Combining software engineering and security engineering on a methodological level opens several avenues for research, many of them covered in the section describing the limitations. Each development phase in the security development lifecycle provides room for improvement over current software and system engineering practices. This involves iterative and incremental risk management and design practices, as well as security implementation, verification, and validation practices. Continuous delivery models tie security incident management to the development life cycle and call for specialized tools with a security aspect, as well as efficient work management and organizing methods. Security assurance should similarly be automated and kept up to date with the security controls and structures actually in use; security assurance can serve three roles: security evidence, security guidance, and security forensics – preferably all three at once. Defining the security rationale and setting the security objectives combines an understanding of the security threats with the value of the information assets to be protected. In software security engineering these are to be combined with the resources at disposal as effectively as possible: efficient and systematic security management is a foundation of an organization's software security. Security education creates awareness, which guides and motivates the security work.
Much of software engineering work and its publications are purely technical and not published in academic forums. Convergence of industry and academia is beneficial for both: theoretical work and practical innovations follow and enable each other. Merging practices and sharing information benefits all parties, and this should include the principles guiding information security and especially security regulation. In software security, quantitative and qualitative data should drive the development of both regulative and technical frameworks. Efficiency and security are tangible yet elusive goals: effectiveness and competitiveness can be maintained only by constant, ongoing change.
A major part of the future work is practical and empirical research. The main topics in these areas are security architectures, security techniques, and security tools. Metrics, as a component of security improvement, together with security verification and security management, provide further interesting research topics. The security maturity models suggest that the security effort be measured, but offer only fragmentary practical suggestions as to what should be measured and how. To measure the effectiveness and efficacy of security, metrics and monitoring are to be developed. Engineering of security requirements and objectives is directly connected to system engineering, and the iterative and incremental models are yet to be applied to this field. Guiding the software development work by a security rationale as the minimum viable security could benefit from aspect-oriented and agent-oriented design and implementation techniques. These are all bound together by the use of a development methodology and security activities, which were the focus area of this research.
Developing secure software is the result of skill and resources combined into a managed process. The strategic goal is improved software security using pre-emptive means: risk mitigation where it can be done most effectively. The strategic goal is achieved by education and awareness, and by methodological and technological innovation. The research presented in this thesis provides a framework for implementing this security strategy: techniques to assess and analyze security risk, to form a security rationale, and to produce provably secure software efficiently.
Software security is in an ongoing competition with constantly evolving security threats. The theory of natural selection by Charles Darwin (1859) appears directly applicable to information security in organizations and software projects: the ones that succeed are the ones most adaptable to change. The evolution of methodologies has defined new prerequisites, to which software security engineering and security regulation will now have to adapt.
Abrahamsson, P., Babar, M. A., and Kruchten, P. (2010). Agility and architecture: Can they coexist? IEEE Software, 27(2):16–22.
Abrahamsson, P., Salo, O., Ronkainen, J., and Warsta, J. (2002). Agile software development methods: Review and analysis. VTT Publication 478.
Abrahamsson, P., Warsta, J., Siponen, M. T., and Ronkainen, J. (2003). New directions on agile methods: A comparative analysis. In Proceedings of the 25th International Conference on Software Engineering, ICSE '03, pages 244–254, Washington, DC, USA. IEEE Computer Society.
Adelyar, S. H. and Norta, A. (2016). Towards a secure agile software development process. In 2016 10th International Conference on the Quality of Information and Communications Technology (QUATIC), volume 00, pages 101–106.
Ahmad, M. O., Markkula, J., and Oivo, M. (2013). Kanban in software development: A systematic literature review. In 2013 39th Euromicro Conference on Software Engineering and Advanced Applications, pages 9–16.
Ambler, S. W. and Lines, M. (2012a). Disciplined Agile Delivery: A Practitioner's Guide to Agile Software Delivery in the Enterprise. IBM Press, 1st edition.
Ambler, S. W. and Lines, M. (2012b). Disciplined Agile Delivery: A Practitioner's Guide to Agile Software Delivery in the Enterprise. IBM Press.
Anderson, D. J., Concas, G., Lunesu, M. I., Marchesi, M., and Zhang, H. (2012). A comparative study of Scrum and Kanban approaches on a real case study using simulation. In Wohlin, C., editor, Agile Processes in Software Engineering and Extreme Programming, pages 123–137, Berlin,
Anderson, J. C., Rungtusanatham, M., and Schroeder, R. G. (1994). A theory of quality management underlying the Deming management method. Academy of Management Review, 19(3):472–509.
Anderson, R. J. (2008). Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley Publishing, 2nd edition.
Avizienis, A., Laprie, J. C., Randell, B., and Landwehr, C. (2004). Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing, 1(1):11–33.
Ayalew, T., Kidane, T., and Carlsson, B. (2013). Identification and Evaluation of Security Activities in Agile Projects, pages 139–153. Springer Berlin Heidelberg, Berlin, Heidelberg.
Baca, D. and Carlsson, B. (2011). Agile development with security engineering activities. In Proceedings of the 2011 International Conference on Software and Systems Process, ICSSP '11, pages 149–158, New York, NY, USA. ACM.
Baskerville, R. and Siponen, M. (2002). An information security meta-policy for emergent organizations. Logistics Information Management, 15(5/6):337–346.
Bayuk, J. and Mostashari, A. (2013). Measuring systems security. Systems Engineering, 16(1):1–14.
Beck, K. (2000). Extreme Programming Explained: Embrace Change. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA.
Beck, K., Beedle, M., Van Bennekum, A., Cockburn, A., Cunningham, W., Fowler, M., Grenning, J., Highsmith, J., Hunt, A., Jeffries, R., et al. (2001). Manifesto for agile software development. Online at http://www.agilemanifesto.org.
Bellomo, S., Kruchten, P., Nord, R. L., and Ozkaya, I. (2014). How to agilely architect an agile architecture. Cutter IT Journal, 27(2):12–17.
ben Othmane, L., Angin, P., Weffers, H., and Bhargava, B. (2014). Extending the agile development process to develop acceptably secure software. IEEE Transactions on Dependable and Secure Computing, 11(6):497–509.
Beznosov, K. and Kruchten, P. (2004). Towards agile security assurance. In Proceedings of the 2004 Workshop on New Security Paradigms, NSPW ’04, pages 47–54, New York, NY, USA. ACM.
Blackburn, J. D., Scudder, G. D., and Wassenhove, L. N. V. (1996). Improving speed and productivity of software development: a global survey of software developers. IEEE Transactions on Software Engineering, 22(12):875–885.
Boehm, B. (2006). Some future trends and implications for systems and software engineering processes. Systems Engineering, 9(1):1–19.
Boehm, B. and Turner, R. (2003a). Balancing Agility and Discipline: A Guide for the Perplexed. Addison-Wesley, New York.
Boehm, B. and Turner, R. (2003b). Observations on balancing discipline and agility. In Proceedings of the Agile Development Conference, 2003. ADC 2003, pages 32–39.
Boehm, B. and Turner, R. (2004). Balancing agility and discipline: evaluating and integrating agile and plan-driven methods. In Proceedings. 26th International Conference on Software Engineering, pages 718–719.
Boehm, B. W. (1991). Software risk management: principles and practices. IEEE Software, 8(1):32–41.
Boström, G., Henkel, M., and Wäyrynen, J. (2005). Aspects in the agile toolbox. In Bergmans, L., Gybels, K., Tarr, P., and Ernst, E., editors, Software Engineering Properties of Languages and Aspect Technologies.
Boström, G., Wäyrynen, J., Bodén, M., Beznosov, K., and Kruchten, P. (2006). Extending XP practices to support security requirements engineering. In Proceedings of the 2006 International Workshop on Software Engineering for Secure Systems, SESS '06, pages 11–18, New York, NY, USA. ACM.
Bruegge, B. and Dutoit, A. H. (2003). Object-Oriented Software Engineering: Using UML, Patterns and Java, Second Edition. Prentice-Hall, Inc., Upper Saddle River, NJ, USA.
Brunet, P. (2000). Kaizen in Japan. In IEE Seminar. Kaizen: From Understanding to Action (Ref. No. 2000/035), pages 1/1–1/10.
CCRA (2017a). The common criteria part 1: Introduction and general model, version 3.1.
CCRA (2017b). The Common Criteria part 2: Security functional components, version 3.1.
CCRA (2017c). The Common Criteria part 3: Security assurance components, version 3.1.
Chapple, M., Stewart, J. M., and Gibson, D. (2018). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. John Wiley & Sons, 8th edition.
Cleghorn, L. (2013). Network defense methodology: A comparison of defense in depth and defense in breadth. Journal of Information Security, 4(3):144–149.
Cockburn, A. (2000). Writing Effective Use Cases, The Crystal Collection for Software Professionals. Addison-Wesley Professional.
Cockburn, A. (2002). Agile Software Development. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA.
Cockburn, A. (2006). Agile Software Development: The Cooperative Game (2nd Edition) (Agile Software Development Series). Addison-Wesley Professional.
Conboy, K., Fitzgerald, B., and Golden, W. (2005). Agility in information systems development: A three-tiered framework. In Baskerville, R. L., Mathiassen, L., Pries-Heje, J., and DeGross, J. I., editors, Business Agility and Information Technology Diffusion: IFIP TC8 WG 8.6 International Working Conference May 8–11, 2005, Atlanta, Georgia, U.S.A., pages 35–49, Boston, MA. Springer US.
Creswell, J. W. (2003). Research Design: Qualitative and Quantitative and Mixed Methods Approaches. SAGE Publications, Inc., Thousand Oaks, California, 2nd edition.
Cruzes, D. S., Felderer, M., Oyetoyan, T. D., Gander, M., and Pekaric, I. (2017). How is security testing done in agile teams? A cross-case analysis of four software teams. In Baumeister, H., Lichter, H., and Riebisch, M., editors, Agile Processes in Software Engineering and Extreme Programming, pages 201–216, Cham. Springer International Publishing.
Darwin, C. (1859). On the origin of species by means of natural selection. Murray, London.
Davis, N. (2005). Secure software development life cycle processes: A technology scouting report. Technical report, Carnegie Mellon University Software Engineering Institute, Pittsburgh, PA.
De Win, B., Vanhaute, B., and De Decker, B. (2002). Security through aspect-oriented programming. In De Decker, B., Piessens, F., Smits, J., and Van Herreweghen, E., editors, Advances in Network and Distributed on Network Security November 26–27, 2001, Leuven, Belgium, pages 125–138, Boston, MA. Springer US.
Department of Defense Information Analysis Center (2018). DoD Cybersecurity Policy Chart, December 2018.
Dijkstra, E. W. (1972). The humble programmer. Communications of the ACM, 15(10):859–866.
DoD (1985a). Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments. United States Department of Defense.
DoD (1985b). Trusted Computer System Evaluation Criteria. United States Department of Defense.
Dorca, V., Munteanu, R., Popescu, S., Chioreanu, A., and Peleskei, C. (2016). Agile approach with Kanban in information security risk management. In 2016 IEEE International Conference on Automation, Quality and Testing, Robotics (AQTR), pages 1–6.
Elahi, G., Yu, E., Li, T., and Liu, L. (2011). Security requirements engineering in the wild: A survey of common practices. In 2011 IEEE 35th Annual Computer Software and Applications Conference, pages 314–319.
Felderer, M. and Schieferdecker, I. (2014). A taxonomy of risk-based testing. International Journal on Software Tools for Technology Transfer, 16(5):559–568.
Fitzgerald, B., Stol, K., O'Sullivan, R., and O'Brien, D. (2013). Scaling agile methods to regulated environments: An industry case study. In 2013 35th International Conference on Software Engineering (ICSE), pages 863–872.
Fitzgerald, B., Stol, K.-J., O'Sullivan, R., and O'Brien, D. (2013). Scaling agile methods to regulated environments: An industry case study. In Proceedings of the 2013 International Conference on Software Engineering, ICSE '13, pages 863–872.
Ge, X., Paige, R., Polack, F., and Brooke, P. (2007). Extreme programming security practices. In Concas, G., Damiani, E., Scotto, M., and Succi, G., editors, Agile Processes in Software Engineering and Extreme Programming, volume 4536 of Lecture Notes in Computer Science, pages 226–230. Springer Berlin Heidelberg.
Glass, R. L. (2003). Facts and Fallacies of Software Engineering. Addison-Wesley Professional.
Hamidovic, H. (2012). Fundamental concepts of IT security assurance. ISACA Journal, 2:45.
Herath, T. and Rao, H. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2):154–165.
Hevner, A. and March, S. T. (2004). Design science research in information systems. MIS quarterly, 28(1):75–105.
Holvitie, J., Licorish, S. A., Spínola, R. O., Hyrynsalmi, S., MacDonell, S. G., Mendes, T. S., Buchan, J., and Leppänen, V. (2017). Technical debt and agile software development practices and processes: An industry practitioner survey. Information and Software Technology.
Howard, M. (2004). Building more secure software with improved development processes. IEEE Security & Privacy, 2(6):63–65.
Howard, M. and Lipner, S. (2006). The Security Development Lifecycle. Microsoft Press, Redmond, WA, USA.
Huo, M., Verner, J., Liming, Z., and Babar, M. (2004). Software quality and agile methods. In Proceedings of the 28th Annual International Computer Software and Applications Conference, 2004. COMPSAC 2004., pages 520–525.
Hutchins, E. M., Cloppert, M. J., and Amin, R. M. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1(1):80–106.
ICS-CERT (2016). Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. U.S. Homeland Security.
Ingalsbe, J. A., Kunimatsu, L., Baeten, T., and Mead, N. R. (2008). Threat modeling: Diving into the deep end. IEEE Software, 25(1):28–34.
ISO/IEC Standard 27034-1:2011 (2011). Information technology – Security techniques – Application security – Part 1: Overview and concepts. ISO/IEC.
ISO/IEC Standard 15026-1:2013 (2013). Systems and software engineering – Systems and software assurance – Part 1: Concepts and vocabulary. ISO/IEC.
ISO/IEC Standard 15026-2:2011 (2011). Systems and software engineering
ISO/IEC Standard 15288 (2015). Systems and software engineering – System life cycle processes. ISO/IEC.
ISO/IEC Standard 15408-1:2009 (2014). Information technology – Security techniques – Evaluation criteria for IT security. ISO/IEC, 3rd edition.
ISO/IEC Standard 15443-1:2012 (2012). Information technology – Security techniques – Security assurance framework – Part 1: Introduction and concepts. ISO/IEC.
ISO/IEC Standard 21827:2008 (2008). Information technology – Security techniques – Systems Security Engineering – Capability Maturity Model (SSE-CMM). ISO/IEC, 2nd edition.
ISO/IEC Standard 27005:2018 (2018). Information technology – Security techniques – Information security risk management. ISO/IEC.
ISO/IEC Standard 33001:2015 (2015). Information technology – Process assessment – Concepts and terminology. ISO/IEC.
ISO/IEC/IEEE Standard for Systems and software engineering (2010). International Standard – Systems and software engineering – Vocabulary. ISO/IEC/IEEE 24765:2010(E), pages 1–418.
ISO/IEC/IEEE Standard for Systems and Software Engineering Life Cycle Management (2018). International Standard – Systems and software engineering – Life cycle management – Part 1: Guidelines for life cycle management. ISO/IEC/IEEE 24748-1:2018, pages 1–82.
Jakobsen, C. R. and Sutherland, J. (2009). Scrum and CMMI: Going from good to great. In 2009 Agile Conference, pages 333–337.
Järvinen, P. (2004). Research questions guiding selection of an appropriate research method. Series of Publications D – Net Publications D-2004-5, Department of Computer Sciences, University of Tampere, Tampere, Finland.
Karlstrom, D. and Runeson, P. (2005). Combining agile methods with stage-gate project management. IEEE Software, 22(3):43–49.
Kim, G., Debois, P., Willis, J., and Humble, J. (2016). The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations. IT Revolution Press.
Kitchenham, B., Brereton, O. P., Budgen, D., Turner, M., Bailey, J., and Linkman, S. (2009). Systematic literature reviews in software engineering – a systematic literature review. Information and Software Technology, 51(1):7–15. Special Section – Most Cited Articles in 2002 and Regular Research Papers.
Kitchenham, B. A. and Pfleeger, S. L. (2002). Principles of survey research part 2: Designing a survey. SIGSOFT Softw. Eng. Notes, 27(1):18–20.
Knaster, R. and Leffingwell, D. (2018). SAFe 4.5 Distilled: Applying the Scaled Agile Framework for Lean Software and Systems Engineering. Addison-Wesley Professional, 2nd edition.
Kniberg, H. and Ivarsson, A. (2012). Scaling Agile @ Spotify. https://creativeheldstab.com/wp-content/uploads/2014/09/scaling-agile-spotify-11.pdf.
Kongsli, V. (2006). Towards agile security in web applications. In Companion to the 21st ACM SIGPLAN Symposium on Object-oriented Programming Systems, Languages, and Applications, OOPSLA '06, pages 805–808, New York, NY, USA. ACM.
Kruchten, P. (2000). The Rational Unified Process: An Introduction, Second Edition. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2nd edition.
Kruchten, P. (2010). Software architecture and agile software development: A clash of two cultures? In Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering – Volume 2, ICSE '10, pages 497–498, New York, NY, USA. ACM.
Krutz, R. L. and Vines, R. D. (2010). Cloud Security: A Comprehensive Guide to Secure Cloud Computing. Wiley Publishing.
Laukkarinen, T., Kuusinen, K., and Mikkonen, T. (2018). Regulated software meets DevOps. Information and Software Technology, 97:176–178.
Licorish, S. A., Holvitie, J., Hyrynsalmi, S., Leppänen, V., Spínola, R. O., Mendes, T. S., MacDonell, S. G., and Buchan, J. (2016). Adoption and suitability of software development methods and practices. In 2016 23rd Asia-Pacific Software Engineering Conference (APSEC), pages 369–372.
Marcal, A. S. C., Soares, F. S. F., and Belchior, A. D. (2007). Mapping CMMI project management process areas to Scrum practices. In 31st IEEE Software Engineering Workshop (SEW 2007), pages 13–22.
McGraw, G. (2006). Software Security: Building Security In. Addison-Wesley Professional.
Mead, N. (2015). Security Quality Requirements Engineering (SQUARE). Software Engineering Institute (SEI).
Mead, N. R. and Stehney, T. (2005). Security quality requirements engineering (SQUARE) methodology. SIGSOFT Softw. Eng. Notes, 30(4):1–7.
Microsoft (2017). Agile development using Microsoft Security Development Lifecycle.
MITRE CVE (2018). National Vulnerability Database.
Mohan, V. and Othmane, L. B. (2016). SecDevOps: Is it a marketing buzzword? Mapping research on security in DevOps. In 2016 11th International Conference on Availability, Reliability and Security (ARES), pages 542–547.
Moyon, F., Beckers, K., Klepper, S., Lachberger, P., and Bruegge, B. (2018). Towards continuous security compliance in agile software development at scale. In 2018 IEEE/ACM 4th International Workshop on Rapid Continuous Software Engineering (RCoSE), pages 31–34.
NIST (2006). Standard for minimum security requirements for federal information and information systems. Federal Information Processing Standards (FIPS) publication 200.
NIST NVD (2018). National Vulnerability Database.
OWASP SAMM (2017). Software Assurance Maturity Model.
Oyetoyan, T. D., Cruzes, D. S., and Jaatun, M. G. (2016). An empirical study on the relationship between software security skills, usage and training needs in agile settings. In 2016 11th International Conference on Availability, Reliability and Security (ARES), pages 548–555.
Patiño, S., Solís, E. F., Yoo, S. G., and Arroyo, R. (2018). ICT risk management methodology proposal for governmental entities based on ISO/IEC 27005. In 2018 International Conference on eDemocracy & eGovernment (ICEDEG), pages 75–82.
Pfleeger, S. L. and Kitchenham, B. A. (2001). Principles of survey research: Part 1: Turning lemons into lemonade. SIGSOFT Softw. Eng. Notes, 26(6):16–18.
Ponemon Institute (2017). Cost of cyber crime study. Accenture and Ponemon Institute LLC.
Ponemon Institute (2018). Cost of data breach study. IBM Security and Ponemon Institute LLC.
Poppendieck, M. and Poppendieck, T. (2003). Lean Software Development:
Poth, A., Sasabe, S., Mas, A., and Mesquida, A. (2018). Lean and agile software process improvement in traditional and agile environments. Journal of Software: Evolution and Process, 0(0).
Ramesh, B., Cao, L., and Baskerville, R. (2010). Agile requirements engineering practices and challenges: an empirical study. Information Systems Journal, 20(5):449–480.
Rantala, O.-P. and Kievari, T. (2016). Maailman luotetuinta digitaalista liiketoimintaa: Suomen tietoturvallisuusstrategia [The world's most trusted digital business: Finland's information security strategy].
Rindell, K. and Holvitie, J. (2019). Security Risk Assessment and Management as Technical Debt. In Proceedings of the IEEE Cyber Science 2019 Conference, June 3–4, 2019, Oxford, UK. IEEE.
Rindell, K., Holvitie, J., Ruohonen, J., Hyrynsalmi, S., and Leppänen, V. (2019a). Industry Survey of Secure Engineering Practices in Software Engineering. Article in review.
Rindell, K., Hyrynsalmi, S., and Leppänen, V. (2015a). A comparison of security assurance support of agile software development methods. In Proceedings of the 16th International Conference on Computer Systems and Technologies, CompSysTech '15, pages 61–68, New York, NY, USA. ACM.
Rindell, K., Hyrynsalmi, S., and Leppänen, V. (2015b). Securing Scrum for VAHTI. In Nummenmaa, J., Sievi-Korte, O., and Mäkinen, E., editors, Proceedings of 14th Symposium on Programming Languages and Software Tools, pages 236–250, Tampere, Finland. University of Tampere.
Rindell, K., Hyrynsalmi, S., and Leppänen, V. (2016). Case Study of Agile Security Engineering: Building Identity Management for a Government Agency. In Proceedings of Availability, Reliability and Security (ARES), 2016 11th International Conference, pages 556–563.
Rindell, K., Hyrynsalmi, S., and Leppänen, V. (2017a). Busting a Myth: Review of Agile Security Engineering Methods. In Proceedings of the 12th International Conference on Availability, Reliability and Security, ARES '17, pages 74:1–74:10, New York, NY, USA. ACM.
Rindell, K., Hyrynsalmi, S., and Leppänen, V. (2017b). Case Study of Agile Security Engineering: Building Identity Management for a Government Agency. International Journal of Secure Software Engineering, 8(8):43–57.
Rindell, K., Hyrynsalmi, S., and Leppänen, V. (2018a). Aligning Security Objectives With Agile Software Development. In Proceedings of XP '18 Companion, May 21–25, 2018, Porto, Portugal, XP '18, pages 0–0, New York, NY, USA. ACM.
Rindell, K., Hyrynsalmi, S., and Leppänen, V. (2018b). Fitting Security into Agile Software Development. International Journal of Systems and Software Security and Protection (IJSSSP), 9(1):47–70.
Rindell, K., Hyrynsalmi, S., and Leppänen, V. (2019b). Challenges in Agile Security Engineering: A Case Study. In Exploring Security in Software Architecture and Design, chapter 12, pages 287–312. IGI Global.
Rindell, K., Hyrynsalmi, S., and Leppänen, V. (2019c). Security Assurance in Agile Software Development Methods: An Analysis of Scrum, XP and Kanban. In Exploring Security in Software Architecture and Design, chapter 3, pages 47–68. IGI Global.
Rindell, K., Ruohonen, J., and Hyrynsalmi, S. (2018c). Surveying Secure Software Development Practices in Finland. In Proceedings of the 13th International Conference on Availability, Reliability and Security, ARES 2018, pages 6:1–6:7, New York, NY, USA. ACM.
Rodríguez, P., Markkula, J., Oivo, M., and Turula, K. (2012). Survey on agile and lean usage in Finnish software industry. In Proceedings of the 2012