ABSTRACT
A secure system is one that is protected against specific undesired outcomes. Delivering a secure system, and particularly a secure web application, is not easy. Integrating general-purpose information systems development methods with security development activities could be a useful means to surmount these difficulties.

Agile processes, such as Extreme Programming, are of increasing interest in software development. Most significantly for web applications, agile processes encourage and embrace requirements change, which is a desirable characteristic for web application development.

In this paper, we present an agile process to deliver secure web applications. The contribution of the research is not the development of a new method or process that addresses security concerns. Rather, we investigate general-purpose information system development methods (e.g., Feature-Driven Development (FDD)) and mature security methods, namely risk analysis, and integrate them to address the development of secure web applications. The key features of our approach are (1) a process capable of dealing with the key challenges of web applications development, namely decreasing life-cycle times and frequently changing requirements; and (2) an iterative approach to risk analysis that integrates security design throughout the development process.