Security is one of the biggest concerns and challenges that IoT poses for IT professionals. The data that devices store and share can be private, so it should be secured against theft and tampering and protected during transfers. According to Assiri (2018), there are three primary layers in an IoT architecture.

The perception or sensor layer translates the physical world into digital form: it collects data and transfers it to the network. This layer is exposed to physical attacks like replay or MITM (man-in-the-middle) attacks.

The network layer is where all data transfers to other connected devices happen. It is at risk of common network attacks such as DoS.

The application layer is the software that manages the data coming from the devices and performs operations.

It is fundamental to address these security risks in every layer during the development of the solution.

Another challenge for IoT is the lack of common standards: there is no unified standard, nor one with industry-wide acceptance. Moreover, the increasing number of connected devices sharing a considerable amount of data can cause performance and scalability issues that impact service availability.

From an agile development perspective, non-functional requirements (NFRs) such as security, performance, and scalability tend to be set aside, because the main focus is to incrementally deliver the functionality that provides the most business value to the stakeholders. According to the Scaled Agile Framework (SAFe), the solution is to add NFRs to the backlog; defining and implementing them is essential to ensure the usability of the system. NFRs are considered constraints on development, and architects are responsible for establishing them.

Figure 1. NFRs as a constraint on the different backlog items (SAFe, 2018).

Furthermore, the different NFRs are included as part of the definition of done (DoD) of the user stories and features.

One great example, taken from the case study by Sachdeva and Chung (2017), is a project to develop VoIP phone devices. After six months of development the team delivered the minimum viable product, but before the launch, the security team doing compliance testing found significant issues, resulting in rework that cost millions of dollars and many months. To overcome these security issues, the team decided to add security as a feature so it could be prioritized in the backlog, and to perform security compliance testing at the end of each sprint.


Lee, I. and Lee, K., 2015. The Internet of Things (IoT): Applications, investments, and challenges for enterprises. Business Horizons, 58(4), pp.431-440.

Singh, S. and Singh, N., 2015, October. Internet of Things (IoT): Security challenges, business opportunities & reference architecture for E-commerce. In 2015 International Conference on Green Computing and Internet of Things (ICGCIoT) (pp. 1577-1581). IEEE.

Assiri, A. and Almagwashi H. (2018) ‘IoT Security and Privacy Issues’, 2018 1st International Conference on Computer Applications & Information Security (ICCAIS), Riyadh, Saudi Arabia, 4-6 April 2018. Available at:

Scaled Agile Framework (2018) Nonfunctional requirements. Available at: (Last Accessed: March 2019)

Sachdeva, V. and Chung, L., 2017, January. Handling non-functional requirements for big data and IOT projects in scrum. In 2017 7th International Conference on Cloud Computing, Data Science & Engineering-Confluence (pp. 216-221). IEEE.
