This document outlines a research proposal to enhance agile software development approaches to integrate security when developing digital services. The researcher aims to identify security challenges and benefits related to changes in software. They will use agent-oriented modeling techniques to link security attributes to goals and principles. A case study of university software projects in Afghanistan will be used to analyze how challenges can be isolated from XP practices and benefits incorporated. The relationship between software changes, agile practices, and security will be examined. This will help answer how to holistically integrate security into XP practices for developing secure digital services.
Towards Secure Agile Agent-Oriented Digital Services
1. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
1
Towards Secure Agile Agent-Oriented System Design
Hassan Adelyar, PhD Student, Tallinn University
Supervisor: Alexander Norta PhD., Senior Researcher of Tallinn University of
Technology
March 2015
2. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
2
Aim of this Research
To enhance agile software development approaches for
developing secure digital services using agent-oriented
modelling techniques.
Our main objectives are:
To identifying security challenges / benefits of agile
during changes to software.
To isolate security challenges from agile practices.
To integrate security benefits into agile practices.
(See agile practices in appendix A)
3. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
3
Agenda
Introduction
Agile Software Development Approach
Software Security
Advancements of the State of the Art
Analysis of the Literature
Our Proposed Approach
Relationship between changes-to-software, agile and security
Methodology
Conclusion
Bibliography
Appendices
5. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
5
Agile Software Development Approach
Software Development Approaches:
Plan-driven (Waterfall)
Incremental (Agile)
Agile is a common software development approach.
Focus on delivering working software to customers.
Incremental development method, each increment
contain new functionality.
Adaptive to support continuous changes at any stage of
software development.
6. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
6
Agile Manifesto
Individuals and interactions over processes and
tools
Working software over comprehensive
documentation
Customer collaboration over contract
negotiation
Responding to change over following a plan
7. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
7
Software Security
Describes techniques that control who may use,
modify or access the software.
Secure system is able to prevent all unauthorized
use, modification and access of software.
8. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
8
Security Attributes [1]:
• Un-exposure of software execution to unauthorized.
• Un-exposure of code to unauthorized.
Confidentiality
• Software work accordance to its designer desire
• Adversaries should not be able to tamper with a
program and cause sub-sequent execution to produce
incorrect output.
Integrity
• Be available when needed
• Execute in a predictable way
• Deliver results in a predictable time frame
Availability
9. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
9
Importance of Security
Software is a critical component for all systems.
Cloud based systems.
Agile is suitable for cloud based systems.
The Internet of Things (IoT) is also governed by cloud
based systems [15].
Sociotechnical systems and service oriented computing
mostly depend on secure digital services.
Absence of security in these systems can be
catastrophic.
10. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
10
On the other hand, agility in the digital services
development process does not embrace security practices
[2].
Security is difficult to achieve in a software system
because of a wide range of security properties and
continuous changes of security threats.
Regardless, it is possible to enhance the agile software
development process for secure software production.
11. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
11
Advancements for the State of the Art
12. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
12
Many researchers contribute in various ways to
secure agile software development processes.
Their studies and methods differ with respect to
where and how to integrate security into agile
software development approaches.
13. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
13
Analysis of the Previous Researches
Categories (From 21 articles):
Studying / Examining / Analyzing / Explaining XP
(Extreme Programming) for security (9 articles) [3], [20],
[13], [4], [21], [26], [12], [24],[25].
Integrating Security into a Specific Practice of XP (4
articles) [7], [14], [19], [9].
Integrating Security in all Lifecycle of Software
Development (2 articles) [23], [6].
Framework and Model for Security Guidelines (4
articles) [11], 17], [8], [10].
Other Agile Method (2 article) [27], [28].
14. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
14
The relevant papers lack a holistic review of security challenges
and benefits in XP’s practices.
Since security is an emergent system property [30] which means
properties of the system as a whole, depend on both the system
components and the relationships between them and can only be
evaluated once the system has been assembled.
Therefore it is not a good idea to apply security mechanisms only at
some practices.
The Microsoft SDL from agile viewpoint is heavyweight because it
was design to secure very large product such as Windows and
Office with long development cycles.
15. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
15
Our Proposed Approach
16. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
16
The aim of our PhD research is to:
To Enhance agile software development
approaches for secure digital services using
agent-oriented modelling techniques.
The enhancement we study through the adaptation
of extreme programming (XP) practices for the
development of secure digital services.
17. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
17
The angle of our research is the analysis of the
relationship between:
Software and changes
Need to changes
Agile and changes
Security attributes and changes ?
Security principles and changes?
Agile practices and changes ?
18. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
18
Agent-oriented models allow to attach quality goals to
goal model and constraints to role model.
For our research we use goal model, knowledge model,
role model and behavior scenario of agent-oriented
modelling technique.
We link security attributes to goal model and security
principles to knowledge model. We also benefit from role
model and behavior scenarios to identify challenges and
benefits and then properly relate them to XP practices.
19. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
19
Relationship
Changes
Need for
Changes
Software
Agile
Security
Attributes
Security
Principles
XP
Practices
21. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
21
Research Question
The main objective of our research is to enhance agile
software development approaches for digital services
security.
We identify the security challenges and benefits of XP-
practices that relate to the “embrace-changes” principle of
agile. Then the challenges can be isolated from XP
practices and benefits can be integrated into XP
practices.
Our objective is refined into the following main research
question:
22. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
22
“How to enhance / improve XP practices for holistically
integrating the security of digital services”.
The main research question is divided into the following
sub-questions:
Q1) How to identify security challenges / benefits
during the changes to software?
Q2) How to isolate / avoid security challenges from XP
practices?
Q3) How to incorporate security benefits into XP
practices?
23. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
23
q.1: What are security challenges for the response-to-
changes?
q.2: What are security benefits for response-to-changes?
q.3: Which security attributes are affected by these
challenges and benefits?
24. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
24
For answering these question we conduct a case-study
research approach [10].
During the case study we intend to evaluate, and analyze
the relative roles of the following aspects in an agile
software-development process:
Software security attributes
General security principles
Agile “embrace-changes” challenges
Agile “embrace-changes” benefits
XP practices
25. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
25
Data Collection
Our case studies focus on practical software projects for
universities in Afghanistan.
Assets for our case study are student data, passwords and
software code that need to be secure.
During the case study, we conduct qualitative interviews
and brainstorming sessions for identifying and discussing
intangible assets with the management.
26. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
26
The main steps in our case study:
1) We study the negative and positive effects of
changes on the security-attributes based on the
security principles.
From the observation of the “changes-to-
software”, we deduce hypotheses for security
challenges and benefits. When a hypothesis is
confirmed either as a security-challenge or
security-benefits, we categorize it based on the
security attributes.
27. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
27
The result of this step is two separate sets of
challenges and benefits in the form of theories.
At the same time these two opposite sets of
theories support theory triangulation that is
necessary for qualitative case study research.
28. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
28
2) The confirmed challenges are new hypotheses
and through the observation process they are
related to a specific XP practice(s). At this point,
we are able to isolate these challenges from XP
practices.
3) The confirmed benefits are also treated as new
hypotheses and through the observation process
they are related to a specific XP practice(s). At
this point, we are able to incorporate them into
XP practices.
29. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
29
Data Analysis
Since we conduct qualitative case studies, therefore, a
qualitative data analysis method is used for all the above
three cases.
We categorize the challenges and benefits based on the
security attributes and our decision is based on security
principles.
During the analysis we try to derive conclusions based on
the chains of evidence.
30. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
30
The cases for our study:
Identifying security challenges and benefits,
Isolation of challenges from XP practices,
Incorporation of benefits into XP practices.
Unit of analysis:
Confidentiality
Integrity
Availability
31. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
31
We employ Nvivo as tool support for the analysis.
(Detail in case study protocol)
32. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
32
Conclusion
Agile is a very flexible software development approach and
we seek to use agile for satisfying security as a quality
goal.
By identifying security challenges and benefits of XP’s
practices, in the real-world context, we believe that agile
security improve the development of secure digital
services.
Our initial findings show that changes to software are an
important factor for both security challenges- and
benefits. Identifying security challenges and benefits for
the “embrace-changes” can explore new security insights
in the context of XP’s practices.
33. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
33
We do have a contribution of understanding in that we can
integrate security features into the novel agile agent-
oriented modelling (AAOM) technique and then use this
method for security-aware change management in XP
practices [14].
34. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
34
REFERENCES
1. Algirdas A., Jean-Claude Laprie, Brian Randell, and Carl Landwehr, (2004). Basic
Concepts and Taxonomy of Dependable and Secure Computing. IEEE Transaction
on Dependable and Secure Computing.
2. Bejan Baca. (2011). Agile Development with Security Engineering Activities.
ACM, USA.
3. Beznosov K., (2003). Extreme Security Engineering: On Employing XP Practices
to Achieve “Good Enough Security” without defining it, ACM Press.
4. Chandrabose A. and Alagarsamy K., (2011). Security Requirements Engineering –
A Strategic Approach. International Journal of Computer Applications, Madurai,
India.
5. Charette R., the Decision is in: Agile versus Heavy Methodologies. Agile
development and Project Management, Cutter Consortium, Vol. 2 (19), February
2004.
p
35. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
35
6. Daniel Owens, Integrating Software Security into the Software Development
Lifecycle System Securities. San Diego, CA 92123, USA.
7. Emine G. Aydal, and Richard F., (2006). Security Planning and Refactoring in
Extreme Programming. Department of Computer Science, University of York, UK.
8. Eystein Mathisen, and Terje Fallmyr, Using business process modelling to reduce
the effects of requirements changes in software projects.
9. Gustav Boström, and Beznosov K., Extending XP Practices to Support Security
Requirements Engineering. University of British Columbia, Canada.
10. Haley C. B., Laney R., (2008). Security Requirements Engineering: A Framework
for Representation and Analysis.
11. Imran Daud. (2010). Secure Software Development Model: A Guide for Secure
Software Life Cycle. Proceeding of the International MultiConference of Engineers
and Computer Scientists, IMECS Hong Kong.
p
36. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
36
12. Imran Ghani and Adila Firdaus, (2013). Role-based Extreme Programming (XP)
for Secure Software Development. University Teknologi Malaysia, Skudai,
Malaysia.
13. Imran Ghani and Izzaty Yasin, (2013). Software Security Engineering in Extreme
Programming Methodology: A Systematic Literature Review. Universiti Teknologi
Malaysia, Skudai, Johor, Malaysia.
14. Johan Peeters, Agile Security Requirements Engineering.
15. Ovidiu Vermesan & Peter Friess Internet of Things – From Research and
Innovation to Market Deployment, River Publishers, Chicago, USA, 2014.
16. Per Runeson, Martin Host, and Austen Rainer, (2012), Case Study Research in
Software Engineering. John Wiley & Sons, Inc., Hoboken, New Jersey, USA.
17. Salini P. and Kanmani S., (2010). A Model Based Security Requirements
Engineering Framework. International Journal of Computer Engineering and
Technology (IJCET). Volume 1, Number 1
p
37. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
37
18. Saltzer, Jerome H. & Schroeder, (1975). The Protection of Information in
Computer Systems. 1278-1308. in Proceedings of the IEEE.
19. Sonia Archana Singhal, Jyoti Balwani, (2014). Analysing Security and Software
Requirements using Multi-Layered Iterative Model. Delhi, India.
20. Steffen Bartsch. Practitioners’ Perspectives on Security in Agile Development.
TZI, University of Bremen, Bremen, Germany.
21. Stephen Wood, and Chris Thomson, (2014). Successful extreme programming:
Fidelity to the methodology or good team working? University of Leicester,
Leicester, UK.
22. Tanel Tenso and Kuldar Taveter, Requirements Engineering With Agent-Oriented
Models, Department of Informatics, Tallinn University of Technology.
23. Security Development Lifecycle for Agile Development, 2009 Microsoft
Corporation.
p
38. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
38
24. Christopher Wood & Gregory Knox, (Guidelines for Agile Security Requirements
Engineering.
25. George Grispos & William Bradley Glisson, Rethinking Security Incident
Response: The Integration of Agile Principles, AMCIS 2014.
26. J. Wäyrynen, M. Bodén, and G. Boström, "Security Engineering and eXtreme
Programming: an Impossible marriage?," in Extreme programming and agile
methodsXP/Agile Universe 2004, C. Zannier, H. Erdogmus, and L. Lindstrom,
Eds. LNSC3134, Berlin: Springer-Verlag, 2004, pp. 117-128.
27. Adila Firdaus, Imran Ghani, and Nor Izzaty Mohd Yasin, Developing Secure
Websites Using Feature Driven Development (FDD): A Case Study. Journal of
Clean Energy Technologies, Vol. 1, No. 4, October 2013.
28. Abdullahi Sani, Adila Firdaus, Seung Ryul Jeong, Imran Ghani, A Review on
Software Development Security Engineering using Dynamic System Method
(DSDM). International Journal of Computer Applications (0975 – 8887) Volume
69– No.25, May 2013.
29. Ian Sommerville, SOFTWARE ENGINEERING Ninth Edition, Addison-Wesley,
USA, 2011.
p
39. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
39
Appendix A: XP Practices
XP carries out agile principles through its own practices.
There are 12 related practices and works best for small
teams of 5 to 15 developers. The following is the list for
XP practices:
Small release
Simple Design
Planning game
Continuous integration
On-site customer
p
40. Towards Secure Agile Agent-Oriented System Design
4, Mar. 2015
40
Codding standard
Refactoring
Pair programming
Testing
Metaphor
Collective ownership
40-hour weeks
p