
The investigation of security issues in agile methodologies

This thesis is an empirical study of the effects of integrating predominant security mechanisms into Agile methodologies. Claims uncovered throughout our review of the literature and research are presented along with our findings, analysis, and interpretation of the qualitative and quantitative phases, which underscore the gap in the literature in the past few years. In this thesis the researcher uses the issues raised in the literature and incorporates empirical findings from practitioners working in the field to form a cohesive and complete investigation into the predominant security practices that are suitable for inclusion in Agile. Current security issues related and applicable to popular Agile methodologies such as Scrum and eXtreme Programming (XP) are examined, and their effects on the process and the final product are researched, quantified, analyzed, interpreted, and summarized. This is done to gain a more practical and in-depth understanding of the security issues and the effectiveness of methods proposed for use in the Agile software development field today. The research considered their potential for inclusion (and possible integration) into Agile methods from multiple perspectives, utilizing a mixed-method approach of in-depth empirical interviews, empirical surveys, and an academic experiment to test those findings. In this manuscript we present the research along with the findings obtained, our conclusions, and the future direction of the research. The contribution of this work is to identify and empirically classify outstanding issues that were agreed upon by practitioners and experts in the field. The most popular of these turned out to be the addition of the security engineer or experienced developers to the Agile team to bolster the resulting software’s security assurance argument.
Others, aimed at modifying aspects of Agile that were deemed necessary for security, include documentation, risk analysis, or the need for better tools. Building software with security in mind and the use of software security controls were also important findings from the qualitative phase of the study. These, along with our own findings, formed the basis of the comprehensive survey of practitioners to gauge the suitability and feasibility of those issues and solutions for possible inclusion into Agile. The significant findings from our survey suggested that the most suitable mechanisms are the addition of a dedicated Security Engineer and of more experienced developers to the Agile team, and the use of software security controls. Based on these results we put together an experimental trial to test the effect of more experienced developers on the Agile team on the process, the final product (the software produced), and the people involved (the stakeholders in Agile projects). The statistically significant result of the experiment affirmed the hypothesis that the inclusion of more experienced developer(s) in the Agile team increased the team’s overall awareness of security compared to the less experienced team(s).

Identifier: oai:union.ndltd.org:bl.uk/oai:ethos.bl.uk:635487
Date: January 2014
Creators: Alnatheer, Ahmed
Contributors: Gravell, Andrew
Publisher: University of Southampton
Source Sets: Ethos UK
Detected Language: English
Type: Electronic Thesis or Dissertation
Source: https://eprints.soton.ac.uk/374168/
