Integrating Software Security into Agile-Scrum Method

  • Received : 2013.11.23
  • Accepted : 2014.01.21
  • Published : 2014.02.27

Abstract

Scrum is one of the most popular and efficient agile development methods. However, like other agile methods such as Extreme Programming (XP), Feature Driven Development (FDD), and the Dynamic Systems Development Method (DSDM), Scrum has been criticized for its lack of support for developing secure software. To address this, in 2011 we published research proposing the idea of a security backlog (SB). This paper continues that research, focusing on an evaluation through an industry-based case study. Our findings show improved agility in Scrum after the integration of the SB. Furthermore, secure software can be developed quickly, even when software requirements change. Based on our experimental findings, we conclude that, when the SB is integrated, it is quite feasible to develop secure software using the agile Scrum model.

Cited by

  1. A Survey-based Analysis of Agile Adoption on Performances of IT Organizations vol.16, pp.5, 2014, https://doi.org/10.7472/jksii.2015.16.5.87
  2. Using Scrum and unified modelling language to analyze and design an automatic course scheduling system vol.42, pp.6, 2014, https://doi.org/10.1080/02533839.2019.1613930