{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,3]],"date-time":"2026-06-03T08:55:01Z","timestamp":1780476901061,"version":"3.54.1"},"publisher-location":"Cham","reference-count":26,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319916019","type":"print"},{"value":"9783319916026","type":"electronic"}],"license":[{"start":{"date-parts":[[2018,1,1]],"date-time":"2018-01-01T00:00:00Z","timestamp":1514764800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>It is claimed that integrating agile and security in practice is challenging. There is the notion that security is a heavy process, requires expertise, and consumes developers\u2019 time. These contrast with the agile vision. Regardless of these challenges, it is important for organizations to address security within their agile processes since critical assets must be protected against attacks. One way is to integrate tools that could help to identify security weaknesses during implementation and suggest methods to refactor them. We used quantitative and qualitative approaches to investigate the efficiency of the tools and what they mean to the actual users (i.e. developers) at Telenor Digital. Our findings, although not surprising, show that several barriers exist both in terms of tool\u2019s performance and developers\u2019 perceptions. We suggest practical ways for improvement.<\/jats:p>","DOI":"10.1007\/978-3-319-91602-6_6","type":"book-chapter","created":{"date-parts":[[2018,5,16]],"date-time":"2018-05-16T13:13:43Z","timestamp":1526476423000},"page":"86-103","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":34,"title":["Myths and Facts About Static Application Security Testing Tools: An Action Research at Telenor Digital"],"prefix":"10.1007","author":[{"given":"Tosin Daniel","family":"Oyetoyan","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Bisera","family":"Milosheska","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Mari","family":"Grini","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Daniela","family":"Soares Cruzes","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2018,5,17]]},"reference":[{"key":"6_CR1","unstructured":"Bugtraq mailing list. http:\/\/seclists.org\/bugtraq\/. Accessed 10 May 2017"},{"key":"6_CR2","unstructured":"Owasp. benchmark. https:\/\/www.owasp.org\/index.php\/Benchmark. Accessed 20 Oct 2016"},{"key":"6_CR3","doi-asserted-by":"crossref","unstructured":"Austin, A., Williams, L.: One technique is not enough: a comparison of vulnerability discovery techniques. In: 2011 International Symposium on Empirical Software Engineering and Measurement (ESEM), pp. 97\u2013106. IEEE (2011)","DOI":"10.1109\/ESEM.2011.18"},{"issue":"3","key":"6_CR4","doi-asserted-by":"publisher","first-page":"259","DOI":"10.1002\/spe.2109","volume":"43","author":"D Baca","year":"2013","unstructured":"Baca, D., Carlsson, B., Petersen, K., Lundberg, L.: Improving software security with static automated code analysis in an industry setting. Softw. Pract. Exp. 43(3), 259\u2013279 (2013)","journal-title":"Softw. Pract. Exp."},{"issue":"6","key":"6_CR5","doi-asserted-by":"publisher","first-page":"497","DOI":"10.1109\/TDSC.2014.2298011","volume":"11","author":"L ben Othmane","year":"2014","unstructured":"ben Othmane, L., Angin, P., Weffers, H., Bhargava, B.: Extending the agile development process to develop acceptably secure software. IEEE Trans. Dependable Secur. Comput. 11(6), 497\u2013509 (2014)","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"6_CR6","doi-asserted-by":"crossref","unstructured":"Beznosov, K., Kruchten, P.: Towards agile security assurance. In: Proceedings of the 2004 Workshop on New Security Paradigms, pp. 47\u201354. ACM (2004)","DOI":"10.1145\/1065907.1066034"},{"key":"6_CR7","unstructured":"Charest, N.R.T., Wu, Y.: Comparison of static analysis tools for Java using the Juliet test suite. In: 11th International Conference on Cyber Warfare and Security, pp. 431\u2013438 (2016)"},{"issue":"6","key":"6_CR8","doi-asserted-by":"publisher","first-page":"76","DOI":"10.1109\/MSP.2004.111","volume":"2","author":"B Chess","year":"2004","unstructured":"Chess, B., McGraw, G.: Static analysis for security. IEEE Secur. Privacy 2(6), 76\u201379 (2004)","journal-title":"IEEE Secur. Privacy"},{"key":"6_CR9","series-title":"Lecture Notes in Business Information Processing","doi-asserted-by":"publisher","first-page":"201","DOI":"10.1007\/978-3-319-57633-6_13","volume-title":"Agile Processes in Software Engineering and Extreme Programming","author":"D Soares Cruzes","year":"2017","unstructured":"Soares Cruzes, D., Felderer, M., Oyetoyan, T.D., Gander, M., Pekaric, I.: How is security testing done in agile teams? A cross-case analysis of four software teams. In: Baumeister, H., Lichter, H., Riebisch, M. (eds.) XP 2017. LNBIP, vol. 283, pp. 201\u2013216. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-57633-6_13"},{"issue":"8","key":"6_CR10","doi-asserted-by":"publisher","first-page":"1462","DOI":"10.1016\/j.infsof.2013.02.005","volume":"55","author":"G D\u00edaz","year":"2013","unstructured":"D\u00edaz, G., Bermejo, J.R.: Static analysis of source code security: assessment of tools against samate tests. Inf. Softw. Technol. 55(8), 1462\u20131476 (2013)","journal-title":"Inf. Softw. Technol."},{"key":"6_CR11","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1016\/j.entcs.2008.06.039","volume":"217","author":"P Emanuelsson","year":"2008","unstructured":"Emanuelsson, P., Nilsson, U.: A comparative study of industrial static analysis tools. Electron. Notes Theor. Comput. Sci. 217, 5\u201321 (2008)","journal-title":"Electron. Notes Theor. Comput. Sci."},{"key":"6_CR12","doi-asserted-by":"crossref","unstructured":"Fong, E., Okun, V.: Web application scanners: definitions and functions. In: 40th Annual Hawaii International Conference on System Sciences, 2007, HICSS 2007, pp. 280b\u2013280b. IEEE (2007)","DOI":"10.1109\/HICSS.2007.611"},{"key":"6_CR13","unstructured":"Center for Assured Software. CAS static analysis tool study - methodology. https:\/\/samate.nist.gov\/docs\/CAS%202012%20Static%20Analysis%20Tool%20Study%20Methodology.pdf. Accessed 20 Oct 2016"},{"key":"6_CR14","unstructured":"Center for Assured Software. Juliet test suite v1.2 for c\/c++ user guide. https:\/\/samate.nist.gov\/SRD\/resources\/Juliet_Test_Suite_v1.2_for_C_Cpp_-_User_Guide.pdf. Accessed 20 Oct 2016"},{"key":"6_CR15","doi-asserted-by":"publisher","first-page":"18","DOI":"10.1016\/j.infsof.2015.08.002","volume":"68","author":"K Goseva-Popstojanova","year":"2015","unstructured":"Goseva-Popstojanova, K., Perhinschi, A.: On the capability of static code analysis to detect security vulnerabilities. Inf. Softw. Technol. 68, 18\u201333 (2015)","journal-title":"Inf. Softw. Technol."},{"key":"6_CR16","volume-title":"Introduction to Action Research: Social Research for Social Change","author":"DJ Greenwood","year":"2006","unstructured":"Greenwood, D.J., Levin, M.: Introduction to Action Research: Social Research for Social Change. SAGE Publications, Thousand Oaks (2006)"},{"key":"6_CR17","unstructured":"Hofer, T.: Evaluating static source code analysis tools. Technical report (2010)"},{"key":"6_CR18","doi-asserted-by":"crossref","unstructured":"Johnson, B., Song, Y., Murphy-Hill, E., Bowdidge, R.: Why don\u2019t software developers use static analysis tools to find bugs? In: 2013 35th International Conference on Software Engineering (ICSE), pp. 672\u2013681. IEEE (2013)","DOI":"10.1109\/ICSE.2013.6606613"},{"key":"6_CR19","doi-asserted-by":"crossref","unstructured":"Okun, V., Delaitre, A., Black, P.E.: NIST SAMATE: static analysis tool exposition (sate) iv, March 2012. https:\/\/samate.nist.gov\/SATE.html","DOI":"10.6028\/NIST.SP.500-297"},{"key":"6_CR20","doi-asserted-by":"crossref","unstructured":"Oyetoyan, T.D., Soares Cruzes, D., Jaatun, M.G.: An empirical study on the relationship between software security skills, usage and training needs in agile settings. In: 2016 11th International Conference on Availability, Reliability and Security (ARES), pp. 548\u2013555. IEEE (2016)","DOI":"10.1109\/ARES.2016.103"},{"key":"6_CR21","volume-title":"The IT Managers Guide to Continuous Delivery: Delivering Software in Days","author":"A Phillips","year":"2014","unstructured":"Phillips, A., Sens, M., de Jonge, A., van Holsteijn, M.: The IT Managers Guide to Continuous Delivery: Delivering Software in Days. BookBaby, Pennsauken (2014)"},{"key":"6_CR22","doi-asserted-by":"crossref","unstructured":"Rindell, K., Hyrynsalmi, S., Lepp\u00e4nen, V.: Case study of security development in an agile environment: building identity management for a government agency. In: 2016 11th International Conference on Availability, Reliability and Security (ARES), pp. 556\u2013563. IEEE (2016)","DOI":"10.1109\/ARES.2016.45"},{"key":"6_CR23","doi-asserted-by":"crossref","unstructured":"Smith, J., Johnson, B., Murphy-Hill, E., Chu, B., Lipford, H.R.: Questions developers ask while diagnosing potential security vulnerabilities with static analysis. In: Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, pp. 248\u2013259. ACM (2015)","DOI":"10.1145\/2786805.2786812"},{"key":"6_CR24","doi-asserted-by":"crossref","unstructured":"Wagner, A., Sametinger, J.: Using the Juliet test suite to compare static security scanners. In: 2014 11th International Conference on Security and Cryptography (SECRYPT), pp. 1\u20139. IEEE (2014)","DOI":"10.5220\/0005032902440252"},{"key":"6_CR25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"117","DOI":"10.1007\/978-3-540-27777-4_12","volume-title":"Extreme Programming and Agile Methods - XP\/Agile Universe 2004","author":"J W\u00e4yrynen","year":"2004","unstructured":"W\u00e4yrynen, J., Bod\u00e9n, M., Bostr\u00f6m, G.: Security engineering and extreme programming: an impossible marriage? In: Zannier, C., Erdogmus, H., Lindstrom, L. (eds.) XP\/Agile Universe 2004. LNCS, vol. 3134, pp. 117\u2013128. Springer, Heidelberg (2004). https:\/\/doi.org\/10.1007\/978-3-540-27777-4_12"},{"issue":"4","key":"6_CR26","doi-asserted-by":"publisher","first-page":"240","DOI":"10.1109\/TSE.2006.38","volume":"32","author":"J Zheng","year":"2006","unstructured":"Zheng, J., Williams, L., Nagappan, N., Snipes, W., Hudepohl, J.P., Vouk, M.A.: On the value of static analysis for fault detection in software. IEEE Trans. Softw. Eng. 32(4), 240\u2013253 (2006)","journal-title":"IEEE Trans. Softw. Eng."}],"container-title":["Lecture Notes in Business Information Processing","Agile Processes in Software Engineering and Extreme Programming"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-91602-6_6","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,3,13]],"date-time":"2024-03-13T18:46:24Z","timestamp":1710355584000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-319-91602-6_6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018]]},"ISBN":["9783319916019","9783319916026"],"references-count":26,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-91602-6_6","relation":{},"ISSN":["1865-1348","1865-1356"],"issn-type":[{"value":"1865-1348","type":"print"},{"value":"1865-1356","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018]]},"assertion":[{"value":"17 May 2018","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"XP","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Agile Software Development","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Porto","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Portugal","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2018","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"21 May 2018","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"25 May 2018","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"19","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"xpu2018","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.agilealliance.org\/xp2018\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}