Abstract
Agile methods, such as eXtreme Programming (XP), have been criticised for being inadequate for the development of secure software. In this paper, we analyse XP from a security engineering standpoint, to assess to what extent the method can be used for the development of security-critical software. This is done by analysing XP in the light of two security engineering standards: the Systems Security Engineering Capability Maturity Model (SSE-CMM) and the Common Criteria (CC). The result is that XP is more aligned with security engineering than one might think at first. However, XP also needs to be tailored to better support, and to more explicitly deal with, security engineering issues. Tailoring XP for secure software development, without removing the agility that is the trademark of agile methods, may be a solution that would make XP more compatible with current security engineering practices.
© 2004 Springer-Verlag Berlin Heidelberg
Wäyrynen, J., Bodén, M., Boström, G. (2004). Security Engineering and eXtreme Programming: An Impossible Marriage? In: Zannier, C., Erdogmus, H., Lindstrom, L. (eds) Extreme Programming and Agile Methods - XP/Agile Universe 2004. XP/Agile Universe 2004. Lecture Notes in Computer Science, vol 3134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-27777-4_12
DOI: https://doi.org/10.1007/978-3-540-27777-4_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22839-4
Online ISBN: 978-3-540-27777-4