  • Presenter: Johan Peeters
  • Type: simulation
  • Duration: 120 minutes
  • Audience: All

Abstract

A workshop on writing and planning abuser stories for a money laundering system.

Benefits of attending

The workshop addresses techniques for tracking complex security requirements in agile projects. It is received wisdom that agile processes are unsuitable for security-sensitive projects. The techniques elaborated in this workshop mitigate these perceived weaknesses.

What will the organiser learn

I am looking forward to refining my views on agile security requirements engineering by confronting them with the experience of agile practitioners.

Session Outline

  • 0 - 20 min: interactive presentation of the system to be built, including user stories. User stories have been written beforehand by the session organizer. They have also been annotated with business value and effort estimates. User stories and their annotations may be changed as a result of insights occurring during the session.
  • 20 - 80 min: writing abuser stories. In order to arrive at abuser stories, the assets needing protection and the potential attackers are investigated jointly by all participants (roughly 1/2 hour). The group is then split into pairs to write abuser stories (approx. 20 min). A plenary discussion and assessment of the cost of the respective abuser stories follows.
  • 80 - 100 min: planning game. In this part, the difficulty of refuting the individual abuser stories is assessed. A planning game is played using annotated abuser stories in addition to the habitual annotated user stories.
  • 100 - 120 min: evaluation. To what extent do abuser stories support agile security requirements tracking?

History

A precursor of this workshop was held at the AgileOpen 2005 conference. I will also present a paper on this topic at the Symposium on Requirements Engineering for Information Security during the 13th IEEE International Requirements Engineering Conference. The paper is available from my web site.

Important dates

  • Notification of session acceptance: Beginning of September 2005
  • Early registration deadline: October 15th
  • Registration deadline: November 14th
  • XP Day Benelux Conference: November 17th & 18th 2005

Organizers

Marc Evers, Piecemeal Growth