Context: Software security engineering provides the means to define, implement and verify security in software products. Software security engineering is performed by following a software security development life cycle model or a security capability maturity model. However, agile software development methods and processes, dominant in the software industry, are viewed to be in conflict with these security practices and the security requirements.

Objective: Empirically verify the use and impact of software security engineering activities in the context of agile software development, as practiced by software developer professionals.

Method: A survey ($N=61$) was performed among software practitioners in Finland regarding their use of 40 common security engineering practices and their perceived security impact, in conjunction with the use of 16 agile software development items and activities.

Results: The use of agile items and activities had a measurable effect on the selection of security engineering practices. Perceived impact of the security practices was lower than the rate of use would imply: This was taken to indicate a selection bias, caused by e.g. developers’ awareness of only certain security engineering practices, or by difficulties in applying the security engineering practices into an iterative software development workflow. Security practices deemed to have most impact were proactive and took place in the early phases of software development.

Conclusion: Systematic use of agile practices conformed, and was observed to take place in conjunction with the use of security practices. Security activities were most common in the requirement and implementation phases. In general, the activities taking place early in the life cycle were also considered most impactful. A discrepancy between the level of use and the perceived security impact of many security activities was observed. This prompts research and methodological development for better integration of security engineering activities into software development processes, methods, and tools.

背景信息：软件安全工程提供了定义，实施和验证软件产品中安全性的方法。通过遵循软件安全开发生命周期模型或安全能力成熟度模型来执行软件安全工程。但是，在软件行业中占主导地位的敏捷软件开发方法和过程被视为与这些安全实践和安全要求相冲突。

目标：按照软件开发人员的专业经验，在敏捷软件开发的背景下，通过经验验证软件安全工程活动的使用和影响。

方法：调查（$ñ=61$）是在芬兰的软件从业人员中进行的，涉及他们对40种常见安全工程实践的使用及其对安全性的感知以及16种敏捷软件开发项目和活动的使用。

结果：敏捷项目和活动的使用对安全工程实践的选择产生了可观的影响。安全实践的感知影响低于使用率所暗示的：这是为了表明选择偏见，例如，由于开发人员仅对某些安全工程实践的了解，或由于难以将安全工程实践应用于迭代而导致软件开发工作流程。被认为影响最大的安全措施是积极主动的，并发生在软件开发的早期阶段。

结论：敏捷实践的系统使用是一致的，并且被观察为与安全实践的结合一起发生。安全活动在需求和实施阶段最为常见。通常，生命周期早期发生的活动也被认为是最有影响力的。观察到使用水平与许多安全活动的感知安全影响之间存在差异。这促进了研究和方法论的发展，以便将安全工程活动更好地集成到软件开发过程，方法和工具中。