
Identification and integration of security activities for secure agile development

  • Original Research
  • International Journal of Information Technology

Abstract

Agile software development is receiving the attention of software developers and researchers thanks to its fast software delivery and flexible development planning. Fast releases and simplified documentation thus lead to the agile development model being preferred over several traditional models. This, however, also raises critical concerns about security. In this research work, we propose a framework for secure agile development. The selection of development methodology between agile and plan-driven approaches, and of the particular agile method among Extreme Programming (XP), Crystal Clear, Scrum, Lean Development, Dynamic Software Development Method and Feature-Driven Development, is made on the basis of the specific requirements of the project using empirical methods such as AHP and PROMETHEE. A Systematic Literature Review (SLR) and a survey study are used to obtain authentic industrial feedback, followed by the application of non-parametric statistical tests to identify and select the most suitable and beneficial security activities from well-known security engineering processes such as CLASP, Common Criteria, Cigital Touchpoints and Microsoft's SDL. A lightweight method is also introduced for integrating the security activities identified from the SLR and survey study, using a dynamic integration algorithm that does not compromise the agility of the process. The proposed framework for integrating these security activities is implemented in Java to automate the entire process and provides maximum benefit at a low integration cost.




Author information

Correspondence to Amit Sharma.

Electronic supplementary material

Supplementary material 1 (PDF 866 kb)


About this article


Cite this article

Sharma, A., Bawa, R.K. Identification and integration of security activities for secure agile development. Int. j. inf. tecnol. 14, 1117–1130 (2022). https://doi.org/10.1007/s41870-020-00446-4


  • DOI: https://doi.org/10.1007/s41870-020-00446-4
