Gustav Boström ; Jaana Wäyrynen ; Marine Bodén, ; Konstantin Beznosov ; Philippe Kruchten

06 February 2006

Abstract: This paper proposes a way of extending eXtreme Programming (XP) practices, in particular the original planning game and the coding guidelines, to aid the developers and the customer to engineer security requirements while maintaining the iterative and rapid feedback-driven nature of XP. More specifically, these steps result in two new security-specific flavours of XP User stories: Abuser stories (threat scenarios) and Security-related User stories (security functionalities). The introduced extensions also aid in formulating security-specific coding and design standards to be used in the project, as well as in understanding the need for supporting specific Security-related User stories by the system. The proposed extensions have been tested in a student project.

Keyword(s): Security Engineering ; Requirements ; Agile Software Development ; eXtreme Programming ; Development methodology

Published in: Gustav Boström, Jaana Wäyrynen, Marine Bodén, Konstantin Beznosov, Philippe Kruchten, "Extending XP Practices to Support Security Requirements Engineering," Proceedings of Workshop on Software Engineering for Secure Systems (SESS), Shanghai, China, ACM, 20–21 May, 2006, pp.11-17.: