Agile Software Development: The Straight and Narrow Path to Secure Software?

In this article, the authors contrast the results of a series of interviews with agile software development organizations with a case study of a distributed agile development effort, focusing on how information security is taken care of in an agile context. The interviews indicate that small and medium-sized agile software development organizations do not use any particular methodology to achieve security goals, even when their software is web-facing and a potential target of attack. The case study confirms that even in cases where security is an articulated requirement, and where security design is fed as input to the implementation team, there is no guarantee that the end result meets the security objectives. The authors contend that security must be built as an intrinsic software property and emphasize the need for security awareness throughout the whole software development lifecycle. This paper suggests two extensions to agile methodologies that may contribute to ensuring focus on security during the complete lifecycle.
