http://dx.doi.org/10.7472/jksii.2014.15.1.13

A Systematic Literature Review on Secure Software Development using Feature Driven Development (FDD) Agile Model  

Arbain, Adila Firdaus (Faculty of Computing, Dept. of Software Engineering, Universiti Teknologi Malaysia)
Ghani, Imran (Faculty of Computing, Dept. of Software Engineering, Universiti Teknologi Malaysia)
Jeong, Seung Ryul (Graduate School of Business IT, Kookmin University)
Publication Information
Journal of Internet Computing and Services, vol. 15, no. 1, 2014, pp. 13-27
Abstract
Agile methodologies have gained recognition as efficient development processes through their quick delivery of software, even under time constraints. However, like other agile methods such as Scrum, Extreme Programming (XP) and the Dynamic Systems Development Method (DSDM), Feature Driven Development (FDD) has been criticized for the absence of security elements in its twelve practices. To examine this matter more closely, we conducted a systematic literature review (SLR) covering the literature published in the years 2001-2012. Our findings highlight that, in its current form, the FDD model only partially supports the development of secure software. There is, however, little research on this topic, as detailed information about the practice of secure software development is rarely published. We therefore conclude that the existing five phases of FDD have so far not been sufficient to develop secure software. For this reason, a security-based phase and security practices for FDD need to be proposed.
Keywords
Agile Methodology; Security; Software Engineering; Feature Driven Development;