The Current State of Security Governance and Compliance in Large-Scale Agile Development - A Systematic Literature Review and Interview Study

Agile methodologies have gained popularity in software and information systems engineering due to their ability to enable rapid adaption to changing requirements and ensure business value creation in fast-paced environments. However, scaling agile to multiple teams presents challenges related to security governance and compliance. Traditional security activities struggle to keep pace with iterative agile methods. The tension between security and agility intensifies in scaled environments as governance and compliance procedures conflict with the desired autonomy of agile teams. With the increase in the number and complexity of security risks, it is imperative to better understand the current challenges and solution approaches for security governance in large-scale agile development (LSAD). To this end, we conducted a systematic literature review and an interview study involving nine industry experts. We identified 15 relevant challenges and analyzed existing LSAD frameworks concerning their solution approaches for achieving security governance and compliance. In addition, we contribute an overview of alternative solution approaches and propose five factors to balance control and autonomy to mitigate security challenges in LSAD. Our findings provide a foundation for developing well-grounded solution artifacts that address the identified challenges.