Aligning Security Objectives With Agile Software Development




Kalle Rindell, Sami Hyrynsalmi, Ville Leppänen

Martin Gilje Jaatun, Daniela Soares Cruzes

International Conference on Agile Software Development

New York, NY

2018

Proceedings of the 19th International Conference on Agile Software Development: Companion

9

ISBN 978-1-4503-6422-5

DOI: https://doi.org/10.1145/3234152.3234187



The success of a software development process is defined by its ability to
transform business objectives into requirements and requirements
into functionality. Software typically also has security objectives,
which are achieved through security engineering activities. In contrast to the
iterative and incremental software development process, security
engineering is defined by sequential life cycle models. Security
and business objectives are thus implemented using conflicting
approaches. To pinpoint the incompatibilities between the methodologies,
this study maps security engineering activities onto
common agile software development practices, processes and artifacts.
The security engineering activities are extracted from several
security development life cycle models: Microsoft SDL, the ISO Common
Criteria and OWASP SAMM; the agile activities are taken from an
industry survey. The organizational and technical aspects of the
mapping are considered primarily from the point of view of achieving
the security objectives set for the software engineering process:
setting security requirements for design, implementing and
verifying them, and releasing secure software through an efficient
security development process.



Last updated on 2024-11-26 at 23:10