Solving Security and Privacy Threats in Agile Software Development

Secure software development represents a fundamental part of ‘security by design’ which in turn is a prerequisite for ‘privacy by design’ in the terminology of GDPR (General Data Protection Regulation). To follow and adhere to the principles of privacy by design and security by design during software development is a legal requirement throughout Europe with the introduction of GDPR in 2018. Secure software development is typically based on specific methods that software-design teams apply to discover and solve security threats and thereby to improve the security of systems in general. This paper describes Threat Poker as a team-based method to be exercised during agile software development for assessing both security risk and privacy risk, and for evaluating the effort needed to remove corresponding vulnerabilities in the developed software.