Is risk management agile enough to secure software applications?

Industry in all sectors is experiencing a profound digital transformation that puts software at the core of their businesses [1]. In order to react to continuously changing user requirements and dynamic markets, companies need to build robust software factories that allow them to increase their agility in order to remain competitive. This increasingly rapid transformation poses significant challenges, as software factories need to continue guaranteeing high quality software, while dynamism and usual agile short-term planning increases the level and number of risks. In particular, agile methodologies have emerged to focus on quickly delivering quality Functional Requirements (FRs). However, Non-Functional Requirements (NFRs), such as those related to security, are usually not sufficiently identified, modeled, and linked and mechanisms to control risk related to NFRs are not clear. Continuous re-factoring of the application architecture and code makes it more difficult to implement effective mechanisms to continuously control risks in agile software development processes in large enterprises, using frameworks like SAFe [2]. For instance, in SAFe, work is planned and synchronized through Program Increments (PI) [3]. It is also in PI planning when product features are decomposed into user stories and risk analysis is done related to expected features and to these user stories. Because of this, nonfunctional requirements which are usually not represented through these user stories, tend to be unintentionally diminished in terms of importance [4] and commonly ignored during the risk analysis.

In general, several challenges need to be tackled to integrate risk analysis related to NFRs:

  • Self-managed teams do not have sufficient expertise on risk analysis.
  • Collective inter-team code ownership makes it difficult to control potential risks related to a particular component or subsystem.
  • Traditional risk analysis practices for software development do not easily translate to agile.
  • Analysis of risks should be continuous.
  • Tools to manage risk in agile do not foster collaboration.

Risk mitigation

These challenges require the scientific community to come up with new solutions. For example the lack of self managed teams with sufficient risk management capabilities can be countered by research into intelligent recommendation systems. Research into enabling continuous risk management can provide mechanisms and tools that resolve a challenge of implementing continuous analysis of risks.

In MUSA, we created the first collaborative tool for agile risk management. Based on a kanban, multiple stakeholders can collaborate remotely to manage risk together. Well-known risk management strategies, such as STRIDE, are embedded in this tool to enable continuous risk analysis. In this way, beyond the work done in each PI every 2-3 months, it is possible to continue working to enhance and control risk. The effect that this ultimately has in the system is a much more efficient overall control on NFRs. This significantly mitigates the risk of agile methodologies overlooking NFRs and, in particular, security aspects that, if ignored at early development stages, may result in unexpected investments of several millions of euros to secure multi-cloud applications.

Among the multiple applications a tool like this may have, in the MUSA context, we use it to feed a recommendation system. As the number of cloud services available in the market grows, choosing the right cloud service and the right cloud service provider according to the requirements of our application becomes a much more difficult task. The MUSA recommendation system is able to provide recommendations based on the capacity of available cloud service providers to provide solutions that effectively mitigate potential risks detected with our agile risk management tool.

It is clear that a balance has to be struck between managing risk during the development process and not overloading or slowing the momentum of an agile methodology. MUSA solutions brings a potential solution to tackle this challenge.

[1] McKendrick, J. (2015, April 30). Every Company Now A Technology Company: Latest Round Of Mergers And Acquisitions Con.rms It. Forbes. Retrieved from

[2] Scaled Agile Framework:

[3] Program Increments:

[4] Mark Merkow and Lakshmikanth Raghavan. 2011. An Ecosystem for Continuously Secure Application Software. RUGGED Software, CrossTalk March/April. (2011).

Author: Victor Muntes, CA Technologies Development Spain SAU

Share this post