Security-Focused Prototyping: A Natural Precursor to Secure Development

Secure development is a proactive approach to cyber security. Rather than building a 1 technological solution and then securing it in retrospect, secure development strives to embed good 2 security practices throughout the development process and thereby reduces risk. Unfortunately, 3 evidence suggests secure development is complex, costly, and limited in practice. This article therefore 4 introduces security-focused prototyping as a natural precursor to secure development that embeds 5 security at the beginning of the development process, can be used to discover domain specific security 6 requirements, and can help organisations navigate the complexity of secure development such that 7 the resources and commitment it requires are better understood. Two case studies–one considering 8 the creation of a bespoke web platform and the other considering the application layer of an Internet 9 of Things system–verify the potential of the approach and its ability to discover domain specific 10 security requirements in particular. Future work could build on this work by conducting case studies 11 to further verify the potential of security-focused prototyping and even investigate its capacity to be 12 used as a tool capable of reducing a broader, socio-technical, kind of risk. 13

[1]  Martin Gilje Jaatun,et al.  Security Requirements for the Rest of Us: A Survey , 2008, IEEE Software.

[2]  Wan Haslina Hassan,et al.  Current research on Internet of Things (IoT) security: A survey , 2019, Comput. Networks.

[3]  Ja'far Alqatawna,et al.  Secure software engineering: Evaluation of emerging trends , 2017, 2017 8th International Conference on Information Technology (ICIT).

[4]  Agile Manifesto,et al.  Manifesto for Agile Software Development , 2001 .

[5]  Barry W. Boehm,et al.  A spiral model of software development and enhancement , 1986, Computer.

[6]  Sonia Chiasson,et al.  'Think secure from the beginning': A Survey with Software Developers , 2019, CHI.

[7]  Sonia Chiasson,et al.  Security in the Software Development Lifecycle , 2018, SOUPS @ USENIX Security Symposium.

[8]  Heinz Züllighoven,et al.  What is prototyping , 1990 .

[9]  Wouter Joosen,et al.  On the secure software development process: CLASP, SDL and Touchpoints compared , 2009, Inf. Softw. Technol..

[10]  David Bishop,et al.  AGILE AND SECURE SOFTWARE DEVELOPMENT: AN UNFINISHED STORY , 2019, Issues In Information Systems.

[11]  Gail-Joon Ahn,et al.  Security and Privacy Challenges in Cloud Computing Environments , 2010, IEEE Security & Privacy.

[12]  Juan Antonio Sicilia Montalvo,et al.  The Application of a New Secure Software Development Life Cycle (S-SDLC) with Agile Methodologies , 2019, Electronics.

[13]  Imran Ghani,et al.  Security backlog in Scrum security practices , 2011, 2011 Malaysian Conference in Software Engineering.

[14]  Hela Oueslati,et al.  Literature Review of the Challenges of Developing Secure Software Using the Agile Approach , 2015, 2015 10th International Conference on Availability, Reliability and Security.

[15]  David Geer,et al.  Are Companies Actually Using Secure Development Life Cycles? , 2010, Computer.

[16]  Emma Osborn,et al.  Business versus Technology: Sources of the Perceived Lack of Cyber Security in SMEs , 2015 .

[17]  Sophie Peillon,et al.  Barriers to digital servitization in French manufacturing SMEs , 2019, Procedia CIRP.

[18]  Hans-Joachim Hof,et al.  Secure Scrum: Development of Secure Software with Scrum , 2015, ArXiv.

[19]  Laurie A. Williams,et al.  Engineering Security Vulnerability Prevention, Detection, and Response , 2018, IEEE Software.

[20]  John C. Grundy,et al.  The Rise and Evolution of Agile Software Development , 2018, IEEE Software.

[21]  Roy T. Fielding,et al.  Principled design of the modern Web architecture , 2000, Proceedings of the 2000 International Conference on Software Engineering. ICSE 2000 the New Millennium.

[22]  Martin Gilje Jaatun,et al.  An Empirical Study on the Relationship between Software Security Skills, Usage and Training Needs in Agile Settings , 2016, 2016 11th International Conference on Availability, Reliability and Security (ARES).

[23]  Laurie A. Williams,et al.  Surveying Security Practice Adherence in Software Development , 2017, HotSoS.

[24]  Peng Liu,et al.  The Effect of IoT New Features on Security and Privacy: New Threats, Existing Solutions, and Challenges Yet to Be Solved , 2018, IEEE Internet of Things Journal.

[25]  Barry Boehm,et al.  Spiral Development: Experience, Principles, and Refinements , 2000 .

[26]  Salah Kabanda,et al.  Exploring SME cybersecurity practices in developing countries , 2018, J. Organ. Comput. Electron. Commer..

[27]  Johannes Sametinger,et al.  Software Security , 2013, 2013 20th IEEE International Conference and Workshops on Engineering of Computer Based Systems (ECBS).