Journal of Internet Computing and Services (인터넷정보학회논문지)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

A Systematic Literature Review on Secure Software Development using Feature Driven Development (FDD) Agile Model

기능주도개발 Agile 방법을 사용할 때의 안전한 소프트웨어 개발에 관한 문헌연구

  • Arbain, Adila Firdaus (Faculty of Computing, Dept. of Software Engineering, Universiti Teknologi Malaysia) ;
  • Ghani, Imran (Faculty of Computing, Dept. of Software Engineering, Universiti Teknologi Malaysia) ;
  • Jeong, Seung Ryul (Graduate School of Business IT, Kookmin University)
  • Received : 2013.10.28
  • Accepted : 2013.12.18
  • Published : 2014.02.28
Download PDF
⟨ Previous Next ⟩

Abstract

Agile methodologies have gained recognition as efficient development processes through their quick delivery of software, even under time constraints. However, like other agile methods such as Scrum, Extreme Programming (XP) and The Dynamic Systems Development Method (DSDM), Feature Driven Development (FDD) has been criticized due to the unavailability of security elements in its twelve practices. In order to examine this matter more closely, we conducted a systematic literature review (SLR) and studied literature for the years 2001-2012. Our findings highlight that, in its current form, the FDD model partially supports the development of secure software. However, there is little research on this topic, as detailed information about the usage of secure software is rarely published. Thus, we have been able to conclude that the existing five phases of FDD have not been enough to develop secure software until recently. For this reason, security-based phase and practices in FDD need to be proposed.

Agile 방법론은 시간적 제약하에서도 효율적인 개발 프로세스로 빠르게 제품을 완성할 수 있는 방법으로 알려져 있다. 하지만 scrum, XP, DSDM 등과 같은 여타 Agile 방법들처럼 기능주도개발 (FDD) Agile 방법도 보안요소의 불가용성으로 인해 비판을 받고 있다. 이러한 이슈를 보다 자세히 살펴보기 위해 본 연구는 2001년부터 2012년사이에 나타난 연구들에 대한 체계적인 문헌연구를 수행하였다. 본 연구 결과, 현재 FDD 방법은 안전한 소프트웨어 개발을 부분적으로 지원하고 있는 것으로 나타났다. 하지만 안전한 소프트웨어 사용에 관한 상세한 정보가 문헌에 거의 나타나고 있지 않은 것으로 보아 이 분야에 대한 연구 노력은 거의 없어 보인다. 따라서 현재의 5단계 FDD 방법은 안전한 소프트웨어 개발에 충분하지 않음을 알 수 있고 결국, 본 연구는 FDD 방법에서 보안에 기반을 둔 새로운 수행 단계와 프랙티스가 제안될 필요가 있음을 보여준다.

Keywords

References

  1. Dyba, T., Dingsoyr, T., "Empirical studies of agile software development: A systematic review," Information and Software Technology , pg 833-859, 2008.
  2. Mchugh, O., Conboy, K., Lang, M., "Agile Practices: "The Impact on Trust in Software Project Teams, "Articles on Computer Sciences , 71-76, 2011.
  3. Slaten, K.M., Droujkova, M., Berenson, S.B., Williams, L., Layman, L., "Undergraduate Student Perceptions of Pair Programming and Agile Software Methodologies: Verifying a Model of Social Interaction," Proceedings of the Agile Development Conference, 2005.
  4. Azim, A.S., Amir, S.S., Shams, F., "Embedding Architectural Practices into Extreme Programming," 19th Australian Conference on Software Engineering , 310-319, 2008.
  5. Breivold, H.P., Sundmark, D., Wallin, P., Larsson, S., "What Does Research Say About Agile and Architecture," Fifth International Conference on Software Engineering Advances, 32-37, 2011
  6. Wayrynen, J., Boden, M., Bostrom, G., "Security Engineering and eXtreme Programming: An Impossible Marriage?," Forum on Stockholm University/Royal Institute of Technology, 117-128, 2004.
  7. Richard G. Epstein., "Getting Students to Think About How Agile Processes Can Be Made More Secure," 21st Conference on Software Engineering Education and Training, 2008.
  8. Azham, Z., Ghani, I., Ithnin, N., "Security Backlog in Scrum Security Practices," 5th MySEC (Malaysian Conference in Software Engineering), 2011.
  9. AAllen J. H., 2008] Allen J. H.,Software Security Engineering: A Guide for Project Manager, In Addison Wesley Professional, 2008.
  10. Sedek K. A., Sulaiman S., and Omar M. A., A systematic literature review of interoperable architecture for e-government portals, Malaysian Conference in Software Engineering, pp. 82-87, 2011.
  11. [Agile!=Security, 2012] Agile!=Security, 2012, http://www.rakkhis.com/2011/06/agile-security.html
  12. Spruit M. E. M. and Looijen M., IT security in Dutch practice, Computers and Security, vol. 15, No. 2, pp. 157-170, 1996. https://doi.org/10.1016/0167-4048(96)00001-6
  13. Bala Musa.S, Norita Md Norwawi, Mohd Hassan Selamat, Khaironi Yetim Sharif Improved Extreme Programming, IEEE Symposium on Computers & Informatics, 2011.
  14. Ryan Riley, Xuxian Jiang, Dongyan Xu., An Architectural Approach to Preventing Code Injection Attacks, IEEE Transactions On Dependable And Secure Computing, Vol. 7, No. 4, 2010.
  15. Jie Ren, Richard Taylor, Paul Dourish, David Redmiles., Towards An Architectural Treatment of Software Security: A Connector-Centric Approach. Software Engineering for Secure Systems - Building Trustworthy Applications , 2005.
  16. A Jones., A framework for the management of information security risks, BT Technology ,2007.
  17. Mohamed El-Attar.,A framework for improving quality in misuse case models, Business Process Management Journal Vol. 18 No. 2, 2012.
  18. Vibhu Saujanya Sharma, Kishor S. Trivedi.,Quantifying software performance, reliability and security:An architecture-based approach, The Journal of Systems and Software 80, p. 493-509, 2007. https://doi.org/10.1016/j.jss.2006.07.021
  19. Dieste O., and Juristo N., Systematic review and aggregation of empirical studies on elicitation techniques., IEEE Transactions on Software Engineering, vol. 37, no. 2, pp. 283-304, 2011. https://doi.org/10.1109/TSE.2010.33
  20. Salleh N., Mendes E., and Grundy J.,Empirical Studies of Pair Programming for CS/SE Teaching in Higher Education: A Systematic Literature Review, IEEE Transactions on Software Engineering, vol. 37, no. 4, pp. 509-525, 2011. https://doi.org/10.1109/TSE.2010.59
  21. Kitchenham B., Pearl O. B., Budgen D., Turner M., Bailey J., and Linkman S.,Systematic literature reviews in software engineering - A systematic literature review, Information and Software Technology, vol. 51, no. 1, pp. 7-15, 2009 https://doi.org/10.1016/j.infsof.2008.09.009
  22. B. A. Kitchenham et al..,Preliminary guidelines for empirical research in software engineering, IEEE Transactions on Software Engineering, vol. 28, no. 8, pp. 721-734, 2002. https://doi.org/10.1109/TSE.2002.1027796
  23. Jim Q. Chen, Dien Phan, B. Wang, Douglas R. Vogel., Light-Weight Development Method: a Case Study, IEEE,2007.
  24. Richard G. Epstein., Getting Students to Think About How Agile Processes Can Be Made More Secure,21st Conference on Software Engineering Education and Training, 2008.
  25. Ali Inan, Murat Kantarcioglu, Gabriel Ghinita, and Elisa Bertino.,A Hybrid Approach to Private Record Matching, IEEE Transactions On Dependable And Secure Computing, Vol. 9, No. 5, 2012.
  26. Bernhard Hammerli., Financial Services Industry. Critical Information Infrastructure Protection, LNCS 7130, pp. 301-329, 2012.
  27. Amir Mohd Talib,Rodziah Atan, Rusli Abdullah, Masraf Azrifah Azmi Murad., Multi agent system architecture oriented Prometheus methodology design to facilitate security of cloud data storage, Journal of Software Engineering , vol. 5, no. 3, pp. 78-90, 2011. https://doi.org/10.3923/jse.2011.78.90
  28. Lian Yu1, Shi-Zhong Wu, Tao Guo, Guo-Wei Dong,Cheng-Cheng Wan1, and Yin-Hang Jing., Ontology Model-Based Static Analysis of Security Vulnerabilities, LNCS 7043, pp. 330-344, 2011.
  29. Sam Weber Paul A. Karger Amit Paradkar., A Software Flaw Taxonomy: Aiming Tools At Security.Software Engineering for Secure Systems, Building Trustworthy Applications, 2005.
  30. GOETZ GRAEFE.,Query Evaluation Techniques for Large Databases, ACM Computing Surveys, Vol. 25, No. 2, 1993.
  31. Ross Hytnen and Mario Garcia., AN ANALYSIS OF WIRELESS SECURITY, Consortium for Computing Sciences in Colleges, 2006.
  32. Michael Kainerstorfer et al., 2011] Michael Kainerstorfer, Johannes Sametinger, Andreas Wiesauer., Software Security for Small Development Teams - A Case Study, WAS2011, 2011.
  33. Donald G. Firesmith, 2010] Donald G. Firesmith., Engineering Safety- and Security-Related Requirements for Software-Intensive Systems: Tutorial Summary, ICSE, 2010.
  34. Terrence August and Tunay I. Tuncay, 2011] Terrence August, Tunay I. Tuncay., Who Should be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments, Management Science Vol. 57, Issue. 5, INFORMS, pp. 934-959, 2011. https://doi.org/10.1287/mnsc.1100.1304
  35. Zhendong Ma, Christian Wagner, Thomas Bleier., Model-driven security for Web services in e-Government system: ideal and real, IEEE, 2011.
  36. Zahid Anwar and Roy Campbell., Automated Assessment Of Compliance With Security Best Practices, IFIP International Federation for Information Processing, Volume 290; Critical Infrastructure Protection II, eds. Papa, M., Shenoi, S., Boston, Springer, pp. 173-187, 2008.
  37. Nicolaysen T., Sassoon R., Line M. B, Jaatun M. G., Agile Software Development: The Straight and Narrow Path to Secure Software?, International Journal of Secure Software Engineering, Vol. 1, Issue 3, pp.71-85, 2010. https://doi.org/10.4018/jsse.2010070105
  38. Lane A.,Agile Development, Security Fail, RSA Conference Europe, 2011.
  39. Siponen M., Baskerville R. and Kuivalainen T., Integrating Security into Agile Development Methods, Proceedings IEEE 38th Hawaii International Conference on System Sciences, pp. 7695-2268, 2005.
  40. Dejan Baca, Bengt Carlsson.,Agile development with security engineering activities, Proceeding, ICSSP'11 Proceedings of International Conference on Software and Systems Process, 2011.
  41. Gencer Erdogan, Per Hakon Meland, and Derek Mathieson., Security Testing in Agile Web Application Development - A Case Study Using the East Methodology. XP, LNBIP , Springer-Verlag Berlin Heidelberg ,48, pp. 14-27, 2010.
  42. Neugent W.,Teaching Computer Securitv: A Course Outline, Computers and Security, vol. 1, pp. 152-163, 1982. https://doi.org/10.1016/0167-4048(82)90008-6
  43. Mikko Siponena, Richard Baskervilleb and Tapio Kuivalainena., Integrating Security into Agile Development Methods, Proceedings of the 38th Hawaii International Conference on System Sciences , 2005.
  44. Hossein Keramati, Seyed-Hassan Mirian-Hosseinabadi., Integrating Software Development Security Activities with Agile Methodologies, IEEE, 2008.
  45. Min, Liu Qiong-mei, Wang Cheng., Practices of Agile Manufacturing Enterprise Data Security and Software Protection, 2nd International Conference on Industrial Mechatronics and Automation, 2010.
  46. Rick Dove., Pattern Qualifications And Examples Of Next-Generation Agile System-Security Strategies, IEEE, 2010.
  47. Steffen Bartsch., Practitioners' Perspectives on Security in Agile Development, Sixth International Conference on Availability, Reliability and Security, 2011.
  48. Highsmith J.,What Is Agile Software Development?, Boston, Crosswalk, 2002
  49. Shore J. andWarden S. 2007.," The Art Of Agile Development", USA O'Reilly, 2007.
  50. Gregorio D., How the Business Analyst Supports and Encourages Collaboration on Agile Projects, Massachusetts, 2012.
  51. Post g. v. and Karen-Ann K. "Accessibility vs.Security: A Look at the Demand for Computer Security," Computers and Security, vol.10,pp.331-344, 2007.
  52. John Steven.,"Security Testing of Internal Tools," Basic Training, 2007.
  53. Qiu-Hong Wang, Wei T. Yue, Kai-Lung Hui,"Do Hacker Forums Contribute to Security Attacks?," WEB, 2011.
  54. Spruit M. E. M. and Looijen M., "IT security in Dutch practice," Computers and Security, vol. 15, No. 2, pp. 157-170, 1996. https://doi.org/10.1016/0167-4048(96)00001-6
  55. Brian Chess, Brad Arkin.,Software Security in Practice, Build in Security, 2011.
  56. Richard Stanley., "Information Security. Cybercrimes: A Multidisciplinary Analysis," Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 95-126, 2010.
  57. Siponen M., Baskerville R. and Kuivalainen T.:Integrating Security into Agile Development Methods, Proceedings IEEE 38th Hawaii International Conference on System Sciences, pp. 7695-2268, 2005.
  58. Valcke P. and Dumortier J., 2012] Valcke P. and Dumortier J.:Trust in the information society - In search of trust generating. Computer law and security review, vol. 28, pp. 504-512, 2012. https://doi.org/10.1016/j.clsr.2012.07.008
  59. Brian Chess, Brad Arkin.: Software Security in Practice, Build in Security, 2011.
  60. Gary McGraw," Software Security, Building Security In," Addison-Wesley Professional, 2006.
  61. Vibhu Saujanya Sharma, Kishor S. Trivedi," Architecture Based Analysis of Performance, Reliability and Security of Software Systems," WOSP , 2005.
  62. Michael Dalton, Hari Kannan, Christos Kozyrakis," Raksha: A Flexible Information Flow Architecture for Software Security," ISCA, 2007.
  63. Spyros T. Halkidis, Nikolaos Tsantalis, Alexander Chatzigeorgiou,George Stephanides," Architectural Risk Analysis of Software Systems Based on Security Patterns." IEEE Transactions On Dependable And Secure Computing, Vol. 5, No. 3, 2008.
  64. Jay-Evan J. Tevis, John A. Hamilton, Jr,"A Security-centric Ring-based Software Architecture." SpringSim , Vol. 2, 2007
  65. Pratyusa K. Manadhata, Jeannette M. Wing,"An Attack Surface Metric." IEEE Transactions On Software Engineering, Vol. 37, No. 3, 2011.
  66. Rhoden E., "People and processes - The Key Elements to Information Security,"Computer Fraud and Security, Volume,Issue: 6, pp. 14-15, 2002.
  67. Ashraf Ferdouse Chowdhury, Mohammad Nazmul Huda, "Comparison between Adaptive Software Development andFeature Driven Development" International Conference on Computer Science and Network Technology, 2011.
  68. Stephen.R.Palm,"Feature-Driven Development-Practices," A Practical Guide to Feature-Driven Development, Chap.3, pp. 35-54, 2002
  69. Konstantin Beznosov,Brian Chess,"An Industry Perspective on the Secure-Software Challenge, " Security for the Rest of Us,2008.
  70. Davide Balzarotti, Greg Banks, Marco Cova, Viktoria Felmetsger, Richard A. Kemmerer, William Robertson ,Fredrik Valeur, and Giovanni Vigna," An Experience in Testing the Security of Real-World Electronic Voting Systems," IEEE Transactions On Software Engineering, vol. 36, no. 4, pp. 453-473, 2010. https://doi.org/10.1109/TSE.2009.53
  71. Scott Knight , Scott Buffett, Patrick C. K. Hung," The International Journal of Information Security Special Issue on privacy, security and trust technologies and E-business services," International Journal of Information Security, vol. 6, no. 5, pp. 285-286, Jul. 2007. https://doi.org/10.1007/s10207-007-0036-8
  72. Carlos Becker Westphall, Peter Mueller,"Management of Security and Security for Management Systems, " Guest Editorial, 2010.
  73. Yves Le Roux,"Information Security Governance for Executive Management, "Securing Electronic Business Processes, 2007.
  74. Frank Innerhofer-Oberperfler ,Markus Mitterer, Michael Hafner and Ruth Breu,"A methodical Approach and case study," 2010.
  75. Scott Knight, Scott Buffett,Patrick C. K. Hung," The International Journal of Information Security Special Issue on privacy, security and trust technologies and E-business services, " Guest Editors'Introduction,2007.
  76. Dejan Baca, Bengt Carlsson, Kai Petersen and Lars Lundberg," Improving software security with static automated code analysis in an industry setting, " Software Practice And Experience, 2012.
  77. Leach J," TBSE and engineering approach to the design of accurate and reliable security systems, " Computers and Security, vol. 23, pp. 22-28, 2004. https://doi.org/10.1016/S0167-4048(04)00069-0
  78. John B. Dickson,"Software Security: Is OK Good Enough?, " CODASPY,2011.
  79. Ann E.K. Sobel, Gary McGraw," Interview:Software Security In The Real World, " Software Assurance, 2010.
  80. W. AI-Salihy, Jannet Ann, R. Sures," Effectivess of Information Systems Security in IT Organizations" in Malaysia, IEEE,2003
  81. Sanjay Bahl, O P Wali, Ponnurangam Kumaraguru," Information Security Practices Followed in the Indian Software Services Industry: An Exploratory Study, " EWI, 2011.
  82. C. Banerjee1, S. K. Pandey," Research on Software Security Awareness: Problems and Prospects, " ACM SIGSOFT Software Engineering Notes, 2010.
  83. Karadsheh L. :Applying security policies and service level agreement to IaaS service model to enhance security and transition, Computers And Security," vol. 31, pp. 315-326, 2012. https://doi.org/10.1016/j.cose.2012.01.003
  84. Stephen.R.Palm,"Feature-Driven Development-Practices, "A Practical Guide to Feature-Driven Development, Chap.3, pp. 35-54, 2002
  85. John Steven,"Security Testing of Internal Tools, " Basic Training, 2007
  86. Kruys J. P. " Security of Open Systems. Computers and Security", vol. 8, pp. 139-147, 1989 https://doi.org/10.1016/0167-4048(89)90069-2
  87. Kyung Cheol Choi and Gun Ho Lee," Automatic Test Approach of Web Application for Security, " ICCSA, pp. 659-668, 2006.
  88. Haralambos Mouratidis and Paolo Giorgini," Secure Tropos: a Security-Oriented Extension of the Tropos Methodology, " International Journal of Software Engineering and Knowledge Engineering , Vol. 17, pp.285-309, 2007 https://doi.org/10.1142/S0218194007003240
  89. Aaron Marback, Hyunsook Do, Ke He, Samuel Kondamarri and Dianxiang Xu," A threat model-based approach to security testing, " Software Practice Expert, JohnWiley & Sons, Ltd. ,2012
  90. Venter H.S. and Eloff J.H.P. "A taxonomy for information security technologies, " Computers and Security, Vol. 22, Issue: 4, Pages: 299-307, 2003 https://doi.org/10.1016/S0167-4048(03)00406-1
  91. Purser S. A. "Improving the ROI of the security management process, " Computers and Security, vol. 23, pp. 542-546, 2004. https://doi.org/10.1016/j.cose.2004.09.004
  92. Hone K. and Eloff J.H.P. "Information security policy - what do international information security standards say?, "Computers and Security, pp. 402-409, 2002
  93. S. Rehman & K. Mustafa," Research on Software Design Level Security Vulnerabilities, "ACM SIGSOFT Software Engineering Notes, Vol. 34, Number 6, 2009.
  94. Dlaminia M. T., Eloffa J. H. P., Eloffb M. M. "Information security: The moving target, " Computers & Security, vol. 28, pp. 189-198,2004.
  95. Daniel Mellado, Eduardo Fernandez-Medina, Mario Piattini," A Comparison of Software Design Security Metrics, " ECSA,2010.
  96. Abdullahi SaniAdila FirdausSeung Ryul JeongImran Ghani, A Review on Software Development Security Engineering using Dynamic System Method (DSDM), International Journal of Computer Applications, Volume 69 - Number 25, 2013.
  97. Imran Ghani, Izzaty Yasin, Software Security Engineering in eXtreme Programming Methodology: a Systematic Literature Review,S ci.Int. (Lahore), 25(2), 215-221,2013.
  98. Coad, P., Lefebvre, E. & De Luca, J. Java Modeling In Color With UML: Enterprise Components and Process. Prentice Hall International. (ISBN 0-13-011510-X), 1999.
  99. Palmer, S.R., & Felsing, J.M. A Practical Guide to Feature-Driven Development. Prentice Hall. (ISBN 0-13-067615-2), 2002.
  100. http://www.skillresource.com, accessed on 03, December 2013.

Cited by

  1. A Survey-based Analysis of Agile Adoption on Performances of IT Organizations vol.16, pp.5, 2015, https://doi.org/10.7472/jksii.2015.16.5.87
  2. The practice of secure software development in SDLC: an investigation through existing model and a case study vol.9, pp.18, 2016, https://doi.org/10.1002/sec.1700
  3. Challenges and Solutions for Addressing Software Security in Agile Software Development : A Literature Review and Rigor and Relevance Assessment vol.9, pp.1, 2014, https://doi.org/10.4018/ijsssp.2018010101