Abstract
The steep rise in security threats has forced organizations to adopt sound security practices from the development stage of any software project onward. With the rising popularity of lightweight, agile methodologies, this becomes more complicated. This paper proposes a framework, FISA-XP, which can be adopted for the development of a secure software system. The proposed framework integrates security activities with the core activities of Extreme Programming based on their degree of agility. In order to calculate the agility degree, agility features are selected using a threshold value. The compatibility of the agile activities with the security activities is then assessed by introducing an integration matrix that states whether integrating a given agile activity with each security activity is possible or not. This framework assists in integrating security activities with agile activities while keeping the combined agility degree within acceptable limits. To this end, our approach introduces an Acceptable Agility Reduction Factor, which gives a threshold value for an acceptable reduction in the agility degree. If the reduction in the combined agility degree is below the threshold value, that security activity is not accepted for integration. TISA-XP, an automated tool, has been designed to enable developers to apply FISA-XP in practice. This tool has been used by a software development company on an experimental basis, and the feedback reflects its practical feasibility.
FISA-XP: an agile-based integration of security activities with extreme programming