Académique Documents
Professionnel Documents
Culture Documents
Software Development
Methods
Tran Nguyen
Information System Analysis, Fall 2015
Dr. Sauter
Table of Contents
1. Introduction.................................................................................................................1
2. The importance of integrating security into agile methodologies...............................1
2.1. Overview about agile methodologies...................................................................1
2.2. Overview of Information Security (InfoSec):.........................................................1
2.3. Issues of integrating security into Agile Development Methodologies.................1
3. The suggested integration of security activities into Agile Methodologies.................1
3.1. Scrum....................................................................................................................1
3.1.1. Overview of Scrum.........................................................................................1
3.1.2. The Proposed Secure Methodology for Scrum (Secure Scrum):.....................1
3.1.3. Evaluation of Secure Scrum:..........................................................................1
3.2. Dynamic Systems Development Method..............................................................1
3.2.1. Overview of Dynamic Systems Development Method...................................1
3.2.2. The Proposed Secure Methodology for Dynamic Systems Development
Method (Incorporating SQUARE steps into a DSDM process and Secure Dynamic
System Development Method):...................................................................................1
3.2.3. Evaluation of Incorporating SQUARE steps into a DSDM process and
Secure Dynamic System Development Method:......................................................1
3.3. Extreme Programming..........................................................................................1
3.3.1. Overview of Extreme Programming...............................................................1
3.3.2. The Proposed Secure Methodology for Dynamic Systems Development
Method (Inbuilt Security and Role-based Extreme Programming)...............................1
3.3.3. Evaluation of Inbuilt Security and Role-based Extreme Programming).........1
4. Conclusion...................................................................................................................1
Table of Figures..................................................................................................................1
Bibliography.......................................................................................................................1
1. Introduction
In the 1990s, in reaction to the heavyweight software
development methods, many lightweight methods such as
Extreme Programming, Dynamic Systems Development Method,
Scrum and Crystal Clear were developed to be alternatives of the
traditional method. In 2001, representatives from these
lightweight methods unified and published the Agile Manifesto.
Since then, Software Development Methods under the umbrella of
Agile Manifesto have become popular. However, owing the fact
that Agile methods has developed ten years ago, several new IT
issues especially Information system security are not included in
the framework. To avoid threats associated with information
security, security needs to be integrated in Agile Software
Development Methodologies.
This paper will explore techniques to integrate into Agile Software
Development methods. In order to understand how the
techniques work, the paper will first introduce the overview of
agile methods, information security, scrum, dynamic systems
development method and Extreme Programming. This will be
followed by exploring the recent studies about integrating
security into three agile methods (Scrum, Dynamic Systems
Development Method and Extreme Programming). The paper will
conclude with the evaluation of different techniques for
integrating security into each agile method.
2. The importance of integrating security into agile
methodologies
2.1. Overview about agile methodologies
Agile Methodologies are software development methodologies
that follow Manifesto for Agile Software Development. Agile
Manifesto (Beck, et al., 2001) states that:
We are uncovering better ways of developing software by doing
it and helping others do it. Through this work we have come to
value:
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
That is, while there is value in the items on the right, we value
the items on the left more.
The main difference between Agile methods and traditional
waterfall method is the structure of the development. In the
waterfall method, all product features and requirements follow a
sequential design process. In the Agile development methods, the
project is divided into iterations. Each iteration will implement a
part of product requirements. The life cycle of the iteration will
start over after each iteration is finished until all product
requirements are satisfied.
Agile is a popular approach in Software Development. According
to the Spring 2014 DDJ State of the IT Union Survey (Scott Ambler
+Associates, 2014), compared to other development
methodologies like Ad hoc, Lean and Traditional. Agile
methodologies provide better results in return on investment,
quality, stakeholder satisfaction, team morale, and delivery time.
It is one of the three software development methodologies that
have highest success rates (Scott Ambler +Associates, 2013).
There are various methodologies that apply the values of the
Agile Manifesto. The popular agile methodologies are Scrum,
Extreme Programming, Rational Unified Process, Dynamic System
Development Method and Feature Driven Development. Each
method or techniques has its own strengths and weaknesses.
Depending on the characteristics of the system, the development
team will choose an appropriate method or they can combine
many methods.
https://www.youtube.com/watch?v=OJflDE6OaSc
2.2. Overview of Information Security (InfoSec):
Information Systems Security is "the protection of information
systems against unauthorized access to or modification of
information, whether in storage, processing, or transit, and
against the denial of service to authorized users, including those
measures necessary to detect, document, and counter such
threats" (Kissel, 2013).
To evaluate the information systems security, C.I.A. triangle is
introduced as the classic industry standard for computer security
since the development of the mainframe (Whitman & Mattord,
2014). the C.I.A triangle includes three attributes of information
security: confidentiality, integrity and availability.
Confidentiality: the information is protected from
unauthorized individuals or systems.
Integrity: the information remains whole, complete and
uncorrupted.
Availability: the information can be accessed by authorized
users in the right format without interference or obstruction.
4. Conclusion
As the number of software hit by cyber attacks are skyrocketing,
building security into the software development become an
essential part of software development processes. Agile approach
is one of the most popular software development approach and
methodologies using this approach needs to be modified to adapt
the increase threats and vulnerabilities of information system.
Many researchers around the world are developing secure agile
methodologies based on the existing Agile methodologies. This
paper introduced Secure Scrum, Secure Dynamic System
Development Method, SQUARE in Dynamic System Development
Method, Role-based Extreme Programming, and Inbuilt Security in
Extreme Programming. The Secure Scrum suggests security
marks and tags on user stories, backlogs and tags. The Secure
Dynamic System Development Method offers new phases and
sub-phases into Dynamic System Development Method Life Cycle.
SQUARE in Dynamic System Development Method proposes
SQUARE steps included in business study phase. Role-based
Extreme Programming recommends a new team member
security master. Inbuilt Security in Extreme Programming adds
security-relevant elements into Extreme Programming practices.
Although several issues of integrating security into agile
methodologies are solved, those methods have many limitations.
The combination of related methods can eliminate some
weaknesses and improve the existing methods.
Table of Figures
Figure 1 Components of Information Security (Whitman & Mattord,
2014)........................................................................................ 1
Figure 2: The Scrum Life Cycle (MM1, 2012).................................1
Figure 3 Integration of Secure Scrum components into standard
Scrum (Pohl & Hof, 2015).........................................................1
Figure 4 Usage of S-Tags to mark user stories in the Product
Backlog and to connect user stories to descriptions of security
related issues (Pohl & Hof, 2015)..............................................1
Figure 5 Dynamic Systems Development Method Team Model
(DSDM Consortium, 2014)........................................................1
Figure 6 The DSDM Life Cycle (Messenger, 2006).........................1
Figure 7 Secure Dynamic Development Method Life Cycle (Sani,
Shani, & Jeong, Secure Dynamic System Development Method
(SDSDM): Model for Secure Software Development, 2013).......1
Figure 8 The Extreme Programming Practices support each other
(Beck, Extreme Programming Explained: Embrace Change,
1999)........................................................................................ 1
Figure 9 Ten Extreme Programming Practices of a Security Master
(Ghani, Izzaty, & Firdaus, Role-based Extreme Programming
(XP) for Secure Software Development, 2013)..........................1
Bibliography
Bartsch, S. (2011). Practitioners Perspectives on Security in Agile
Development. 2011 Sixth International Conference on
Availability, Reliability and Security. IEEE.
Beck, K. (1999). Extreme Programming Explained: Embrace
Change (1st ed.). Addision-Wesley.
Beck, K., & Andres, C. (2004). Extreme Programming Explained:
Embrace Change (2nd ed.). Addition-Wesley.
Beck, K., Beedle, M., Bennekum, A. v., Cockburn, A., Cunningham,
W., Fowler, M., . . . Thomas, D. (2001). Retrieved from
AgileManifesto.Org: http://www.agilemanifesto.org/
DSDM Consortium. (2008). Overview of DSDM version 4.2.
Retrieved from DSDM Web site:
http://www.dsdm.org/version4/2/public/Overview_of_DSDM.a
sp
DSDM Consortium. (2014). The DSDM Agile Project Framework.
Retrieved from DSDM Web site: http://www.dsdm.org/dig-
deeper/book/7-roles-and-responsibilities
DSDM Consortium. (2015). What is DSDM? Retrieved from DSDM
web site: http://www.dsdm.org/content/what-dsdm
Ghani, I., & Yasin, I. (2013, April). Software Security Engineering in
Extreme Programming Methodology: A systematic Literature
Review. Science International, 25(2), 215.
Ghani, I., Izzaty, N., & Firdaus, A. (2013, January). Role-based
Extreme Programming (XP) for Secure Software
Development. Science International, 1071.
James, M. (2012). Scrum Reference Card. Retrieved from
CollabNet Web site:
http://www.collab.net/sites/default/files/uploads/CollabNet_sc
rumreferencecard.pdf
Keramati, H., & Mirian-Hosseinabadi, S.-H. (2008). Integrating
Software Development Security Activities with Agile
Methodologies. 2008 IEEE/ACS International Conference on
Computer Systems and Applications (pp. 749 - 754). IEEE.
Kissel, R. (2013, May). Glossary of Key Information Security
Terms. Retrieved from National Institude of Standards and
Technology:
http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
Mead, N. R., Viswanathan, V., & Zhan, J. (2008). Incorporating
Security Requirements Engineering into Standard Lifecycle
Processes. International Journal of Security and its
Applications, 2(4), 67-79.
Messenger, S. (2006). Introduction to DSDM . Retrieved from
Slideshare: http://www.slideshare.net/nashjain/introduction-
to-dsdm
MM1. (2012, May 21). Scrum According to MM1. Retrieved
November 5, 2015, from MM1 Consulting and Management
Website: http://mm1.com/scrum-poster-for-easy-
implementation-of-scrum-published-by-mm1-consulting-
management/
Mougouei, D., Sani, N. F., & Almasi, M. M. (2013). S-Scrum: a
Secure Methodology for Agile Development of Web Services.
World of Computer Science and Information Technology
Journal (WCSIT), 3(1), 15-19.
Plaza, L. (2015, January 21). Difference between Product Backlog
and Sprint Backlog. Retrieved from Management Plaza
Company Web site: http://mplaza.pm/difference-between-
product-backlog-and-sprint-backlog/
Pohl, C., & Hof, H.-J. (2015). Secure Scrum: Development of
Secure Software with Scrum. arXiv preprint
arXiv:1507.02992.
S., B. M., Norwawi, N. M., Selamat, M. H., & Sharif, K. Y. (2011).
Improved Extreme Programming Methodology with Inbuilt
Security. 2011 IEEE Symposium on Computers & Informatics,
(pp. 674-679).
Sani, A., Firdaus, A., Jeong, S. R., & Ghani, I. (2013, May). A Review
on Software Development Security Engineering using
Dynamic System Method (DSDM). International Journal of
Computer Applications, 69(25).
Sani, A., Shani, I., & Jeong, S. R. (2013). Secure Dynamic System
Development Method (SDSDM): Model for Secure Software
Development. Journal of Science International Lahore,
Special Issue, 1059-1064.
Schwaber, K., & Sutherland, J. (2013, July). The Definitive Guide to
Scrum: The rules of the Game. Retrieved from The Scrum
Guide:
http://www.scrumguides.org/docs/scrumguide/v1/Scrum-
Guide-US.pdf#zoom=100
Scott Ambler +Associates. (2013). 2013 IT Project Success Rates
Survey Results. Retrieved November 13, 2015, from
Ambysoft:
http://www.ambysoft.com/surveys/success2013.html
Scott Ambler +Associates. (2014). Software Development at
Scale: Results from the Spring 2014 DDJ State of the IT
Union Survey. Retrieved November 13, 2015, from Ambysoft:
http://www.ambysoft.com/surveys/stateOfITUnion2014Q2.ht
ml#Results
Securosis. (2013, November 3). Secure Agile Development.
Retrieved November 12, 2015, from Securosis, L.L.C.:
https://securosis.com/assets/library/reports/SecureAgileDevel
opment_Nov2014_FINAL.pdf
Stapleton, J. (1997). DSDM, Dynamic Systems Development
Method: The Method in Practice. Addison-Wesley.
Veracode. (2010). Agile Security: Successful Application Security
Testing for Agile Development. Retrieved November 5, 2015,
from
https://www.veracode.com/sites/default/files/Resources/Whit
epapers/whitepaper-agilesecurity.pdf
Whitman, M., & Mattord, H. (2014). Principles of Information
Security (5th Edition ed.). Cengage Learning.