Towards Agile Cybersecurity Risk Management for Autonomous Software Engineering Teams

Salin, Hannes; Lundgren, Martin

doi:10.3390/jcp2020015

Cited by 7 publications

(6 citation statements)

References 49 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This indicates that, in order to pick up new security technology such as CLC, even in the first stages of innovation, the prerequisite is to hire people skilled in cryptography, or develop the competence in the organization. This underpins what previous studies have noted regarding the increasingly broad expertise required for decision makers of security controls [5][6][7]. Regardless, this would naturally lead to increased costs, not only in terms of competence development, but also in technology development; an investment which has shown to not always result in a more profitable product [12], thus potentially affecting the decision phase towards a rejection.…”

Section: Gap 2: Best Practicessupporting

confidence: 61%

“…These security controls can be "any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature which modify information security risk" ( [4], p. 2). Security controls are typically identified and selected as a result of a risk assessment, often requiring a broad set of skills and knowhow [5][6][7], as it aims to maximize resource allocation as well as benefit the security controls offered in assisting (rather than burdening) organizational operation and development [8]. However, adoption of new security controls often means changes to the organization's environment, which is not always perceived as useful, depending on the organization's change-readiness [9].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Gap Analysis of the Adoption Maturity of Certificateless Cryptography in Cooperative Intelligent Transportation Systems

Salin,

Lundgren

2023

JCP

Self Cite

View full text Add to dashboard Cite

Cooperative Intelligent Transport Systems (C-ITSs) are an important development for society. C-ITSs enhance road safety, improve traffic efficiency, and promote sustainable transportation through interconnected and intelligent communication between vehicles, infrastructure, and traffic-management systems. Many real-world implementations still consider traditional Public Key Infrastructures (PKI) as the underlying trust model and security control. However, there are challenges with the PKI-based security control from a scalability and revocation perspective. Lately, certificateless cryptography has gained research attention, also in conjunction with C-ITSs, making it a new type of security control to be considered. In this study, we use certificateless cryptography as a candidate to investigate factors affecting decisions (not) to adopt new types of security controls, and study its current gaps, key challenges and possible enablers which can influence the industry. We provide a qualitative study with industry specialists in C-ITSs, combined with a literature analysis of the current state of research in certificateless cryptographic in C-ITS. It was found that only 53% of the current certificateless cryptography literature for C-ITSs in 2022–2023 provide laboratory testing of the protocols, and 0% have testing in real-world settings. However, the trend of research output in the field has been increasing linearly since 2016 with more than eight times as many articles in 2022 compared to 2016. Based on our analysis, using a five-phased Innovation-Decision Model, we found that key reasons affecting adoption are: availability of proof-of-concepts, knowledge beyond current best practices, and a strong buy-in from both stakeholders and standardization bodies.

show abstract

Section: Gap 2: Best Practicessupporting

confidence: 61%

Section: Introductionmentioning

confidence: 99%

A Gap Analysis of the Adoption Maturity of Certificateless Cryptography in Cooperative Intelligent Transportation Systems

Salin,

Lundgren

2023

JCP

Self Cite

View full text Add to dashboard Cite

show abstract

“…Bug bounty programs not only complement existing security assessments performed by organizations but also allow for the discovery of hidden vulnerabilities, thereby contributing to improved software security ( [11]; [12]). Furthermore, they have been proposed as solutions for agile software development teams that lack the necessary baseline level of security skills and awareness, thereby offering an avenue for penetration testing and vulnerability identification [13].…”

Section: B Bug Bounty Programs (Bbps) and Vulnerabilities Relatedmentioning

confidence: 99%

Optimizing Bug Bounty Programs for Efficient Malware-Related Vulnerability Discovery

Yulianto,

Soewito,

Gaol

et al. 2024

IJACSA

View full text Add to dashboard Cite

Conventional security measures struggle to keep pace with the rapidly evolving threat of malware, which demands novel approaches for vulnerability discovery. Although Bug Bounty Programs (BBPs) are promising, they often underperform in attracting researchers, particularly in uncovering malware-related vulnerabilities. This study optimizes BBP structures to maximize engagement and target malware vulnerability discovery, ultimately strengthening cyber defense. Employing a mixed-methods approach, we compared public and private BBPs and analyzed the key factors influencing researcher participation and the types of vulnerabilities discovered. Our findings reveal a blueprint for effective malware-focused BBPs that enable targeted detection, faster patching, and broader software coverage. This empowers researchers and fosters collaboration within the cybersecurity community, significantly reducing the attack surface for malicious actors. However, challenges related to resource sustainability and legal complexity persist. By optimizing BBPs, we unlocked a powerful tool to fight cybercrime.

show abstract

“…This includes identifying privacy-related user stories, defining privacy requirements for each story, and allocating time in sprints to address these requirements. By incorporating privacy into user stories and sprint planning, Agile teams can ensure that privacy is a priority from the outset of a project (Block, 2023, Salin & Lundgren, 2022. Privacy regulations are constantly evolving, and Agile teams must continuously monitor and adapt to these changes.…”

Section: Framework For Integrating Ccpa and Gdpr Within Agile Frameworkmentioning

confidence: 99%

Agile privacy in practice: Integrating CCPA and GDPR within agile frameworks in the U.S. tech scene

Excel G Chukwurah

2024

Int. J. Sci. Res. Updates

View full text Add to dashboard Cite

Agile methodologies have revolutionized software development, enabling teams to deliver products more efficiently and responsively. However, integrating privacy regulations such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) within Agile frameworks presents unique challenges. This abstract explores the concept of Agile Privacy in Practice, specifically focusing on how U.S. tech companies can effectively integrate CCPA and GDPR requirements into their Agile development processes. The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are landmark privacy regulations that have reshaped the landscape of data protection. These regulations impose stringent requirements on the collection, processing, and storage of personal data, affecting how organizations manage data privacy and comply with legal obligations. In the fast-paced environment of the U.S. tech scene, where Agile methodologies are widely adopted, the challenge lies in reconciling the iterative and dynamic nature of Agile development with the rigid and compliance-driven nature of privacy regulations. To address this challenge, Agile Privacy in Practice proposes a framework that integrates CCPA and GDPR requirements into Agile development processes seamlessly. This framework emphasizes collaboration between cross-functional teams, including privacy experts, legal counsel, and developers, from the early stages of product development. By incorporating privacy considerations into user stories, sprint planning, and retrospectives, teams can identify and address privacy risks iteratively, ensuring that products comply with regulatory requirements. Furthermore, Agile Privacy in Practice advocates for continuous monitoring and adaptation to evolving privacy regulations. By establishing a feedback loop that captures lessons learned from each sprint, teams can refine their approach to privacy compliance and incorporate best practices into future iterations. This approach not only enhances compliance with CCPA and GDPR but also fosters a culture of privacy awareness and responsibility within organizations. In conclusion, Agile Privacy in Practice offers a pragmatic and adaptable framework for U.S. tech companies to navigate the complex landscape of privacy regulations while leveraging the benefits of Agile methodologies. By integrating privacy considerations into the Agile development lifecycle, organizations can mitigate privacy risks, enhance trust with customers, and drive innovation in the digital economy.

show abstract

Towards Agile Cybersecurity Risk Management for Autonomous Software Engineering Teams

Cited by 7 publications

References 49 publications

A Gap Analysis of the Adoption Maturity of Certificateless Cryptography in Cooperative Intelligent Transportation Systems

A Gap Analysis of the Adoption Maturity of Certificateless Cryptography in Cooperative Intelligent Transportation Systems

Optimizing Bug Bounty Programs for Efficient Malware-Related Vulnerability Discovery

Agile privacy in practice: Integrating CCPA and GDPR within agile frameworks in the U.S. tech scene

Contact Info

Product

Resources

About