Towards agile security assurance

Agile development methodologies are gaining acceptance in the software industry. If they are to be used for constructing security-critical solutions, what do we do about assurance? This paper examines how conventional security assurance suits agile methodologies for developing software-intensive systems. It classifies security assurance methods and techniques with regards to their clash with agile development. Suggestions are made for alleviating mismatches between these two methods.

[1]  Laurie A. Williams,et al.  Strengthening the Case for Pair Programming , 2000, IEEE Softw..

[2]  Peter Amey,et al.  Static verification and extreme programming , 2004 .

[3]  James A. Highsmith,et al.  Adaptive Software Development: A Collaborative Approach to Managing Complex Systems , 1999 .

[4]  Alistair Cockburn,et al.  Agile Software Development , 2001 .

[5]  Marshall D. Abrams Security engineering in an evolutionary acquisition environment , 1998, NSPW '98.

[6]  Konstantin Beznosov,et al.  Extreme Security Engineering: On Employing XP Practices to Achieve , 2003 .

[7]  Christian Jahl The information technology security evaluation criteria , 1991, [1991 Proceedings] 13th International Conference on Software Engineering.

[8]  E. Spafford Testimony before the House Armed Services Committee Subcommittee on Terrorism , Unconventional Threats and Capabilities " Cyber Terrorism : The New Asymmetric Threat " 24 July 2003 Statement of , 2006 .

[9]  Ken Frazer,et al.  Building secure software: how to avoid security problems the right way , 2002, SOEN.

[10]  Gustav Boström,et al.  Security Engineering and eXtreme Programming: An Impossible Marriage? , 2004, XP/Agile Universe.

[11]  Gary McGraw,et al.  Software fault injection: inoculating programs against errors , 1997 .

[12]  Jan Jürjens,et al.  Specification-Based Test Generation for Security-Critical Systems Using Mutations , 2002, ICFEM.

[13]  Gary McGraw,et al.  Exploiting Software: How to Break Code , 2004 .

[14]  Agile Manifesto,et al.  Manifesto for Agile Software Development , 2001 .

[15]  David Evans,et al.  Improving Security Using Extensible Lightweight Static Analysis , 2002, IEEE Softw..

[16]  Gary McGraw,et al.  Securing Java: getting down to business with mobile code , 1999 .

[17]  Ronald Jensen A pair programming experience , 2003 .

[18]  James P Anderson,et al.  Computer Security Technology Planning Study , 1972 .

[19]  Matt Bishop,et al.  Computer Security: Art and Science , 2002 .

[20]  Gary McGraw,et al.  Statically Scanning Java Code: Finding Security Vulnerabilities , 2000, IEEE Software.

[21]  Gary McGraw,et al.  Java security: hostile applets, holes&antidotes , 1997 .

[22]  Gary McGraw,et al.  ITS4: a static vulnerability scanner for C and C++ code , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[23]  Ruth Breu,et al.  Key Issues of a Formally Based Process Model for Security Engineer-ing , 2003 .

[24]  Lawrence Robinson,et al.  Software development and proofs of multi-level security , 1976, ICSE '76.

[25]  B Boehm A spiral model of software development and enhancement , 1986, SOEN.

[26]  Matt Bishop,et al.  Property-based testing: a new approach to testing for assurance , 1997, SOEN.

[27]  Joshua Kerievsky,et al.  Refactoring to Patterns , 2004, XP/Agile Universe.

[28]  Kent L. Beck,et al.  Embracing Change with Extreme Programming , 1999, Computer.