ABSTRACT
In this paper, we present an approach that we have used to address security when running projects according to agile principles. Misuse stories have been added to user stories to capture malicious use of the application. Furthermore, misuse stories have been implemented as automated tests (unit tests, acceptance tests) in order to perform security regression testing. Penetration testing, system hardening and securing the deployment were started in early iterations of the project.
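As an added illustration of the practice the abstract describes (this is not code from the paper, and the misuse stories, the login implementations and the lockout policy are constructed for the example), the block below writes two misuse stories for a web login, the "before" login they succeed against and the hardened login they must keep failing against, and wires them into a unittest suite so that the stories act as security regression tests in every iteration:

```python
"""Misuse stories as automated security regression tests (constructed example).

Two misuse stories, written next to the "user logs in" user story:

  MS-1  As an attacker, I want to submit SQL syntax in the username field
        so that the login query returns a row I control and I log in as
        another user without knowing her password.
  MS-2  As an attacker, I want to guess passwords without limit so that I
        can brute-force an account.

Each story becomes a test that must keep passing (i.e. the attack must keep
failing) in every iteration.  The account, the lockout threshold and both
login implementations are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
import sqlite3
import unittest

MAX_FAILURES = 5  # MS-2: lock the account after this many bad passwords (assumed policy)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account: alice / s3cret."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, "
                 "pw_hash BLOB, failures INTEGER DEFAULT 0)")
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
                 ("alice", salt, _hash("s3cret", salt)))
    return conn


def login_vulnerable(conn, username, password):
    """Before: username is spliced into the SQL text; failures are not counted."""
    row = conn.execute(
        f"SELECT name, salt, pw_hash FROM users WHERE name = '{username}'"
    ).fetchone()
    if row is None:
        return None
    name, salt, pw_hash = row
    return name if hmac.compare_digest(_hash(password, salt), pw_hash) else None


def login_hardened(conn, username, password):
    """After: parameterised query plus a failure counter and lockout."""
    row = conn.execute(
        "SELECT name, salt, pw_hash, failures FROM users WHERE name = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    name, salt, pw_hash, failures = row
    if failures >= MAX_FAILURES:
        return None  # locked: even the correct password is refused
    if hmac.compare_digest(_hash(password, salt), pw_hash):
        conn.execute("UPDATE users SET failures = 0 WHERE name = ?", (name,))
        return name
    conn.execute("UPDATE users SET failures = failures + 1 WHERE name = ?", (name,))
    return None


def injection_payload(target: str, password: str) -> str:
    """MS-1 payload: a UNION row carrying the attacker's own salt and hash.

    Hashing the stored password does not help here: the attacker supplies the
    salt and hash the vulnerable code will compare against.
    """
    salt = b"\x00"
    return (f"' UNION SELECT '{target}', X'{salt.hex()}', "
            f"X'{_hash(password, salt).hex()}' --")


def run_misuse_stories(login):
    """Execute both misuse stories against a login function.

    Returns {story: True if the attacker succeeded}.  A secure implementation
    yields False for every story.
    """
    conn = make_db()
    ms1 = login(conn, injection_payload("alice", "pwned"), "pwned")
    conn = make_db()
    for _ in range(MAX_FAILURES):
        login(conn, "alice", "wrong")
    ms2 = login(conn, "alice", "s3cret")  # correct password after a burst of failures
    return {"MS-1 sql injection bypass": ms1 == "alice",
            "MS-2 unlimited guessing": ms2 == "alice"}


class MisuseStoryRegressionTests(unittest.TestCase):
    """Run in CI every iteration: a passing suite means every story still fails."""

    def test_user_story_login_still_works(self):
        self.assertEqual(login_hardened(make_db(), "alice", "s3cret"), "alice")

    def test_misuse_stories_fail_against_hardened_login(self):
        for story, attacker_won in run_misuse_stories(login_hardened).items():
            self.assertFalse(attacker_won, story)


if __name__ == "__main__":
    unittest.main()
```

Running the same `run_misuse_stories` against `login_vulnerable` reports both stories as successful attacks, which is what the test suite is there to catch if a later refactoring reintroduces string-built SQL or drops the lockout; the same story text can be reused verbatim as an acceptance test driven through the HTTP login form rather than the function.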
Index Terms
- Towards agile security in web applications