A Systematic Literature Review on Secure Software Development using Feature Driven Development (FDD) Agile Model

Agile methodologies are known as a way to deliver a product quickly under time constraints through an efficient development process. However, like other Agile methods such as Scrum, XP and DSDM, the Feature Driven Development (FDD) Agile method has been criticised for the absence of security elements. To examine this issue in more detail, this study conducted a systematic literature review of studies published between 2001 and 2012. The results show that the current FDD method only partially supports secure software development. Moreover, detailed information on how secure software is developed under FDD is almost entirely absent from the literature, which indicates that research effort in this area is close to non-existent. The current five-process FDD method (develop an overall model, build a features list, plan by feature, design by feature, build by feature) is therefore not sufficient for secure software development, and this study concludes that new security-based processes and practices need to be proposed for FDD.
