A process for mastering security evolution in the development lifecycle

Continuous system evolution makes it challenging to keep software systems permanently secure, as changes in either the system itself or its environment may cause new threats and vulnerabilities. Therefore, suitable activities aligned with the software development process are required to master security evolution. This introduction to the special section on eternal security evolution presents a process for handling security evolution throughout the software development lifecycle and uses this process to position the individual contributions. We first present the underlying security development process, comprising the phases of initialization, security analysis, security design, security implementation, security testing, and security deployment. On this basis, we define the security evolution process, comprising the activities of security requirements review, adaptation of design models, code fixing and patch development, regression testing, as well as re-deployment. Finally, the defined security evolution activities are discussed in the context of the four articles on eternal security evolution presented in this special section of the International Journal on Software Tools for Technology Transfer.
