Software security engineering in extreme programming methodology: a systematic literature review

Agile methodologies such as Extreme Programming (XP) have gained recognition as efficient development processes because they deliver software quickly even under time constraints. However, like other agile methods including Scrum, Feature Driven Development (FDD) and DSDM, XP has been criticized for the absence of a security element in its twelve practices. To look more deeply into the matter and establish the actual state of affairs, we conducted a systematic literature review (SLR) of the literature and software solutions published between 2000 and 2012. Our findings highlight that, in its current form, the XP model only partially supports integrating software security with its twelve practices. Although there is some research on this topic, detailed information about its usage and outcomes has not yet been published. We therefore conclude that the existing twelve practices of XP are not enough and that security-based practices for XP need to be proposed.
