Tampere University of Technology

TUTCRIS Research Portal

Case Study of Agile Security Engineering: Building Identity Management for a Government Agency

Research output: Contribution to journalArticleScientificpeer-review


Original languageEnglish
Article number3
Pages (from-to)43-57
Number of pages15
JournalInternational Journal of Secure Software Engineering
Issue number1
Publication statusPublished - Mar 2017
Publication typeA1 Journal article-refereed


Security concerns are increasingly guiding both the design and processes of software-intensive product development. In certain environments, the development of the product requires special security arrangements for development processes, product release, maintenance and hosting, and specific security-oriented processes and governance. Integrating the security engineering processes into agile development methods can have the effect of mitigating the agile methods’ intended benefits.

This article describes a case of a large ICT service provider building a secure identity management system for a sizable government agency. The project was a subject to strict security regulations due to the end product’s critical role. The project was a multi-team, multi-site, standard-regulated security engineering and development work executed following the Scrum framework. The study reports the difficulties in combining security engineering with agile development, provides propositions to enhance Scrum for security engineering activities. Also, an evaluation of the effects of the security work on project cost presented.

Publication forum classification

Field of science, Statistics Finland