Secure Agile Software Development with Scrum Strategy

doi:10.21203/rs.3.rs-2788523/v1

Download PDF

Research Article

Secure Agile Software Development with Scrum Strategy

https://doi.org/10.21203/rs.3.rs-2788523/v1

This work is licensed under a CC BY 4.0 License

Version 1

posted

You are reading this latest preprint version

The implementation of software development strategies while developing a software is important for a project's roadmap. In traditional methods, the project is defined before the start of the project, delivery times and costs are determined. After each of the project development stages is completed, another development stage is started. However, communication is important in software projects developed by agile methods and processes are more flexible. It is possible to make innovation or changes at any time of the project. Scrum is an important strategy used for agile software development. Scrum is an important strategy used for agile software development. When the Scrum strategy is examined, it can be seen that agility and safety principles do not overlap at some points. At this point, models that allow security activities to cooperate with agile methods and work within the framework of Scrum come to the fore. In this study, studies to eliminate this incompatibility based on scientific evidence were analyzed. In this analysis, results of the Bibliometric Network Analysis and Co-Occurrence Network Construction for software development of the Scrum model were revealed. These results show that security processes have a place in the Scrum field. The inclusion of security in the process during the software development phase will enable a more robust system design in response to future security vulnerabilities.

Scrum

Agile Software Development

Security

bibliometric network analysis

co-occurrence network construction

In a software development process, there are generally planning, analysis, design, programming and test stages. There are different stakeholders in each of these stages. These stakeholders can be developers, users, customers, sponsors and institutions that carry out the project. In particular, addictions between stakeholders are important. In this context, the complex processes that require intensive interactions between stakeholders should be managed in developing information systems. With this management, usually misunderstood user requirements, planning errors, budget, late delivery or non -satisfactory user experiences can be prevented. Agile development methodologies such as Scrum and Extreme Programming are recommended in the literature in the solution of problems that may occur in such processes and to prevent these problems before the emergence of these problems [1–4]. In proposed studies, the focus task is based on the design between the design, the source coding, the development processes, the user experience and the interaction between the ecosystems.

In Scrum strategy, popular agile approaches do not have security roles or activities. In contrast, various extensions have been developed to Scrum and other agile frames to integrate security into the process [1]. In the Scrum strategy, it is not determined in detail how to perform development work, including software safety [2]. On the contrary, it involves the management of software to be successful and the ability of development teams to organize their own work. In addition, an environment in which the project can take responsibility is created [3]. These individuals, and make interactions valuable. It increases motivation to highlight interaction rather than processes and tools. From this perspective, there is no difficulty in giving priority to security in Scrum strategy. Software development, which contains security architectures, is usually provided through support [4]. As a result, the teams in the Scrum must be made understandable together what supports and prevents the priority of security.

The researches that presented in the literature found that there is often a distinction between software security and Scrum strategy [5]. Therefore, it may be less than optimal in many organizations to address security processes as a support [6]. In addition, the product owners in Scrum are responsible for prioritizing the accumulation list. For this reason, product owners are the officials who need to be interacted to determine the priority given to the security requirements. However, with this interaction, safety processes can be included in software development with Scrum strategy [7].

The investigation of regular user experience in agile methods is a priority. This enables users to be included in the development. On the other hand, agile methods include ceremonies, works and roles. All of these transactions are aimed at analyzing the difficulties that may arise in communication in project development. In cases where communication becomes difficult, arranged environments are controlled by various rules and regulations. In addition, non -functional additional requirements are created. These additional requirements provide the integration of the efficacy of communication and facilitate consultation with field experts. When adapted to the needs of this regulated environment, agile methods are appropriate [8].

In this study, it was tried to demonstrate how strategies were followed for the solution of security problems for a software developed with the SCRUM strategy. In the light of the research questions directed within the scope of the study, the experimental results of the study were presented with Vos Viewer software and Web of Science Tools. It was seen that this is possible with analyzes such as Scrum with Security, Bibliometric Network Analysis, Co-Occurrence Network Construction. The most prominent result is to include the SCRUM strategy in order to include the Security processes in the software development phase. Therefore, security prioritization includes a large group of individuals and their daily choices and priorities. Although various difficulties are well documented in the literature, more information is needed about which difficulties are valid in which situations. Furthermore, studies have shown that the difficulties identified in a company are generally valid for other companies [9].

The web of science (WOS) link databases were selected as Scrum software development studies. In these databases, a very high amount of literature research is obtained.

In the emphasized literature, the 4 basic elements have emerged especially regarding security. These are Microsoft's Security Development Life Cycle (SDL), comprehensive light application safety process (CLASP), contact points (CT) and common criteria (CC). These 4 elements are the most popular and widely accepted Security processes worldwide. SDL has been proposed by Microsoft to increase the reliability of the software development process as well as reducing maintenance costs [10]. The SDL spiral is derived from the model and is used to reduce errors related to software safety. For this reason, role matrix, security requirements, basic security training, quality doors, threat modeling, design requirements, attack surface reduction, cost analysis, security tools, coding rules, static analysis, dynamic analysis, blurred test, event intervention planning, attack surface Examination, code review and final security examination is performed [11]. The CC includes an ISO certified process. It allows users to set safety and requirements. Respectively, definitions, security requirements, critical assets, risk analysis, unified modelling language security, requirements consist of safety activities to agree on the examination of requirements and warehouse improvement: [12]. CT is a framework that can be applied to various software structures. It contributes to the development of the safety and quality features of the final product. Safety requirements, risk analysis, abuse, assumption documents, static code analysis, infiltration test, red tool test, external examination and risk -based test consist of 9 different safety activities [13]. CLASP provides a framework that expresses the security requirements set in the Open Web Application Security Project. Looking at the frame; Periodic training, starting education, abuse states, resources and confidence limits, system requirements and design safety analysis, security metrics, identify operational environment, determine global security policy, determine user roles and resources, determine the attack surface, design security. It has a very comprehensive methodology such as implementing the principles, security architecture, code signing, and identification of security tests, implementation and performing, safety examination at the resource level, operational planning and preparation [14].

Previous studies, motivated by the popularity of the Scrum software development strategy, have made great contributions to the review of the use of Scrum in overcoming Security problems.

Ghani et al. conducted research on security accumulation list, which is one of the important efforts in developing software with Scrum. The authors obtained as a result of experiments that the agility increased when the security accumulation list (SB) was applied when the agility of phases is not taken into consideration [15].

Maier et al. investigated how to apply the Scrum model of Security. In the authors' research, it includes an opinion questionnaire about an architecture that has been minimized by security vulnerabilities by including security processes in an application developed with Java. According to the results of the questionnaire, Systems Security Engineering - Capability Maturity model was found to be moderately solved [16].

Erdogan et al. conducted research on the expanded agile security test. In the study, it was stated that a web application developed with agile architecture has become more efficient by determining security deficits [17].

Poller et al. presented research to evaluate the security processes in software development. In the research, Security training was given to software developers. When we look at the security deficits that occur as a result of these trainings, they observed that developers' understanding of these issues has developed. However, in the study, it was seen that the developers accepted a need for an unchanged need, but it was seen that they had protected a structure that prevented change. As a result, support should be provided for Security, but the interaction between the structure and established application should be considered. This change must also be managed [18].

Singh et al. presented a survey of security processes on agile software development. In the study, problems such as software project management problems and lack of requirements were demonstrated as an important obstacle to agile software development. If the process of developing agile software development is to be aware of such problems, it has been presented as a result of the fact that these difficulties occur when these difficulties occur [19].

McDonald et al. has dealt with safe agile software according to the training curriculum. In the study, it was obtained by reports that it should be dealt with how to introduce agility and security in the best way to beginners. [20].

Gomero-Fanny et al. has investigated how an e-commerce site can be safe in design according to Scrum principles. This research study was tried on a prototype that implements Scrum methodology. In addition to information security in the methodology in the study, it indicates that the problem can be solved by establishing continuous communication between stakeholders. A useful model was put forward by scoring the sprints in the Scrum design with various scoring methods [21].

Smith et al. took over a different Security solution in software development with Scrum. In this solution, three cyber incident intervention exercises were analyzed during software development. With the feedback received, it was focused on incomplete or faulty areas. As a result, the time spent to restore normal operations of the event intervention teams was reduced. In addition, uncertainties in the sense of security were managed [22].

Sharma et al. has done research on how security activities can be integrated into the Scrum software development environment. As a result of the research, it was obtained that the presentation of services and products in smaller groups allowed security experts to integrate software development safety activities with agile methodologies without any problems [23].

Tøndel et al. presented a case analysis of a security professional in the development of agile software. According to the observations in the case analysis, the existing maturity models with activity -oriented maturity models were expressed with an impact category model that provides an overview of the characteristics of situations that may affect the priority given to security in development projects [24].

Although studies are carried out in the literature based on the relationship between Scrum strategy and Security, Scrum with Security, Bibliometric Network Analysis, Co-Occurrence Network Construction relationship is needed clearly. In this study, by scanning literature and various analyzes, the search for solutions to the Scrum Security relationship was revealed.

While developing a software project, the teams established try to achieve certain goals within a timeline. However, the emergence of a problem such as changing requirements during development makes it necessary for a software development model to be included in the process. One of the effective methods used to avoid such problems is the Waterfall approach [25]. Although it is possible to solve certain problems with this approach, the method is insufficient in solving the needs of the developers and the problems that may arise during the release [26]. Agile Scrum software development framework is recommended to overcome such problems that arise in the waterfall approach [27]. This method is iteratively designed to be flexible with changing requirements during development. Short development periods are preferred in the method instead of developing the software in the very long term. These short development periods are called sprints. Thanks to sprints, a solution resistant to changes in requirements is obtained [28]. It encourages such incremental progress by organizing development in User Stories, which are individual tasks that are created and completed as software requirements that may arise in such a situation are discovered. The Scrum approach, on the other hand, is derived as a method of adapting agile practices to a project. Scrum provides a gradual and immediate approach to agile development. For this, the planning, design and development phases of the project are structured.

Each task is defined so that it can be completed within the time allotted to a sprint. Each developer takes responsibility for completing certain tasks. Backlogs are created at each sprint planning meeting. Thus, while each developer works independently on the tasks assigned to him, the developers share the same work list. At the end of a sprint, the remaining unfinished tasks in the Backlog are analyzed during the sprint retrospective [29].

A Scrum strategy consists of three roles: Scrum Master, Product Owner, or Team Member. The Scrum Master administers Scrum, chairs all meetings, ultimately creates the Backlog for each sprint, and manages the analysis of unfinished tasks in a sprint retrospective. The Product Owner represents the interests of Stakeholders and users. Finally, Team Members are developers who implement tasks during each sprint [30].

3.1. Research Questions

In this study, research was conducted on security concerns in software development with an agile method such as Scrum. In this context, two research questions were generated. Accordingly, the research questions of our study are as follows:

RQ1. Can security be ensured in agile software development?

RQ2. How to develop software with a security module with Scrum strategy?

In this context, the results presented in the literature were investigated. The methodologies used to address security concerns regarding the results of this research are presented. First, a literature review was conducted on software developed with the Scrum method. The search was limited to studies conducted in 2018 and after. In the context of the literature studies, the results of security concerns and solutions were revealed.

3.2. Dataset of the study

During the data collection phase, it was selected with certain criteria to search for the most relevant articles. First of all, we choose WOS, which contains comprehensive scientific data and literature, as a practical database. In addition, WOS is an ideal tool for researching interdisciplinary research topics. As the second criterion, keywords are determined to obtain the most relevant previous literature. The keyword search strategy was determined as two main concepts, Scrum and Security. A more specific target was set with these two keywords. Afterwards, it was aimed to limit the scope of articles in the field of engineering. For this purpose, four key points have been put forward to ensure the reliability of the analytical results. These are respectively the scope of the keyword search is within the entire article, the target search is based on the Boolean operator, the document type is Article, and the subject area is limited to Engineering. The data set was presented with a total of 86 articles.

Vos viewer software was used to analyze the security related studies using the agile method. The tools of the Web of Science (WOS) website were used to obtain the metadata of the studies in the literature to transfer them to this software. Metadata of 96 studies, which were accessed using the keywords "Scrum" and "Security", were exported in a txt file. The content of this file includes the name of the study, the authors of the study, the name of the study, the year of the study, references and citations of the study. Statistical analysis results using these data were presented under different headings. The distribution analysis according to the years of the first analysis is presented in Fig. 1.

When the graph in Fig. 1 is examined, it is seen that the number of researches on security handling in the Scrum development method has increased especially in recent years. There is diversity in the areas that work with Scrum. The statistical results of these areas are presented in Fig. 2.

It is seen that there is a significant density in the fields of Scrum and security, especially in Computer Science Information Systems, Computer Science Theory Methods, Engineering Electrical Electronics and Computer Science Software Engineering in Fig. 2.

In terms of Citations Topic Meso, the results in Fig. 3 were obtained. It is observed that there is a very large work intensity especially in the field of software engineering. In addition, it is seen that Scrum and security are discussed in different disciplines.

When we look at the publication titles, we come across different journals and conferences. Table 1 was obtained when these were evaluated out of 86 publications scanned in WOS.

Table 1

Distribution of the Publication Titles
Publication Titles	Record Count
International Journal of Computer Science and Network Security	9
Human Computer Interactıon A Serıes of Monographs Edited Volumes and Texts	2
Iberian Conference on Information Systems and Technologies	2
Advances In Information and Communication Technology	2
Integratıng User Centered Desıgn in Agıle Development	2
Lecture Notes in Business Information Processing	2
International Conference on Software Security and Assurance	2
11th International Conference on Availability Reliability and Security Ares	2
13th International Technology Education and Development Conference	1
15th International Conference on Advanced Trends in Radio Electronics Telecommunications And Computer Engıneering	1
1st International Conference on Information Security Privacy	1
19th Asıa Pacific Software Engıneering Conference	1
5th International Conference on Cyber Conflict	1
9th International Conference on Availability Reliability and Security Ares	1
International Conference on Computer Graphics Vision and Information Security	1
2nd International Conference on Computing Technology and Information Management	1
International Conference on Computer Science and Engineering	1
International Conference on Engıneering Technology and Innovation	1
IEEE Biennial Congress of Argentina Argencon	1
IEEE International Conference on Technology Management Operations and Decisions	1
International Symposium on Computer Consumer and Control	1
4th Iberian Conference on Information Systems and Technologıes	1
3rd Cyber Security in Networking Conference	1
4th International Conference on Computer Science and Engineering	1
IEEE Chilean Conference on Electrical Electronics Engineering Information and Communıcation Technologies	1

In Table 1, the numbers of publications expressing the Security Scrum relationship made according to the publication titles are expressed. These were listed as journals and conferences. In addition, it is seen that there are studies from other disciplines such as education and management.

Vos viewer which is used for the analysis of this metadata obtained with WOS is a software tool specifically designed to create and visualize bibliometric maps and create graphical representations of maps of scientific articles. Vos viewer can create clusters of nodes in networks. The algorithm used for clustering has several parameters that can be adjusted, such as resolution and minimum cluster size. The Resolution parameter determines the verbosity of the clusters and cannot take a negative value. We used the default value of 1 for the resolution parameter in our research. We determined the first analysis result as a keyword report.

Keyword report allows to determine the popularity of research topics, the possibility of citation, and the decrease in the use of the keyword. It can also potentially identify trending research topics, both now and in the past, with the keyword report.

Figure 4 shows the Vos viewer result obtained with the keyword report. Keywords associated with Scrum are shown in this chart. It is seen in this chart that the security keyword also has an important place.

The citation report, which is the report in which the journals in which the cited studies are published within a year are listed, and thus the most successful journals are determined, is shown in Fig. 5.

The intensities are shown according to the citation numbers of the publications made with Scrum and security in Fig. 5. The graph in which these intensities and the density of citations made on the basis of the author are presented cumulatively is presented in Fig. 6. The relationships between the studies were expressed in the form presented as the co-citation report in Fig. 6.

When we look at the literature, studies in which security processes are automatically or manually included in software development stand out. Nath et al. proposed a score range map that identifies vulnerability to classify the source code of the software. There are encouraging quality reviews and controls of lead developers are also made available for review, with this scoring map, [31]. Bayram et al. obtained systematic literature searches published in the field of agile software development from Web of Science, Science Direct, Scopus and IEEE academic databases. They analyzed the relationships between authors, publications, researchers, institutions, publication sources and countries with Vos viewer and Gephi social network analysis tools. In the experimental results, especially the results related to the distribution of studies in this field were shared [32].

In the framework presented in the study, a statistical analysis was presented on how the Scrum strategy and Security requirements were met. First, security vulnerabilities in software development were expressed in the literature with Scrum, one of the agile software development methods. The solutions were produced for the problems in the field of security, with 4 different solutions offered for these vulnerabilities. In particular, an analysis was carried out using metadata created by researchers about the elimination of security vulnerabilities in the field of agile software development. As a result of the analysis, various results were obtained in the field of Scrum and security. It was obtained that starting with Scrum during the software development phase in eliminating the problems caused by security vulnerabilities has an important place. In addition, there is a close relationship between the keywords Scrum and security, there are more studies in the field of computer science, and studies in the field of security and software are especially accepted. These results show that security processes have a place in the Scrum field. The inclusion of security in the process during the software development phase will enable a more robust system design in response to future security vulnerabilities.

Compliance with Ethical Standards

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Funding

This work was not funded by any organization.

Credit author statement

Ömer KASIM: Conceptualization, Methodology, Software, Data curation, Writing- Original draft preparation, Visualization, Investigation, Supervision., Software, Validation, Writing- Reviewing and Editing,

Williams, L., Meneely, A., & Shipley, G. (2010). Protection poker: The new software security" game". IEEE Security & Privacy, 8(3), 14-20.
Hron, M., & Obwegeser, N. (2022). Why and how is Scrum being adapted in practice: A systematic review. Journal of Systems and Software, 183, 111110.
López, L., Manzano, M., Gómez, C., Oriol, M., Farré, C., Franch, X., ... & Vollmer, A. M. (2021). QaSD: a quality-aware strategic dashboard for supporting decision makers in agile software development. Science of Computer Programming, 202, 102568.
Weir, C., Becker, I., Noble, J., Blair, L., Sasse, M. A., & Rashid, A. (2020). Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers. Software: Practice and Experience, 50(3), 275-298.
Tøndel, I. A., & Cruzes, D. S. (2022). Continuous software security through security prioritisation meetings. Journal of Systems and Software, 194, 111477.
Palombo, H., Ziaie Tabari, A., Lende, D., Ligatti, J., & Ou, X. (2020, August). An ethnographic understanding of software (in) security and a co-creation model to improve secure software development. In Proceedings of the Sixteenth Symposium on Usable Privacy and Security.
Alsaqaf, W., Daneva, M., & Wieringa, R. (2017). Quality requirements in large-scale distributed agile projects–a systematic literature review. In Requirements Engineering: Foundation for Software Quality: 23rd International Working Conference, REFSQ 2017, Essen, Germany, February 27–March 2, 2017, Proceedings 23 (pp. 219-234). Springer International Publishing.
Behutiye, W., Karhapää, P., López, L., Burgués, X., Martínez-Fernández, S., Vollmer, A. M., ... & Oivo, M. (2020). Management of quality requirements in agile and rapid software development: A systematic mapping study. Information and software technology, 123, 106225.
Karhapää, P., Behutiye, W., Rodríguez, P., Oivo, M., Costal, D., Franch, X., ... & Abherve, A. (2021). Strategies to manage quality requirements in agile software development: a multiple case study. Empirical Software Engineering, 26(2), 28.
Bugeja, J., Vogel, B., Jacobsson, A., & Varshney, R. (2019, March). IoTSM: an end-to-end security model for IoT ecosystems. In 2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops) (pp. 267-272). IEEE.
Simpson, J. J., Simpson, M. J., Endicott-Popovsky, B., & Popovsky, V. (2010). Secure software education: A contextual model-based approach. International Journal of Secure Software Engineering (IJSSE), 1(4), 35-61.
Rindell, K., Ruohonen, J., Holvitie, J., Hyrynsalmi, S., & Leppänen, V. (2021). Security in agile software development: A practitioner survey. Information and Software Technology, 131, 106488.
Lischka, A., Wolfering-Zoerner, M., & Faust, E. (2019). Generating Value Through Digitalization: Simple and Digital. Future Telco: Successful Positioning of Network Operators in the Digital Age, 371-380.
Moyo, S., & Mnkandla, E. (2020). A novel lightweight solo software development methodology with optimum security practices. IEEE Access, 8, 33735-33747.
Ghani, I., Azham, Z., & Jeong, S. R. (2014). Integrating software security into agile-Scrum method. KSII Transactions on Internet and Information Systems (TIIS), 8(2), 646-663.
Maier, P., Ma, Z., & Bloem, R. (2017, August). Towards a secure Scrum process for agile web application development. In Proceedings of the 12th International Conference on Availability, Reliability and Security (pp. 1-8).
Erdogan, G., Meland, P. H., & Mathieson, D. (2010). Security testing in agile web application development-a case study using the east methodology. In Agile Processes in Software Engineering and Extreme Programming: 11th International Conference, XP 2010, Trondheim, Norway, June 1-4, 2010. Proceedings 11 (pp. 14-27). Springer Berlin Heidelberg.
Poller, A., Kocksch, L., Türpe, S., Epp, F. A., & Kinder-Kurlanda, K. (2017, February). Can security become a routine? A study of organizational change in an agile software development group. In Proceedings of the 2017 ACM conference on computer supported cooperative work and social computing (pp. 2489-2503).
Singh, N., Patel, P., & Datta, S. (2021, December). A survey on security and human-related challenges in agile software deployment. In 2021 International Conference on Computational Science and Computational Intelligence (CSCI) (pp. 1976-1982). IEEE.
McDonald, J. T., Trigg, T. H., Roberts, C. E., & Darden, B. J. (2016). Security in agile development: Pedagogic lessons from an undergraduate software engineering case study. In Cyber Security: Second International Symposium, CSS 2015, Coeur d'Alene, ID, USA, April 7-8, 2015, Revised Selected Papers 2 (pp. 127-141). Springer International Publishing.
Gomero-Fanny, V., Bengy, A. R., & Andrade-Arenas, L. (2021). Prototype of web system for organizations dedicated to e-commerce under the Scrum methodology. International Journal of Advanced Computer Science and Applications, 12(1).
Smith, R., Janicke, H., He, Y., Ferra, F., & Albakri, A. (2021). The agile incident response for industrial control systems (AIR4ICS) framework. Computers & Security, 109, 102398.
Sharma, A., & Bawa, R. K. (2020). Identification and integration of security activities for secure agile development. International Journal of Information Technology, 1-14.
Tøndel, I. A., Cruzes, D. S., Jaatun, M. G., & Sindre, G. (2022). Influencing the security prioritisation of an agile software development project. Computers & Security, 118, 102744.
Sharma, K., & Bala, M. (2021). New failure rate model for iterative software development life cycle process. Automated Software Engineering, 28(2), 9.
Kosztyán, Z. T., Novák, G., Jakab, R., Szalkai, I., & Hegedűs, C. (2023). A matrix-based flexible project-planning library and indicators. Expert Systems with Applications, 216, 119472.
Rahy, S., & Bass, J. M. (2022). Managing non‐functional requirements in agile software development. IET Software, 16(1), 60-72.
Chantit, S., & Essebaa, I. (2021). Towards an automatic model-based Scrum Methodology. Procedia Computer Science, 184, 797-802.
Przybyłek, A., Albecka, M., Springer, O., & Kowalski, W. (2022). Game-based Sprint retrospectives: multiple action research. Empirical Software Engineering, 27, 1-56.
Aurisch, R., Ahmed, M., & Barkat, A. (2021). An outlook at Agile methodologies for the independent games developer. International Journal of Computers and Applications, 43(8), 812-818.
Nath, P., Mushahary, J. R., Roy, U., Brahma, M., & Singh, P. K. (2023). AI and Blockchain-based source code vulnerability detection and prevention system for multiparty software development. Computers and Electrical Engineering, 106, 108607.
Bayram, E., Doğan, B., & Tunalı, V. (2022). A Tertiary Study And Social Network Analysis On Agile Software Development Methodology. International Journal of Advances in Engineering and Pure Sciences, 33, 35-46.

No competing interests reported.

Download PDF

Version 1

posted

You are reading this latest preprint version

Secure Agile Software Development with Scrum Strategy

Status:

Version 1

Abstract

Figures

1. Introduction

2. Related Works

3. Material And Methods

3.1. Research Questions

3.2. Dataset of the study

4. Results And Discussions

5. Conclusion

Declarations

References

Additional Declarations

Status:

Version 1