Fitting Security into Agile Software Development

Success of the software development process depends on its ability to transform its objectives into requirements, and implementing these into features and functionality. Security objectives in software development are increasingly converging with the business objectives, as requirements for privacy and the cost of security incidents call for more dependable software products. Development of secure software is accomplished by augmenting the software development process with specific security engineering activities. Security engineering, in contrast to the iterative and incremental software development processes, is characterized by sequential life cycle models: the security objectives are thus to be achieved by an approach in apparent conflict with the unaugmented software development processes. In this study, to identify the incompatibilities between the approaches, the security engineering activities from Microsoft SDL, the ISO Common Criteria and OWASP SAMM security engineering models are mapped into common agile software development processes, practices and artifacts. The mapping is done primarily from the point of view of achieving the security objectives set for the software engineering process: setting security requirements for design, the implementation of the security architecture and design, and the required security verification before releasing secure software through efficient software security development process towards secure software maintenance.

[1]  Steve Lipner,et al.  Security development lifecycle , 2010, Datenschutz und Datensicherheit - DuD.

[2]  Robert L. Nord,et al.  How to Agilely Architect an Agile Architecture , 2014 .

[3]  Martin Gilje Jaatun,et al.  An Empirical Study on the Relationship between Software Security Skills, Usage and Training Needs in Agile Settings , 2016, 2016 11th International Conference on Availability, Reliability and Security (ARES).

[4]  Barry W. Boehm,et al.  Management challenges to implementing agile processes in traditional development organizations , 2005, IEEE Software.

[5]  Barry W. Boehm,et al.  Using Risk to Balance Agile and Plan-Driven Methods , 2003, Computer.

[6]  Martin Gilje Jaatun,et al.  Security Requirements for the Rest of Us: A Survey , 2008, IEEE Software.

[7]  Gary McGraw,et al.  The Building Security in Maturity Model ({BSIMM}) , 2009 .

[8]  Kent L. Beck,et al.  Extreme programming explained - embrace change , 1990 .

[9]  Ville Leppänen,et al.  Busting a Myth: Review of Agile Security Engineering Methods , 2017, ARES.

[10]  V. Kavitha,et al.  A survey on security issues in service delivery models of cloud computing , 2011, J. Netw. Comput. Appl..

[11]  Ville Leppänen,et al.  Adoption and Suitability of Software Development Methods and Practices , 2021, 2016 23rd Asia-Pacific Software Engineering Conference (APSEC).

[12]  Mark C. Paulk,et al.  Extreme Programming from a CMM Perspective , 2001, IEEE Softw..

[13]  Pertti Järvinen,et al.  Research Questions Guiding Selection of an Appropriate Research Method , 2000, ECIS.

[14]  Jouni Markkula,et al.  Survey on agile and lean usage in finnish software industry , 2012, Proceedings of the 2012 ACM-IEEE International Symposium on Empirical Software Engineering and Measurement.

[15]  Robert L. Glass,et al.  Loyal Opposition - Frequently Forgotten Fundamental Facts about Software Engineering , 2001, IEEE Softw..

[16]  Ville Leppänen,et al.  Technical debt and agile software development practices and processes: An industry practitioner survey , 2017, Inf. Softw. Technol..

[17]  Reijo Savola,et al.  Risk-Driven Security Metrics in Agile Software Development - An Industrial Pilot Study , 2012, J. Univers. Comput. Sci..

[18]  Richard Baskerville,et al.  Agile requirements engineering practices and challenges: an empirical study , 2007, Inf. Syst. J..

[19]  Laurie Williams,et al.  The costs and benefits of pair programming , 2001 .

[20]  Ken Frazer,et al.  Building secure software: how to avoid security problems the right way , 2002, SOEN.

[21]  Pekka Abrahamsson,et al.  Agile Software Development Methods: Review and Analysis , 2017, ArXiv.

[22]  Philippe Kruchten,et al.  Towards agile security assurance , 2004, NSPW '04.

[23]  Scott W. Ambler,et al.  Disciplined Agile Delivery: A Practitioner's Guide to Agile Software Delivery in the Enterprise , 2012 .

[24]  Jan Pries-Heje,et al.  Agility in Fours: IT Diffusion, IT Infrastructures, IT Development, and Business , 2005, Business Agility and Information Technology Diffusion.

[25]  Guy Tremblay,et al.  Agile Principles as Software Engineering Principles: An Analysis , 2012, XP.

[26]  Jeffrey R. Yost The Origin and Early History of the Computer Security Software Products Industry , 2015, IEEE Annals of the History of Computing.

[27]  Tom Caddy,et al.  Common Criteria , 2005, Encyclopedia of Cryptography and Security.

[28]  Sven Türpe,et al.  Managing Security Work in Scrum: Tensions and Challenges , 2017, SecSE@ESORICS.

[29]  Ken Schwaber,et al.  SCRUM Development Process , 1997 .

[30]  Bengt Carlsson,et al.  Agile development with security engineering activities , 2011, ICSSP '11.

[31]  Juan Garbajosa,et al.  Mapping CMMI Level 2 to Scrum Practices: An Experience Report , 2009, EuroSPI.

[32]  Pertti Järvinen,et al.  On a variety of research output types , 2004 .

[33]  Barry W. Boehm,et al.  Some future trends and implications for systems and software engineering processes , 2006, Syst. Eng..

[34]  Henrich Christopher Pöhls,et al.  CryptSDLC: Embedding Cryptographic Engineering into Secure Software Development Lifecycle , 2018, ARES.

[35]  Brian Fitzgerald,et al.  Continuous software engineering and beyond: trends and challenges , 2014, RCoSE 2014.

[36]  Bengt Carlsson,et al.  Identification and Evaluation of Security Activities in Agile Projects , 2013, NordSec.