceremonies. Also, while most practitioners rely on automated tools for software security
testing, only one practitioner mentioned conducting security tests manually. These practices that
we have identified comprise a novel taxonomy which form the main research contribution of this
paper.