Article

Agile development of secure web applications

Authors:
Xiaocheng Ge

University of York, York, UK

University of York, York, UK
View Profile

,
Richard F. Paige

University of York, York, UK

University of York, York, UK
View Profile

,
Fiona A.C. Polack

University of York, York, UK

University of York, York, UK
View Profile

,
Howard Chivers

Cranfield University, Swindon, UK

Cranfield University, Swindon, UK
View Profile

,
Phillip J. Brooke

University of Teesside, Middlesbrough: UK

University of Teesside, Middlesbrough: UK
View Profile

ICWE '06: Proceedings of the 6th international conference on Web engineeringJuly 2006Pages 305–312https://doi.org/10.1145/1145581.1145641

Published:11 July 2006Publication History

ICWE '06: Proceedings of the 6th international conference on Web engineering

Pages 305–312

ABSTRACT

A secure system is one that is protected against specific undesired outcomes.Delivering a secure system, and particularly a secure web application, is not easy.Integrating general-purpose information systems development methods withsecurity development activities could be a useful means to surmount thesedifficulties Agile processes, such as Extreme Programming, are of increasing interest insoftware development. Most significantly for web applications, agile processesencourage and embrace requirements change, which is a desirable characteristicfor web application development.In this paper, we present an agile process to deliver secure web applications.The contribution of the research is not the development of a new method or processthat addresses security concerns. Rather, we investigate general-purpose informationsystemdevelopment methods (e.g., Feature-Driven Development (FDD)) and mature security methods, namely risk analysis, and integrate them to address the development of secure web applications. The key features of our approach are(1) a process capable of dealing with the key challenges of web applicationsdevelopment, namely decreasing life-cycle times and frequently changing requirements; and (2) an iterative approach to risk analysis that integrates security design throughout the development process.

References

Agile Manifesto. http://agilemanifesto.org.Google Scholar
SSADM-CRAMM subject guide for SSADM version 3 and CRAMM version 2. Technical report, Central Computer and Telecommunications Agency, IT Security and Privacy Group., 1991.Google Scholar
CRAMM. Technical Report http://www.cramm.com, Insight Consulting Limited, 2003.Google Scholar
E. Aydal. Extreme programming and refactoring for building secure web-based applications and web services. MSc in Software Engineering Thesis, Computer Science Department, University of York, 2005.Google Scholar
L. Baresi, F. Garzotto, and P. Paolini. Extending UML for modeling web applications. In Proceeding of 34th Annual Hawaii International Conference on System Sciences (HICSS-34)-Volume 3, Maui, Hawaii, USA, January 2001. IEEE. Google ScholarDigital Library
R. Baskerville. Information systems security design methods: Implications for information systems development. ACM Computing Surveys, 25(4):375--414, 1993. Google ScholarDigital Library
K. Beznosov. eXtreme Security Engineering. In Proceeding of First ACM BizSec Workshop, Fairfax VA, USA, October 2003.Google Scholar
CERT Coordination Centre. Operationally critical threat, asset, and vulnerability evaluation (OCTAVE). Technical Report http://www.cert.org/octave/, Software Engineering Institute, CERT Coordination Centre, 2003.Google Scholar
H. Chivers. Security and systems engineering. Technical Report YCS378, Department of Computer Science, University of York, June 1994.Google Scholar
H. Chivers, R. Paige, and X. Ge. Agile security using an incremental security architecture. In Proceeding of the Sixth International Conference on eXtreme Programming and Agile Processes in Software Engineering (XP2005), Spring-Verlag LNCS 3556, pages 57--65, Sheffield, UK, 2005. Google ScholarDigital Library
F. Garzotto, P. Paolini, and D. Schwabe. HDM --- model-based approach to hypertext application design. ACM Trans. Inf. Syst., 11(1):1--26, 1993. Google ScholarDigital Library
M. Goodland and C. Slater. SSADM Version 4: A Practical Approach. McGRAW-HILL Book Company Europe, 1995.Google Scholar
T. Grance, J. Hash, and M. Stevens. Security considerations in the information system development life cycle. Technical report, National Institute of Standards and Technology (NIST), Special Publication 800-64, October 2003. (revision 1 released June 2004).Google Scholar
B. S. Institution. Information security mangement part 2: Specification for information security management systems. Technical report, BS 7799-2:1999, 1999.Google Scholar
P. Kruchten. The Rational Unified Process: an Introduction. Addison-Wesley, 2003. Google ScholarDigital Library
G. R. Lifia, H. Schmid, and F. Lyardet. Engineering business processes in web applications: Modeling and navigation issues. In Proceeding of 3ird International Workshop on Web-Oriented Software Technologies, IWWOST'03, July 2003.Google Scholar
A. McDonald and R. Welland. Agile web engineering (AWE) process. Technical report, Department of Computer Science, University of Glasgow, UK, December 2001.Google Scholar
R. Paige, J. Cakic, X. Ge, and H. Chivers. Towards agile reengineering of dependable grid applications. In Proceeding of 17th International Conference of Software and System Engineering and Their Applications (ICSSEA), CNAM, Paris, November 2004.Google Scholar
S. R. Palmer and J. M. Felsing. A Practical Guide to Feature-Driven Development. Prentice Hall, 2002. Google ScholarDigital Library
B. Schenier. Beyond Fear: Thinking Sensibly About Security in an Uncertain World. Copernicus Books, 2003. Google ScholarDigital Library
G. Stoneburner, A. Goguen, and A. Feringa. Risk management guide for information technology systems. Technical report, National Institute of Standards and Technology (NIST), Special Publication 800-30, July 2002. Google ScholarDigital Library

Index Terms

Agile development of secure web applications

Recommendations

Towards a Secure SCRUM Process for Agile Web Application Development
ARES '17: Proceedings of the 12th International Conference on Availability, Reliability and Security

Agile development such as Scrum and Extreme Programming deliver software in short iterations for quick response to rapid business requirement and market changes. However, established secure software development methodologies are mostly based on linear ...
Read More
Agile trends in Chinese global software development industry: Fuzzy AHP based conceptual mapping
Abstract
Global Software Development (GSD) has gained great attention during the past decade or so, and it is also being adopted by most of the software development organizations. The GSD approach is practiced by the software development ...
Highlights
- Explore the factors that could positively impact the agile scaling process in Chinese global software development (GSD) industry.
Read More
Adopting to Agile Software Development

Abstract Agile software development can be made successful, but there is no well-defined way how to achieve this. The problem is that the successful adoption of agile methods and practices is a complex process and this process should be customizable for ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ICWE '06: Proceedings of the 6th international conference on Web engineering
July 2006
384 pages
ISBN:1595933522
DOI:10.1145/1145581
General Chairs:
Dave Wolber
University of San Francisco, USA
,
Neil Calder
SLAC, USA
,
Program Chairs:
Chris Brooks
University of San Francisco, USA
,
Athula Ginige
University of Western Sydney, Australia
Copyright © 2006 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 11 July 2006
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
feature driven development
security risk assessment
web applications
Qualifiers
- Article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 33
  Total Citations
  View Citations
- 2,974
  Total Downloads
- Downloads (Last 12 months)48
- Downloads (Last 6 weeks)8
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Agile development of secure web applications

ICWE '06: Proceedings of the 6th international conference on Web engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

Towards a Secure SCRUM Process for Agile Web Application Development

Agile trends in Chinese global software development industry: Fuzzy AHP based conceptual mapping

Adopting to Agile Software Development