Security Requirements Engineering in the Agile Era: How Does it Work in Practice?

2018 IEEE 1st International Workshop on Quality Requirements in Agile Projects (QuaRAP)(2018)

Cited by 11 | Viewed 10

Abstract
Currently many software companies attempt to integrate agile project delivery models with security requirements engineering (RE). However, very little is published on how this is achieved in real-life settings. This paper reports on results from a documentary study initiated to understand the agile-ready security practices that organizations use. We selected seven well-documented Security RE frameworks for agile projects that have been used in practice and carried out a qualitative thematic analysis based on documents describing the frameworks and their intended use in detail. This resulted in a list of solution practices that focus on introducing artefacts, organizational roles, competencies and activities in order to make sure that security RE is done systematically in agile project organizations. Our conclusion is that Security RE adds to the documentation in an agile project, as teams introduce new story types, e.g. evil user stories, abuser stories and security stories. In addition, we found that Security RE relies on investments in the security training of the agile project teams and in organizing hack sessions. Last, if companies take security requirements seriously, it seems that they should consider ignoring the gatekeeping role of the agile product owner.
Keywords

agile product owner, security requirements engineering, software companies, agile project delivery models, agile-ready security practices, qualitative thematic analysis, agile project organizations, documentation, security stories, documented security RE frameworks, organizational roles, artefacts, evil user stories, abuser stories, hack sessions, gatekeeping role