SIG SEC - Information Security and Privacy


Paper Type

ERF (Emergent Research Forum)

Paper Number

1241

Description

Since the Agile Software Development (ASD) Manifesto (Fowler & Highsmith, 2001), ASD has offered a disciplined yet lightweight engineering method to serve organizations' application needs in a fast-evolving and uncertain business environment. According to the latest State of Agile survey (VersionOne, 2018), 97% of responding organizations practice ASD. While ASD has become mainstream, its emphasis on speed and on working software has also introduced significant security risk, including vulnerabilities, exploitation, and breaches. One emerging approach associated with ASD is the microservice architecture, which integrates third-party open-source libraries for rapid, frequent, and efficient delivery of large and complex applications in cloud environments. These open-source libraries underpin how applications are built now and will be built in the future. However, they are also a leading source of the vulnerabilities catalogued as Common Vulnerabilities and Exposures (CVEs). About 76% of applications contain at least one vulnerable open-source component, and each such component is attack surface that adversaries exploit (Veracode, 2021). Indeed, every business is eventually a digitally enabled business, and security breaches are inevitable (McLaughlin & Gogan, 2018). Yet the literature indicates that ASD security research is still nascent. Witnessing and anticipating the significant impact of ASD security risks such as the Log4Shell vulnerability in the Java Log4j logging library, this empirical study investigates the key technical and human vulnerabilities and risks across eight major programming languages and the main challenges to implementing security requirements. We also examine the vulnerability and ASD security impact of Work from Home (WFH), which has increased significantly since COVID-19 and is predicted to remain a new way of working.
Partnering with a cloud-based SaaS security company with over 2,500 clients worldwide, this research collects qualitative data through interviews and quantitative data from the company's real-time vulnerability database. We identify emerging evidence to support best practices for risk control in ASD and recommend remediations that address vulnerabilities comprehensively and in a timely manner. The findings can help organizations develop policies for ASD security management and compliance, and researchers can apply our results to guide future ASD security risk studies across emerging-technology contexts.
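The dependency-level exposure the abstract describes (a pinned open-source library sitting inside a CVE's affected version range, as happened with Log4j) is what a software-composition-analysis (SCA) check in the delivery pipeline is meant to catch. The following is an added example, not code or data from this study: a minimal SCA matcher in Python that parses a constructed Maven-style lockfile, compares each pinned version against a constructed advisory list carrying [introduced, fixed) ranges, and reports the affected packages with the upgrade that clears the finding. The package coordinates are real Maven artifact names, but the advisory identifiers (ADV-0001, ADV-0002) and their ranges are placeholders rather than real CVE records; a production check would take them from a feed such as OSV or the NVD.

```python
"""Minimal software-composition-analysis (SCA) check.

Added example, not the study's code. Matches pinned dependency versions
from a lockfile against advisories that carry [introduced, fixed) version
ranges and reports what must be upgraded.
"""
import re

# Constructed lockfile in Maven coordinate form (group:artifact:version).
# Coordinates are real artifact names; the pins are illustrative.
LOCKFILE = """\
# pinned third-party dependencies
org.apache.logging.log4j:log4j-core:2.14.1
com.fasterxml.jackson.core:jackson-databind:2.13.4
org.springframework:spring-core:5.3.20
"""

# Constructed advisories. IDs and ranges are placeholders, not real CVE data.
# A version is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "package": "org.apache.logging.log4j:log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0", "severity": "critical"},
    {"id": "ADV-0002", "package": "com.fasterxml.jackson.core:jackson-databind",
     "introduced": "2.13.0", "fixed": "2.13.4", "severity": "high"},
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?$")


def parse_version(version):
    """Turn '2.14.1' or '2.0-beta9' into a tuple that sorts correctly.

    Numeric components compare numerically (2.10 > 2.9) and are padded so
    that 2.0 equals 2.0.0; a pre-release suffix sorts before the bare
    release of the same number (2.0-beta9 < 2.0).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * max(0, 4 - len(nums))
    if m.group(2):
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))
    else:
        pre = (1, "", 0)  # a release sorts after any pre-release
    return nums + pre


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (the fixed version is safe)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def parse_lockfile(text):
    """Return (package, version) pairs, skipping blank and comment lines."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        deps.append((f"{group}:{artifact}", version))
    return deps


def scan(lockfile_text, advisories):
    """Return one finding per (dependency, matching advisory) pair."""
    findings = []
    for package, version in parse_lockfile(lockfile_text):
        for adv in advisories:
            if adv["package"] != package:
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "package": package,
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "remediation": f"upgrade to >= {adv['fixed']}",
                })
    return findings


if __name__ == "__main__":
    for f in scan(LOCKFILE, ADVISORIES):
        print(f"{f['severity'].upper():8} {f['package']}@{f['version']} "
              f"({f['advisory']}): {f['remediation']}")
```

Two details carry most of the value. Versions are compared as parsed tuples, not strings, because string comparison puts "2.10" before "2.9" and silently misses an affected pin. The upper bound of each range is exclusive, so a dependency already on the fixed release (jackson-databind 2.13.4 above) is correctly reported clean while log4j-core 2.14.1 is flagged with the upgrade target.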

Comments

SIG SEC

Aug 10th, 12:00 AM

Agile Software Development Vulnerabilities and Challenges: An Empirical Study
