Towards Effective Security Assurance for Incremental Software Development the Case of Zen Cart Application

Incremental software development methods, such as Scrum embrace code changes to meet changing customer requirements. However, changing the code of a given software invalidates the security assurance of the software. Thus, each new version of a given software requires a new full security assessment. This paper investigates the impact of incremental development of software on their security assurances using the e-commerce software Zen Cart as a case study. It also describes a prototype we are developing to design security assurance cases and trace the impact of code changes on the security assurance of the given software. A security assurance case shows how a claim, such as "The system is acceptably secure" is supported by objective evidence.

[1]  Robert S. Arnold,et al.  Software Change Impact Analysis , 1996 .

[2]  Imran Ghani,et al.  Evaluation of the Challenges of Developing Secure Software Using the Agile Approach , 2016, Int. J. Secur. Softw. Eng..

[3]  Frank Budinsky,et al.  Eclipse modeling framework : a developer's guide , 2004 .

[4]  Bharat K. Bhargava,et al.  Using Assurance Cases to Develop Iteratively Security Features Using Scrum , 2014, 2014 Ninth International Conference on Availability, Reliability and Security.

[5]  Shawn A. Bohner,et al.  Extending software change impact analysis into COTS components , 2002, 27th Annual NASA Goddard/IEEE Software Engineering Workshop, 2002. Proceedings..

[6]  Jeannette M. Wing,et al.  An Attack Surface Metric , 2011, IEEE Transactions on Software Engineering.

[7]  Jan Jürjens,et al.  Incremental Security Verification for Evolving UMLsec models , 2011, ECMFA.

[8]  Javier López,et al.  A methodology for security assurance-driven system development , 2011, Requirements Engineering.

[9]  John Goodenough,et al.  Arguing Security – Creating Security Assurance Cases , 2014 .

[10]  Frank Tip,et al.  Chianti: a tool for change impact analysis of java programs , 2004, OOPSLA.

[11]  Steffen Lehnert,et al.  A taxonomy for software change impact analysis , 2011, IWPSE-EVOL '11.

[12]  Christian Steger,et al.  Supporting evolving security models for an agile security evaluation , 2014, 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE).

[13]  Bharat K. Bhargava,et al.  Extending the Agile Development Process to Develop Acceptably Secure Software , 2014, IEEE Transactions on Dependable and Secure Computing.

[14]  Charles B. Weinstock,et al.  Evidence of Assurance: Laying the Foundation for a Credible Security Case , 2014 .

[15]  Tim Kelly,et al.  The Goal Structuring Notation – A Safety Argument Notation , 2004 .