Abstract
Agile software development is receiving the attention of software developers and researchers thanks to its fast software delivery and flexible development planning. Fast releases and simplified documentation thus lead to the agile development model being preferred over several traditional models. This, however, also raises critical security concerns. In this research work, we propose a framework for secure agile development. The choice between agile and plan-driven approaches, and of the particular agile method among Extreme Programming (XP), Crystal Clear, Scrum, Lean Development, Dynamic Software Development Method and Feature-Driven Development, is made on the basis of the specific requirements of the project using empirical methods such as AHP and PROMETHEE. A Systematic Literature Review (SLR) and a survey study are used to obtain authentic industrial feedback, followed by the application of non-parametric statistical tests to identify and select the most suitable and beneficial security activities from well-known security engineering processes such as CLASP, Common Criteria, Cigital Touchpoints and Microsoft's SDL. A lightweight method is also introduced for integrating the security activities identified from the SLR and survey study, using a dynamic integration algorithm, without compromising the agility of the process. The proposed framework for integrating these security activities is implemented in Java to automate the entire process and provides maximum benefit at a low integration cost.
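A worked illustration of the AHP selection step the abstract refers to, ranking the six listed agile methods against project criteria and refusing to rank when the pairwise judgements fail Saaty's consistency check. This is an added example, not code from the paper's Java framework; the criteria, pairwise judgements and per-method fit ratings are constructed assumptions.

```python
import numpy as np

# Added example, not the paper's code; all criteria, judgements and ratings
# below are constructed. Saaty's random consistency index (RI) for n = 1..10.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

# Constructed project criteria; a[i][j] = how much more important i is than j.
CRITERIA = ["security criticality", "requirement volatility", "team size"]
CRITERIA_PAIRWISE = [[1.0, 3.0, 5.0],
                     [1 / 3, 1.0, 3.0],
                     [1 / 5, 1 / 3, 1.0]]

# Constructed 0..1 fit ratings of each method on each criterion, same order.
METHOD_RATINGS = {"XP": [0.5, 0.9, 0.4], "Crystal Clear": [0.4, 0.7, 0.3],
                  "Scrum": [0.6, 0.8, 0.7], "Lean Development": [0.5, 0.6, 0.6],
                  "DSDM": [0.8, 0.5, 0.7], "FDD": [0.7, 0.5, 0.8]}


def ahp_priorities(pairwise):
    """Return (weights, CR) for a reciprocal pairwise-comparison matrix.

    Weights are the normalised principal eigenvector. CI = (lambda_max - n)
    / (n - 1) and CR = CI / RI; CR > 0.10 means the judgements contradict
    each other too much and must be re-elicited before driving a decision.
    """
    a = np.asarray(pairwise, dtype=float)
    n = a.shape[0]
    eigvals, eigvecs = np.linalg.eig(a)
    k = int(np.argmax(eigvals.real))
    lam_max = float(eigvals[k].real)
    w = np.abs(eigvecs[:, k].real)          # Perron vector: one sign throughout
    w = w / w.sum()
    ci = (lam_max - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] > 0 else 0.0
    return w, cr


def rank_methods(weights, ratings=METHOD_RATINGS):
    """Weighted-sum score per method, best first, as [(name, score), ...]."""
    scored = [(m, float(np.dot(weights, r))) for m, r in ratings.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def select_method(pairwise=CRITERIA_PAIRWISE, ratings=METHOD_RATINGS):
    """Full step: refuse to rank when the criteria judgements are inconsistent."""
    w, cr = ahp_priorities(pairwise)
    if cr > 0.10:
        raise ValueError(f"criteria judgements inconsistent (CR={cr:.2f})")
    return rank_methods(w, ratings)[0][0]
```

With the constructed inputs the security criterion carries about 63% of the weight, so the method rated strongest on it comes out on top; a cyclic judgement matrix such as 1>2, 2>3, 3>1 is rejected with a CR above 1.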
Cite this article
Sharma, A., Bawa, R.K. Identification and integration of security activities for secure agile development. Int. j. inf. tecnol. 14, 1117–1130 (2022). https://doi.org/10.1007/s41870-020-00446-4
DOI: https://doi.org/10.1007/s41870-020-00446-4