dc.contributor.advisor | Sindre, Guttorm | |
dc.contributor.advisor | Abrahamsson, Pekka | |
dc.contributor.advisor | Cruzes, Daniela Soares | |
dc.contributor.advisor | Li, Jingyue | |
dc.contributor.advisor | Jaatun, Martin Gilje | |
dc.contributor.advisor | Boyd, Colin Alexander | |
dc.contributor.author | Tøndel, Inger Anne | |
dc.date.accessioned | 2022-09-29T08:12:13Z | |
dc.date.available | 2022-09-29T08:12:13Z | |
dc.date.issued | 2022 | |
dc.identifier.isbn | 978-82-326-5334-8 | |
dc.identifier.issn | 2703-8084 | |
dc.identifier.uri | https://hdl.handle.net/11250/3022462 | |
dc.description.abstract | Agile software development is driven by business value, and strives towards visible progress through features. Consequently, the somewhat invisible and overarching aspect of software security is at risk of being neglected. A key assumption of this thesis is that to achieve adequate security within acceptable costs (“good enough” security), software development projects need to be able to make priorities on what security is needed throughout development. The thesis addresses the following overall research problem: How can regular security prioritisation be integrated into agile software development so that software products end up with a level of security that is “good enough”? To this end, the thesis investigates 1) what influences the security prioritisation throughout an agile software development project, and 2) how security roles and activities can support an agile software development project in reaching a “good enough” prioritisation of security. The research follows a design science approach, studying and designing process support for companies wanting to improve their software security prioritisation. The investigation is centred on small and medium sized companies developing “normal” software, i.e., software that is not security critical nor has security as a key feature of the product. The need for trade-offs and prioritisations between security and other software aspects is likely to be more pressing when security is not a main development goal, and smaller companies have been identified as having a higher potential for improvement in their software security compared to larger companies. The thesis suggests that to improve prioritisation of security in agile software development, companies can apply regular security prioritisation meetings, and security experts in the company can be empowered with knowledge on how to influence the security priority. The foundation for this suggestion is documented in a collection of papers. 
The thesis offers the following main contributions that are aimed towards both practitioners and researchers: 1) A conceptual model of the influences on security priority in agile software development, 2) Identified and evaluated strategies that security experts can take in influencing the security priority of agile software development projects, 3) A new and evaluated meeting approach for continuous software security in agile software development, and 4) Rich descriptions of practical experiences with improving software security prioritisation, bridging the gap between science and practice. | en_US |
dc.language.iso | eng | en_US |
dc.publisher | NTNU | en_US |
dc.relation.ispartofseries | Doctoral theses at NTNU;2022:285 | |
dc.relation.haspart | Paper A: Tøndel, Inger Anne; Jaatun, Martin Gilje; Cruzes, Daniela Soares; Moe, Nils Brede. Risk Centric Activities in Secure Software Development in Public Organisations. International Journal of Secure Software Engineering (IJSSE) 2017; Volume 8(4), pp. 1-30. https://doi.org/10.4018/IJSSE.2017100101
Copyright © 2017, IGI Global | en_US |
dc.relation.haspart | Paper B: Tøndel, Inger Anne; Jaatun, Martin Gilje; Cruzes, Daniela Soares. IT Security Is From Mars, Software Security Is From Venus. IEEE Security and Privacy 2020; Volume 18(4), pp. 48-54. https://doi.org/10.1109/MSEC.2020.2969064 | en_US |
dc.relation.haspart | Paper C: Tøndel, Inger Anne; Jaatun, Martin Gilje; Cruzes, Daniela Soares; Williams, Laurie. Collaborative security risk estimation in agile software development. Information and Computer Security 2019; Volume 26(4). https://doi.org/10.1108/ICS-12-2018-0138 | en_US |
dc.relation.haspart | Paper D: Tøndel, Inger Anne; Jaatun, Martin Gilje. Towards a Conceptual Framework for Security Requirements Work in Agile Software Development. International Journal of Systems and Software Security and Protection (IJSSSP) 2020; Volume 11(1). https://doi.org/10.4018/IJSSSP.2020010103
Copyright © 2020, IGI Global | en_US |
dc.relation.haspart | Paper E: Tøndel, Inger Anne; Cruzes, Daniela Soares; Jaatun, Martin Gilje; Rindell, Kalle. The Security Intention Meeting Series as a way to increase visibility of software security decisions in agile development projects. In: ARES '19 Proceedings of the 14th International Conference on Availability, Reliability and Security, Canterbury, CA, United Kingdom — August 26 - 29, 2019. Association for Computing Machinery (ACM) 2019, ISBN 978-1-4503-7164-3, pp. 1-8. https://doi.org/10.1145/3339252.3340337 | en_US |
dc.relation.haspart | Paper F: Tøndel, Inger Anne; Cruzes, Daniela Soares; Jaatun, Martin Gilje. Achieving "Good Enough" Software Security: The Role of Objectivity. In: EASE '20: Proceedings of the Evaluation and Assessment in Software Engineering. Association for Computing Machinery (ACM) 2020, ISBN 9781450377317, pp. 360-365. https://doi.org/10.1145/3383219.3383267 | en_US |
dc.relation.haspart | Paper G: Tøndel, Inger Anne; Cruzes, Daniela Soares; Jaatun, Martin Gilje; Sindre, Guttorm. Influencing the security prioritisation of an agile software development project. Computers & Security 2022; Volume 118. https://doi.org/10.1016/j.cose.2022.102744. This is an open access article under the CC BY license. | en_US |
dc.relation.haspart | Paper H: Tøndel, Inger Anne; Cruzes, Daniela Soares. Continuous software security through security prioritisation meetings. Journal of Systems and Software 2022. https://doi.org/10.1016/j.jss.2022.111477. This is an open access article under the CC BY license. | en_US |
dc.title | Prioritisation of security in agile software development projects | en_US |
dc.type | Doctoral thesis | en_US |
dc.subject.nsi | VDP::Technology: 500::Information and communication technology: 550 | en_US |