
Security engineering is an active area of research with multiple subtopics. Security in agile software engineering has been a subject of research since the early 2000s, with early work conducted by Wäyrynen et al. (2004), Kongsli (2006), and Boström et al. (2006). While much of the early research interest concentrated on the feasibility of agile software security engineering in general, Ge et al. (2007) made one of the initial efforts to develop and describe agile security architectures. Agile quality mechanisms were examined by Huo et al. (2004). More conceptual work on agile security engineering was conducted by Baca and Carlsson (2011), with empirical experimentation by e.g. Ayalew et al. (2013) and Oyetoyan et al. (2016), and with some noted challenges by Türpe and Poller (2017). Security assurance in agile development has been studied by Beznosov and Kruchten (2004) and ben Othmane et al. (2014). An objective similar to that of this research has also been chosen by Stirbu and Mikkonen (2018), who aim to achieve regulatory compliance more efficiently by utilizing agile methods, concentrating on the field of software safety.

From a software engineer’s point of view, software security engineering requires an understanding of the security objectives (what and why), and awareness of a wide array of security techniques for implementing the required security features and functionality. Requirements engineering, risk management, quality improvement, estimates and metrics, and formal methods are among the practices most closely involved in further developing software security engineering. The improvement process starts from security awareness, which is created by security research and training. Security is a relatively new focus area in software engineering, and increasing regulatory security constraints force the industry – and research – to meet the demand in an economical and efficient way that fits the prevalent software engineering methods. The future of security engineering is shared with software engineering, and this requires confluence and compatibility with agile methods.

The reduction of implementation-time errors is a central research topic. In this work, security awareness was identified as a crucial factor in the systematic reduction of security vulnerabilities. A solution suggested by Adelyar and Norta (2016) is agile agent-oriented modeling, which makes security principles a concrete part of software design and implementation. Another approach to finding a practical way to improve software security is aspect-oriented security programming and design, a concept suggested by De Win et al. (2002) and extended by e.g. Boström et al. (2005). In industry, the reduction of implementation-time errors is typically performed by following a precompiled list of instructions – a concept described by Tsipenyuk et al. (2005).

A primary mechanism for providing security assurance is to perform various forms of verification and validation. Recent work on validation and verification, and the methods involved, is summarized extensively in a systematic literature study by Such et al. (2016). An analysis of risk-based testing approaches was performed by Felderer and Schieferdecker (2014). Current issues and challenges in security testing in software development have been reported by Cruzes et al. (2017).

Software safety is a closely related field of research: software security and software safety share much of the same methodology and rationale. Agile methods have been used for safety-critical work by Fitzgerald et al. (2013); the effect of safety regulation on DevOps has been considered by Laukkarinen et al. (2018). The agile development process has been adapted to comply formally with the Capability Maturity Model’s maturity levels by e.g. Marcal et al. (2007) and Jakobsen and Sutherland (2009). Cases in which applying agile methods to security engineering was found to be hindered, or agile methods were found to be detrimental to software security, have also been reported by e.g. Türpe and Poller (2017). This indicates a need for further research in agile security engineering, and that alternative ways of producing safer software efficiently are required. Research on software standards for requirements engineering has been extensively mapped by Schneider and Berenbach (2013). Security engineering and software engineering are cross-disciplinary practices. System security engineering is defined in the United States Department of Defense’s guide for protection of trusted systems and networks (2017), page 14, as “an element of system engineering that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities”. Information security research draws methods and theories from e.g. philosophy, history, political science, sociology, psychology, law, statistics, computer science, physics and mathematics, as stated by Anderson (2008).

Software security engineering specifically concentrates on the security issues within software engineering: security metrics, formal software development methods, programming languages, software development methodologies, and security techniques and tools. There is a substantial overlap of methodologies and practices between software security and software quality improvement, although quality assurance techniques and tools alone do not sufficiently address the security-related requirements. Along with most fields of computing, software security engineering is also an opportune field for applications of machine learning and artificial intelligence research. Behavioural sciences, such as industrial and organizational psychology, are directly applicable to the design and development of secure information systems.

In addition to the above fields of research and application, the research topic includes several directly security-related fields of application. These include protection of intellectual property, identity management, cryptography, communication security, privacy, investigation of computer crime, and information warfare. Increasing legislative and regulatory pressure for the protection of privacy and related intellectual property rights promotes the privacy-related topics, mandating strict privacy policies for the management of sensitive data. Privacy cannot exist without security.

Software security engineering necessarily shares methodologies and characteristics with mainstream software engineering methods (Viega and McGraw (2002); McGraw (2006); Anderson (2008)). Consequently, following software engineering trends, software security engineering is predominantly based on automated tools. Software security is also increasingly formalized by regulatory requirements, which mandate not only secure coding practices but also concrete security features and functionality as requirements for software development. The methodologies are presented within the design science framework described by Hevner and March (2004).