FISA-XP: an agile-based integration of security activities with extreme programming

The steep rise in security threats has forced organizations to adopt sound security practices right from the development stage of any software project. With the rising popularity of lightweight, agile methodologies, this becomes more complicated. This paper proposes a framework, FISA-XP, which can be adopted for the development of a secure software system. The proposed framework integrates security activities with the core activities of Extreme Programming based on their degree of agility. In order to calculate the agility degree, some agility features are selected using a threshold value. The compatibility of the agile activities with security activities is subsequently assessed by introducing an integration matrix that describes whether integration of an agile activity with each security activity is possible or not. This framework assists in integrating security activities with agile activities while keeping the combined agility degree within acceptable limits. To this end, our approach introduces an Acceptable Agility Reduction Factor, which gives a threshold value for an acceptable reduction in agility degree. If the reduction in combined agility degree is below the threshold value, then that security activity is not accepted for integration. TISA-XP, an automated tool, has been designed to enable developers to use FISA-XP practically. This tool has been used by a software development company on an experimental basis, and the feedback reflects its practical feasibility.
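The abstract describes a two-gate decision: an integration matrix says whether an XP activity and a security activity can be combined at all, and the Acceptable Agility Reduction Factor (AARF) bounds how much agility the combination may cost. The following Python model, added here as an illustration and not code from the paper or its TISA-XP tool, walks through that decision end to end. Every number and name in it is an assumption: the agility feature weights and the feature-selection threshold, the per-feature scores of the sample XP and security activities, the integration matrix entries, and the formula for the combined agility degree (taken here as the plain mean of the two degrees, since the abstract does not state it). The example also reads the AARF as an upper bound on the tolerated reduction, so a candidate is rejected when its reduction exceeds the AARF; that reading is an assumption as well.

```python
"""Illustrative model of the FISA-XP acceptance rule sketched in the abstract.

Everything numeric here (feature weights, activity scores, the averaging formula
for the combined agility degree) and every activity name is an assumption made
for this example; none of it is taken from the paper or its TISA-XP tool.
"""

# Assumed importance weight of each agility feature. A feature is selected for
# the agility-degree calculation only if its weight reaches FEATURE_THRESHOLD.
FEATURE_WEIGHTS = {
    "flexibility": 0.8,
    "speed": 0.6,
    "responsiveness": 0.6,
    "leanness": 0.4,
    "learning": 0.2,
}
FEATURE_THRESHOLD = 0.5

# Assumed per-feature scores (0.0 to 1.0) for two XP activities and two
# security activities; constructed sample data, not measurements.
XP_ACTIVITIES = {
    "pair_programming": {"flexibility": 0.9, "speed": 0.8, "responsiveness": 0.9,
                         "leanness": 0.7, "learning": 0.8},
    "planning_game": {"flexibility": 0.8, "speed": 0.7, "responsiveness": 0.9,
                      "leanness": 0.6, "learning": 0.5},
}
SECURITY_ACTIVITIES = {
    "threat_modeling": {"flexibility": 0.6, "speed": 0.5, "responsiveness": 0.5,
                        "leanness": 0.5, "learning": 0.7},
    "formal_security_review": {"flexibility": 0.3, "speed": 0.2, "responsiveness": 0.2,
                               "leanness": 0.3, "learning": 0.6},
}

# Assumed integration matrix: True where the compatibility check says the
# pair can be integrated at all.
INTEGRATION_MATRIX = {
    ("pair_programming", "threat_modeling"): True,
    ("pair_programming", "formal_security_review"): True,
    ("planning_game", "threat_modeling"): False,
    ("planning_game", "formal_security_review"): True,
}


def selected_features(weights=FEATURE_WEIGHTS, threshold=FEATURE_THRESHOLD):
    """Keep only the agility features whose importance weight meets the threshold."""
    return {name: w for name, w in weights.items() if w >= threshold}


def agility_degree(scores, features=None):
    """Weighted mean of an activity's scores over the selected features."""
    features = selected_features() if features is None else features
    total_weight = sum(features.values())
    return sum(features[f] * scores[f] for f in features) / total_weight


def combined_agility_degree(xp_scores, sec_scores):
    """Agility degree after integration, assumed here to be the plain mean of
    the two activities' degrees (the abstract does not give the formula)."""
    return (agility_degree(xp_scores) + agility_degree(sec_scores)) / 2


def agility_reduction(xp_scores, sec_scores):
    """Relative drop in agility degree caused by integrating the security activity."""
    before = agility_degree(xp_scores)
    after = combined_agility_degree(xp_scores, sec_scores)
    return (before - after) / before


def accept_integration(xp_name, sec_name, aarf):
    """Apply the two gates from the abstract: the integration matrix first, then
    the Acceptable Agility Reduction Factor (AARF) as the tolerated reduction.
    Returns (accepted, reason)."""
    if not INTEGRATION_MATRIX.get((xp_name, sec_name), False):
        return False, "integration matrix marks the pair as not integrable"
    reduction = agility_reduction(XP_ACTIVITIES[xp_name], SECURITY_ACTIVITIES[sec_name])
    if reduction > aarf:
        return False, f"agility reduction {reduction:.2f} exceeds AARF {aarf:.2f}"
    return True, f"agility reduction {reduction:.2f} within AARF {aarf:.2f}"


def accepted_security_activities(xp_name, aarf):
    """Names of the security activities that pass both gates for one XP activity."""
    return [sec for sec in SECURITY_ACTIVITIES
            if accept_integration(xp_name, sec, aarf)[0]]


if __name__ == "__main__":
    for xp in XP_ACTIVITIES:
        for sec in SECURITY_ACTIVITIES:
            accepted, reason = accept_integration(xp, sec, aarf=0.25)
            print(f"{xp:16} + {sec:22}: {'accept' if accepted else 'reject'} ({reason})")
```

With these assumed scores, pair programming has an agility degree of 0.87 and threat modeling 0.54, so combining them costs about 19% of the agility degree and passes an AARF of 0.25, while the formal security review (degree 0.24) costs about 36% and is rejected; the planning game rejects threat modeling at the matrix gate before any agility arithmetic runs. Lowering the AARF to 0.10 rejects threat modeling too, which is the lever the abstract describes for keeping the combined agility degree within acceptable limits.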
