ORIGINAL RESEARCH

Identification and integration of security activities for secure agile development

Amit Sharma (1), R. K. Bawa (1)

(1) Punjabi University, Patiala, Punjab, India
Corresponding author: Amit Sharma, amitsharmapkl@gmail.com; R. K. Bawa, rajesh.k.bawa@gmail.com

Received: 16 May 2019 / Accepted: 26 February 2020
© Bharati Vidyapeeth's Institute of Computer Applications and Management 2020
Int. j. inf. tecnol., https://doi.org/10.1007/s41870-020-00446-4

Electronic supplementary material: The online version of this article (https://doi.org/10.1007/s41870-020-00446-4) contains supplementary material, which is available to authorized users.

Abstract

Agile software development is receiving the attention of software developers and researchers thanks to its fast software delivery and flexible development planning. Fast releases and simplified documentation lead to the agile development model being preferred over several traditional models. This, however, also raises critical concerns about security. In this research work, we propose a framework for secure agile development. The choice between agile and plan-driven approaches, and of the particular agile method among Extreme Programming (XP), Crystal Clear, Scrum, Lean Development, Dynamic Software Development Method and Feature-Driven Development, is made on the basis of the specific requirements of the project using empirical methods such as AHP and PROMETHEE. A Systematic Literature Review (SLR) and a survey study are used to obtain authentic industrial feedback, followed by the application of non-parametric statistical tests to identify and select the most suitable and beneficial security activities from well-known security engineering processes such as CLASP, Common Criteria, Cigital Touchpoints and Microsoft's SDL. A lightweight method is also introduced for integrating the security activities identified from the SLR and survey study, using a dynamic integration algorithm, without compromising the agility of the process. The proposed framework for integrating these security activities is implemented in Java to automate the entire process and provides maximum benefit at a low integration cost.

Keywords: Agile development; Security engineering; Agile security; CLASP; Common Criteria; Cigital Touchpoints; Microsoft SDL

1 Introduction

Agile development follows an informal and flexible approach, which differs from plan-driven development with its reliance on extensive formalization and documentation. In agile development only a very limited amount of formalization is required, and only where necessary. It usually emphasizes informal, dynamic and tacit knowledge-driven methods to develop projects of high business value. The Agile Manifesto [1] clearly describes these core values. The highest priority is given to continuous and early delivery of the software to satisfy the customer. Changing requirements are welcomed, even late in development; agile processes accommodate these changes for the customer's competitive advantage. The primary measure of progress is working software. The best designs and architectures evolve from self-organizing teams.

Although the agile development approach is gaining acceptance across the globe, it is found to have certain disadvantages related to security in software development [2, 3]. The main security issues with agile development arise from informal communication, self-organizing teams, tacit knowledge-driven methods and trust in individuals, as these conflict with the assurance and quality activities required by conventional secure software