Kalle Rindell
ABSTRACT
Agile methods increase the speed and reduce the cost of software projects; however, they have been criticized for lack of documentation, traditional quality control, and, most importantly, lack of security assurance - mostly due to their informal and self-organizing approach to software development. This paper clarifies the requirements for security assurance by using an evaluation framework to analyze the compatibility of established agile security development methods: XP, Scrum and Kanban, combined with Microsoft SDL security framework, against Finland's established national security regulation (Vahti). We also analyze the selected methods based on their role definitions, and provide some avenues for future research.
- Practical security stories and security tasks for agile development environments. http://www.safecode.org/publication/SAFECode_Agile_Dev_Security0712.pdf. Referenced 9th March, 2015.Google Scholar
- Vahti instructions, 2001--2014. https://www.vahtiohje.fi/web/guest/home.Google Scholar
- Microsoft security development lifecycle (SDL) process guidance - version 5.2, 2012. Referenced 17th March 2015.Google Scholar
- P. Abrahamsson, J. Warsta, M. T. Siponen, and J. Ronkainen. New directions on agile methods: A comparative analysis. In Proceedings of the 25th International Conference on Software Engineering, ICSE '03, pages 244--254, Washington, DC, USA, 2003. IEEE Computer Society. Google ScholarDigital Library
- A. Alnatheer, A. Gravell, and D. Argles. Agile security issues: A research study. In Proceedings of the 5th International Doctoral Symposium on Empirical Software Engineering (IDoESE), 2010. Google ScholarDigital Library
- D. Baca and B. Carlsson. Agile development with security engineering activities. In Proceedings of the 2011 International Conference on Software and Systems Process, ICSSP '11, pages 149--158, New York, NY, USA, 2011. ACM. Google ScholarDigital Library
- K. Beck. Embracing change with extreme programming. IEEE Computer, 32, 1999. Google ScholarDigital Library
- K. Beck, M. Beedle, A. Van Bennekum, A. Cockburn, W. Cunningham, M. Fowler, J. Grenning, J. Highsmith, A. Hunt, R. Jeffries, J. Kern, B. Marick, R. C. Martin, S. Merllor, K. Schwaber, J. Sutherland, and D. Thomas. Manifesto for agile software development, 2001.Google Scholar
- K. Beznosov and P. Kruchten. Towards agile security assurance. In NSPW '04 Proceedings of the 2004 workshop on New security paradigms, pages 47--54, 2004. Google ScholarDigital Library
- G. Boström, J. Wäyrynen, M. Bodén, K. Beznosov, and P. Kruchten. Extending XP practices to support security requirements engineering. In Proceedings of the 2006 International Workshop on Software Engineering for Secure Systems, SESS '06, 2006. Google ScholarDigital Library
- B. Fitzgerald and K.-J. Stol. Continuous software engineering and beyond: Trends and challenges. In Proceedings of the 1st International Workshop on Rapid Continuous Software Engineering, RCoSE 2014, pages 1--9, New York, NY, USA, 2014. ACM. Google ScholarDigital Library
- B. Fitzgerald, K.-J. Stol, R. O'Sullivan, and D. O'Brien. Scaling agile methods to regulated environments: An industry case study. In Proceedings of the 2013 International Conference on Software Engineering, ICSE '13, pages 863--872, 2013. Google ScholarDigital Library
- FMoF. Sovelluskehityksen tietoturvaohje, 2013. Ref. 17th March 2015.Google Scholar
- X. Ge, R. Paige, F. Polack, and P. Brooke. Extreme programming security practices. In G. Concas, E. Damiani, M. Scotto, and G. Succi, editors, Agile Processes in Software Engineering and Extreme Programming, volume 4536 of Lecture Notes in Computer Science, pages 226--230. Springer Berlin Heidelberg, 2007. Google ScholarDigital Library
- ISO/IEC. information technology - security techniques - systems security engineering - capability maturity model (SSE-CMM) iso/IEC 21817:2008.Google Scholar
- ISO/IEC. Information technology - security techniques - code of practice for information security controls iso/IEC 27002:2013, 2013.Google Scholar
- B. Kitchenham, S. Linkman, and D. Law. Desmet: a methodology for evaluating software engineering methods and tools. Computing & Control Engineering Journal.Google Scholar
- A. J. Ko, R. DeLine, and G. Venolia. Information needs in collocated software development teams. In Proceedings of the 29th International Conference on Software Engineering, ICSE '07. IEEE Computer Society, 2007. Google ScholarDigital Library
- T. D. LaToza, G. Venolia, and R. DeLine. Maintaining mental models: A study of developer work habits. In Proceedings of the 28th International Conference on Software Engineering, ICSE '06, pages 492--501, New York, NY, USA, 2006. ACM. Google ScholarDigital Library
- N. Nikitina, M. Kajko-Mattsson, and M. Stråle. From Scrum to Scrumban: A case study of a process transition. In Proceedings of the International Conference on Software and System Process, ICSSP '12, pages 140--149. IEEE Press, 2012. Google ScholarDigital Library
- VersionOne. 8th annual state of agile survey, 2013. http://www.versionone.com/pdf/2013-state-of-agile-survey.pdf, Referenced 17th March 2015.Google Scholar
Recommendations
Empirical Study of Agile Software Development Methodologies: A Comparative Analysis
In today's software industry, technological prowess and ever-evolving customer requirements have led to more complex software demands. Agile based software development is increasingly being adopted by the software practitioners as it assures early ...
The Combination of Agile and Lean in Software Development: An Experience Report Analysis
AGILE '11: Proceedings of the 2011 Agile ConferenceThere has been a noticeable focus shift from agile methods such as extreme Programming (XP) and Scrum to lean software development in the last several years, which is indicated as â from agile to leanâ . However, the reality may not be as simple or ...
Stakeholder Involvement in Agile Software Development
NordiCHI '16: Proceedings of the 9th Nordic Conference on Human-Computer InteractionAgile software development processes (Agile), such as Scrum, DSDM, XP and Kanban, have become de facto standards for software development practice. Scrum, the most commonly used process, focuses on delivering functioning software early and continuously, ...
Comments