Secure requirements engineering in a constrained agile environment.


Requirements Engineering (RE) is a software engineering process that takes place early in the software development life cycle, namely during the planning phase. Its output is a list of highly refined requirements that serves as the blueprint for the system. It is vital to address critical issues such as security within RE, so as to avoid patching and hot-fixing later; exorbitant losses can be prevented through secure systems development. The purpose of this research study was to delineate Agile RE practices through a sequential explanatory mixed methods approach, in order to explicate the relationship between RE practices and the security of an application. An in-depth literature review was undertaken to understand RE processes and security approaches during application development. The mixed methods study was contextualised at seventeen software development companies in South Africa, and data were collected in three phases. In the first phase, the researcher used a field survey questionnaire as the primary research instrument to gather data on Agile RE practices such as elicitation, security approaches and requirements prioritisation. In the second phase, interviews were used as a qualitative data gathering tool to explain, triangulate and strengthen the survey results; the security of a random sample of live Agile Software Development artifacts was then evaluated with a dynamic application security testing (DAST) tool. To contribute to the body of knowledge, the researcher used fuzzy logic and fuzzy sets to develop an automated fuzzy tool that assists requirements engineers in controlling client requirements. The Design Science Research Methodology, an Information Systems (IS) theoretical framework, guided the development of the tool. The tool was evaluated in the third phase of data collection and showed positive results for ranking client requirements in Agile RE.
The major finding of this study was that although Agile RE practices in the real world are aligned to mainstream RE, proper security approaches are lacking. The problem is exacerbated by requirements engineers' lack of web application security knowledge and insufficient application security training. The study concludes that poor security practices in Agile RE have a negative impact on the security of the Agile Software Development product. As an implication of this study, the researcher suggests stricter adherence by practitioners to Agile Software Development principles and values as outlined in the Agile Manifesto and the Agile Security Manifesto.
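The abstract mentions a fuzzy-logic tool for ranking client requirements but does not describe its rules or membership functions. The following is an added illustration, not the thesis's tool or its data: a minimal Mamdani-style fuzzy inference system in which each requirement is scored on business value, security risk and implementation effort (constructed 0 to 10 inputs), fuzzified with assumed low/medium/high membership functions, pushed through an assumed rule base that refuses to defer security-critical work, and defuzzified by centroid into one priority score. The sample backlog, criteria and rules are all assumptions chosen to show the technique.

```python
"""Fuzzy-set ranking of client requirements, with security risk as a criterion.

Added illustration: a small Mamdani-style fuzzy inference system. The
membership functions, rule base and sample backlog are assumptions made
for this example; they are not the study's tool or its data.
"""
from dataclasses import dataclass

UNIVERSE = [i / 10 for i in range(101)]  # discretised output domain 0.0 .. 10.0


def low(x: float) -> float:
    """Membership in 'low': 1 at 0, falling linearly to 0 at 5 (assumed shape)."""
    return max(0.0, min(1.0, (5.0 - x) / 5.0))


def mid(x: float) -> float:
    """Membership in 'medium': triangle peaking at 5 with feet at 0 and 10."""
    return max(0.0, 1.0 - abs(x - 5.0) / 5.0)


def high(x: float) -> float:
    """Membership in 'high': 0 at 5, rising linearly to 1 at 10."""
    return max(0.0, min(1.0, (x - 5.0) / 5.0))


def fuzzify(x: float) -> dict:
    """Degree of membership of a crisp 0-10 score in each linguistic term."""
    return {"low": low(x), "mid": mid(x), "high": high(x)}


@dataclass
class Requirement:
    rid: str
    text: str
    value: float          # business value to the client, 0-10
    security_risk: float  # exposure if the requirement is delayed or done badly, 0-10
    effort: float         # estimated implementation effort, 0-10


def rule_strengths(req: Requirement) -> dict:
    """Fire the assumed rule base: AND is min, rules with the same consequent aggregate by max."""
    v, s, e = fuzzify(req.value), fuzzify(req.security_risk), fuzzify(req.effort)
    rules = [
        # Security-critical requirements are never deferred, whatever they cost.
        (s["high"], "high"),
        # High value is a high priority unless the effort is also high.
        (min(v["high"], 1.0 - e["high"]), "high"),
        (v["mid"], "mid"),
        (min(v["low"], s["low"]), "low"),
        # Expensive work that carries no security exposure can wait.
        (min(e["high"], s["low"]), "low"),
    ]
    strength = {"low": 0.0, "mid": 0.0, "high": 0.0}
    for weight, term in rules:
        strength[term] = max(strength[term], weight)
    return strength


def priority_score(req: Requirement) -> float:
    """Centroid defuzzification of the clipped, max-aggregated output sets."""
    s = rule_strengths(req)
    num = den = 0.0
    for y in UNIVERSE:
        mu = max(min(s["low"], low(y)), min(s["mid"], mid(y)), min(s["high"], high(y)))
        num += y * mu
        den += mu
    return num / den if den else 5.0  # no rule fired at all: neutral score


def rank(requirements: list) -> list:
    """Requirement ids ordered from highest to lowest priority score."""
    scored = [(priority_score(r), r.rid) for r in requirements]
    return [rid for _, rid in sorted(scored, key=lambda t: -t[0])]


# Constructed sample backlog (not data from the study).
BACKLOG = [
    Requirement("R1", "Password reset via emailed link", 6, 9, 4),
    Requirement("R2", "Dark-mode theme", 5, 1, 3),
    Requirement("R3", "Export reports to PDF", 8, 2, 8),
    Requirement("R4", "Rate-limit login attempts", 3, 8, 2),
]

if __name__ == "__main__":
    for r in BACKLOG:
        print(f"{r.rid} {priority_score(r):.2f} {r.text}")
    print("ranking:", rank(BACKLOG))
```

With these rules the two security-relevant items (R1 and R4) outrank the high-value but costly report export (R3) even though R4 has low business value, which is the effect a security-aware prioritisation scheme is meant to produce; a plain weighted sum of value and effort would bury R4 at the bottom of the backlog.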


Doctoral degree. University of KwaZulu-Natal, Durban.