
IKTPLUSS-IKT og digital innovasjon

SoS-Agile: Science of Security in Agile Software Development

Alternative title: SoS-Agile: Vitenskaplig sikkerhet i smidig utvikling

Awarded: NOK 25.1 mill.

Security breaches are happening all around us. Software systems have developed to the point that we use and depend upon them daily in the same way that we depend upon traditional infrastructures and utilities such as power and transportation. The value of sensitive information in software systems is constantly increasing, as are the corresponding threats, but measures to reduce the resulting vulnerability are not developed at the same pace. The consequences of this lack of investment in software security can be catastrophic. Continuous development is now a de facto standard for software development in Norway, and even though it does not explicitly address security issues, there is great potential for embedding security into a continuous development approach. Existing security activities need to be redesigned and scientifically understood to integrate effectively with agile practices. SoS-Agile investigated two fundamental challenges: the need for a scientific approach to security research, and the integration of software security and continuous software development. SoS-Agile based its scientific approach on action research with software companies: FARA, Telenor, and Visma are the main companies in the project, introducing innovative ways to perform security work inside the software development teams, or evaluating the effects of different approaches on the teams. Other companies have also collaborated with the project in the various case studies performed during the project.
Some results from this project:
1) Further development of the game Protection Poker for analysing how changes in features affect security;
2) Many companies have now performed self-assessment of their security activities, using the approach developed in the project based on BSIMM;
3) A better understanding of how to create a software security program that works for self-managed teams;
4) An approach for onboarding developers in software security activities;
5) Increased use of static analysis tools in software development in the participating companies;
6) Introduction of threat modelling in agile development in the participating companies;
7) JiraSecPlugin, a simple-to-use plugin for classifying issues recorded in Jira as security issues;
8) The security intention meeting, a way for companies to create more awareness of security in their projects;
9) Security Chartering, a way to empower development teams towards security;
10) Security Retrofitting, a way to refactor the security program to fit the needs and the effectiveness required of it;
11) A governance model for an Ambidextrous Security Program in software organisations, for sustainable software security programs.
SoS-Agile has contributed to continually enhancing the scientific excellence of research in Norway, stimulated new interdisciplinary and innovative approaches to improving the security of software systems, and strengthened the competitiveness of industry, promoting Norway as a cutting-edge research and innovation nation in secure software development. The papers published in this project are based on data collected from the Norwegian companies, and besides the scientific papers, we focused intensively on disseminating the academic results in the participating companies and in other companies we collaborated with in case studies and action research.

The contribution of this project to the science of security goes beyond all the papers and presentations that we have produced. The companies' maturity in security and the amount of knowledge created were beyond our expectations. There is still an increasing demand from software companies for the knowledge we have created in this project, and students from NTNU and UiO are constantly reaching out to us for supervision. So the educational aspects of the project were also fulfilled and will create even greater results in the years to come. The project has created an opportunity to educate more than 10 master's students, 2 PhD students and 2 postdocs in software security in agile development. These are multipliers of this knowledge. In terms of publications, we have many that are submitted and we are waiting for the answers.

Security breaches are happening all around us. Software systems have developed to the point that we use and depend upon them daily in the same way that we depend upon traditional infrastructures and utilities such as power and transportation. The value of sensitive information in software systems is constantly increasing, as are the corresponding threats, but measures to reduce the resulting vulnerability are not developed at the same pace. The consequences of this lack of investment in software security can be catastrophic. Scrum is now a de facto standard for development in Norway, and even though it does not explicitly address security issues, there is great potential for embedding security into an agile approach. Research in the area of software security is characterised by a huge number of methods (all based on waterfall software development), a lack of credible empirical evaluation, and a split between industry practice and academic research. Existing security activities need to be redesigned and scientifically understood to integrate effectively with agile practices. SoS-Agile will investigate two fundamental challenges: the need for a scientific approach to security research, and the integration of software security and agile software development. Our aim is to empirically understand how software systems can be designed, built, and maintained to systematically address security issues across an agile development lifecycle, and hence to advance software security practice by explicitly addressing software vulnerabilities with empirical approaches to gather data, analyse those data, and develop new theories for the Science of Security. SoS-Agile will enhance the scientific excellence of research in Norway, stimulate new interdisciplinary and innovative approaches to improve the security of software systems, and strengthen competitiveness in industry, promoting Norway as a cutting-edge research and innovation nation in secure software development.


Funding scheme:

IKTPLUSS-IKT og digital innovasjon