A Novel Practice-Based Process Model for Secure Agile Software Development

Abstract

Nigeria is ranked second globally after India in reported incidences of cyberattacks. Attackers usually exploit vulnerabilities in software which may not have considered security features during the development process. Agile methodologies are a well-established paradigm in the software development field. Its adoption has contributed to improving software quality. However, agile software products remain vulnerable to security challenges and susceptible to
cyberattacks. Agile methods also tend to neglect non-functional requirements such as security. Despite its significance, there is paucity of research addressing security. The problem tackled in this research is the lack of security practices integration in agile software development. Thus, this thesis aims to improve security of the software development process when using agile methods through the developed secure process model.

The methodology arising from the research context is a multi-methods qualitative approach divided into four phases involving 35 practitioners from 17 organisations. The first phase describes an exploratory case study conducted to empirically explore the agile security practices adopted by software developers and security professionals in United Kingdom (UK). The second phase involves conducting semi-structured interviews to investigate the impact of
regulatory policy for building secure agile software in Nigeria. The third phase developed a novel practice-based agile software development process model derived from the results of the interview data analysis conducted. Finally, the model was preliminarily validated through a focus group comprising of 5 senior agile cybersecurity professionals to evaluate its relevancy and novelty. The focus group was conducted online, comprising predominantly UK
practitioners previously interviewed, along with a few participants who were not involved in the earlier stages of data collection. The model was also applied at a Nigerian company involved in secure agile software development.

Using the adopted methodology, this thesis presents a taxonomy of security practices identified in the UK research sites. They were categorized according to agile use in organisation - roles, ceremonies, and artefacts. Based on the analysis of interviews conducted in Nigeria, a grounded theory of the security challenges confronting agile practitioners was also developed which was termed Policy Adherence Challenges (PAC) model. The four challenges identified are: (a) a lack of collaboration between security and agile teams; (b) the tendency to use foreign software hosting companies; (c) a poor cybersecurity culture; and (d) the high cost of building secure agile software. Also, the model developed in this thesis used swim lane diagrams to highlight the process flow of security activities. 24 security practices were identified and organized into a process flow. The practices were mapped onto five swim lanes each representing an agile role. The preliminary model evaluation conducted through a focus group workshop proposed a new practice, in response to an observed lack of collaborative ceremonies, to disseminate awareness of and hence compliance with security standards. Further evaluation of the secure process model led to several positive changes in the chosen organisation. These include enhanced collaboration through introducing security retrospectives sessions, intervention to reduce manager’s work tasks by introducing a security champion role, action to enhance team security competence by reducing collaborative gap with senior roles which form mitigation mechanisms to improve regulatory compliance in the global south context. This research
recommends practitioners integrate practices such as the proposed “compliance sprint” to improve the security of their products thereby reducing the incidences of cyberattacks. Also, there is need for government action by creating the enabling environment to ensure compliance to regulatory policies and security standards for practitioners developing secure software products.