Handbook of The Secure Agile Software Development Life Cycle
This work was supported by TEKES as part of the Cloud Software Program of DIGILE (Finnish Strategic Centre for Science, Technology and Innovation in the field of ICT and digital business).
Handbook of the Secure Agile Software Development Life Cycle
Publisher: University of Oulu, 2014
Editors: Pekka Pietikäinen, Juha Röning
Authors: Jouko Ahola, Christian Frühwirth, Marko Helenius, Lea Kutvonen, Juho Myllylahti, Timo Nyberg, Ari Pietikäinen, Pekka Pietikäinen, Juha Röning, Sini Ruohomaa, Camillo Särs, Tuuli Siiskonen, Antti Vähä-Sipilä, Ville Ylimannela
ISBN number: 978-952-62-0341-6
Layout: Paikallinen Mainostoimisto
Juvenes Print Oulu, 2014
Contents
Foreword
Chapter contents
Generic Security User Stories
  Executive summary
  Concepts
  Why Security User Stories?
  Using Generic Security User Stories
  Larger security themes
  Story selection matrix
  The Generic Security User Stories
  Experiences of Using Security User Stories
  References
Security in Agile Product Management
  Executive summary
  Introduction
  Concepts
  Driving security in agile product management
  References
Security activities in scrum control points
  Executive summary
  Scrum control points
  Security requirements and controls
  Security activities within control points
  References
Risk Management
  Executive summary
  Introduction
  Existing frameworks for risk and security management in agile software development
  Challenges and limitations of agile security
  A suggested model for agile security
  References
First Steps to Consider Privacy
  Executive summary
  Introduction
  Concepts
  How to avoid unacceptable risks and how to achieve needed privacy maturity level?
  Experiences and discussion
  References
Security Metrics
  Executive summary
  Introduction
  Metrics Concepts overview
  An iterative process to develop security metrics
  A workshop method to align metrics with measurement objectives
  References
Fuzzing
  Executive summary
  Concepts
  Fuzzing, improving security and agile software development
  Experiences and discussion
  References
Dynamic Trust Management
  Executive summary
  Introduction
  Concepts
  Service ecosystem engineering for trust management
  Experiences and discussion
  Policy configuration
  Input Data
  References
Appendix: Generic Security User Stories
Foreword
"The Cloud Software program (2010-2013) aims to significantly improve the competitive position of Finnish software intensive industry in global markets. According to the 2009 survey most significant factors of competitiveness are: operational efficiency, user experience, web software, open systems, security engineering and sustainable development. Cloud software ties these factors together as software increasingly moves to the web. Cloud Software program especially aims to pioneer in building new cloud business models, lean software enterprise model and open cloud software infrastructure." - Janne Järvinen, Focus Area Director
Software quality problems, wide impact vulnerabilities, phishing, botnets and criminal enterprise have proven that software and system security is not just an add-on despite past focus of the security industry.
Cloud computing introduces a whole ecosystem of clients, services and infrastructure, where trust boundaries are moved even further into components, where physical location or even ownership is unknown. Add-on security therefore becomes more futile than it ever was. There is no place where these add-on components would reside.
Security, trust, dependability and privacy are issues that have to be considered over the whole lifecycle of system and software development, from gathering requirements to deploying the system in practice. Doing this not only makes us safer and more secure but also improves overall system quality and development efficiency.
In the past few years, several initiatives have surfaced to address security in the software development lifecycle. These include prescriptive models from companies, such as Microsoft Security Development Lifecycle (SDL), descriptive activity surveys such as the Building Security In Maturity Model (BSIMM), and even standards, such as the ISO/IEC 27034. Building a mature software security initiative may be expensive. Smaller software vendors, specifically small and medium enterprises, may not be able to afford dedicated resources for their own security initiatives. However, they still need to compete against the larger players.
Many of the recent security initiatives have been relatively open and can be leveraged to help the Finnish Industry and to initiate new business. Finland has pioneered research in Security Metrics, Vulnerability, Managing Complexity, Security as a Quality Aspect and Software Robustness areas. This research can therefore be applied directly to be a part of new, improved SDLs.
There is a desire to improve software and system development life-cycle efficiency so those efforts can drive security and security can support them. Secure Development Lifecycles in Cloud Services require a change of mindset from individual devices or pieces of software, to complex systems, such as Cloud Services, consisting of numerous software components, as well as infrastructure, all of which are developed with varying development life-cycles, and are procured from a variety of sources (e.g., subcontractors and open source for software and, e.g., Amazon EC2 and private clouds for infrastructure). These are then integrated and verified (internally, or using external auditors), and finally deployed.
Ecosystems should be recognized and supported since the secure software development lifecycle is not isolated to the conventional vendors but affects post deployment end-users, 3rd party developers and e.g. carrier partners.