Development of Secure Software : Rationale, Standards and Practices

The society is run by software. Electronic processing of personal and financial data forms the core of nearly all societal and economic activities, and concerns every aspect of life. Software systems are used to store, transfer and process this vital data. The systems are further interfaced by other systems, forming complex networks of data stores and processing entities.This data requires protection from misuse, whether accidental or intentional. Elaborate and extensive security mechanisms are built around the protected information assets. These mechanisms cover every aspect of security, from physical surroundings and people to data classification schemes, access control, identity management, and various forms of encryption. Despite the extensive information security effort, repeated security incidents keep compromising our financial assets, intellectual property, and privacy. In addition to the direct and indirect cost, they erode the trust in the very foundation of information security: availability, integrity, and confidentiality of our data. Lawmakers at various national and international levels have reacted by creating a growing body of regulation to establish a baseline for information security. Increased awareness of information security issues has led to extend this regulation to one of the core issues in secure data processing: security of the software itself. Information security contains many aspects. It is generally classified into organizational security, infrastructure security, and application security. Within application security, the various security engineering processes and techniques utilized at development time form the discipline of software security engineering. The aim of these security activities is to address the software-induced risk toward the organization, reduce the security incidents and thereby lower the lifetime cost of the software. Software security engineering manages the software risk by implementing various security controls right into the software, and by providing security assurance for the existence of these controls by verification and validation. A software development process has typically several objectives, of which security may form only a part. When security is not expressly prioritized, the development organizations have a tendency to direct their resources to the primary requirements. While producing short-term cost and time savings, the increased software risk, induced by a lack of security and assurance engineering, will have to be mitigated by other means. In addition to increasing the lifetime cost of software, unmitigated or even unidentified risk has an increased chance of being exploited and cause other software issues. This dissertation concerns security engineering in agile software development. The aim of the research is to find ways to produce secure software through the introduction of security engineering into the agile software development processes. Security engineering processes are derived from extant literature, industry practices, and several national and international standards. The standardized requirements for software security are traced to their origins in the late 1960s, and the alignment of the software engineering and security engineering objectives followed from their original challenges to the current agile software development methods. The research provides direct solutions to the formation of security objectives in software development, and to the methods used to achieve them. It also identifies and addresses several issues and challenges found in the integration of these activities into the development processes, providing directly applicable and clearly stated solutions for practical security engineering problems. The research found the practices and principles promoted by agile and lean software development methods to be compatible with many security engineering activities. Automated, tool-based processes and the drive for efficiency and improved software quality were found to directly support the security engineering techniques and objectives. Several new ways to integrate software engineering into agile software development processes were identified. Ways to integrate security assurance into the development process were also found, in the form of security documentation, analyses, and reviews. Assurance artifacts can be used to improve software design and enhance quality assurance. In contrast, detached security engineering processes may create security assurance that serves only purposes external to the software processes. The results provide direct benefits to all software stakeholders, from the developers and customers to the end users. Security awareness is the key to more secure software. Awareness creates a demand for security, and the demand gives software developers the concrete objectives and the rationale for the security work. This also creates a demand for new security tools, processes and controls to improve the efficiency and effectiveness of software security engineering. At first, this demand is created by increased security regulation. The main pressure for change will emanate from the people and organizations utilizing the software: security is a mandatory requirement, and software must provide it. This dissertation addresses these new challenges. Software security continues to gain importance, prompting for new solutions and research.Ohjelmistot ovat keskeinen osa yhteiskuntamme perusinfrastruktuuria. Merkittävä osa sosiaalisesta ja taloudellisesta toiminnastamme perustuu tiedon sähköiseen käsittelyyn, varastointiin ja siirtoon. Näitä tehtäviä suorittamaan on kehitetty merkittävä joukko ohjelmistoja, jotka muodostavat mutkikkaita tiedon yhteiskäytön mahdollistavia verkostoja. Tiedon suojaamiseksi sen ympärille on kehitetty lukuisia suojamekanismeja, joiden tarkoituksena on estää tiedon väärinkäyttö, oli se sitten tahatonta tai tahallista. Suojausmekanismit koskevat paitsi ohjelmistoja, myös niiden käyttöympäristöjä ja käyttäjiä sekä itse käsiteltävää tietoa: näitä mekanismeja ovat esimerkiksi tietoluokittelut, tietoon pääsyn rajaaminen, käyttäjäidentiteettien hallinta sekä salaustekniikat. Suojaustoimista huolimatta tietoturvaloukkaukset vaarantavat sekä liiketoiminnan ja yhteiskunnan strategisia tietovarantoj että henkilökohtaisia tietojamme. Taloudellisten menetysten lisäksi hyökkäykset murentavat luottamusta tietoturvan kulmakiviin: tiedon luottamuksellisuuteen, luotettavuuteen ja sen saatavuuteen. Näiden tietoturvan perustusten suojaamiseksi on laadittu kasvava määrä tietoturvaa koskevia säädöksiä, jotka määrittävät tietoturvan perustason. Lisääntyneen tietoturvatietoisuuden ansiosta uusi säännöstö on ulotettu koskemaan myös turvatun tietojenkäsittelyn ydintä,ohjelmistokehitystä. Tietoturva koostuu useista osa-alueista. Näitä ovat organisaatiotason tietoturvakäytännöt, tietojenkäsittelyinfrastruktuurin tietoturva, sekä tämän tutkimuksen kannalta keskeisenä osana ohjelmistojen tietoturva. Tähän osaalueeseen sisältyvät ohjelmistojen kehittämisen aikana käytettävät tietoturvatekniikat ja -prosessit. Tarkoituksena on vähentää ohjelmistojen organisaatioille aiheuttamia riskejä, tai poistaa ne kokonaan. Ohjelmistokehityksen tietoturva pyrkii pienentämään ohjelmistojen elinkaarikustannuksia määrittämällä ja toteuttamalla tietoturvakontrolleja suoraan ohjelmistoon itseensä. Lisäksi kontrollien toimivuus ja tehokkuus osoitetaan erillisten verifiointija validointimenetelmien avulla. Tämä väitöskirjatutkimus keskittyy tietoturvatyöhön osana iteratiivista ja inkrementaalista ns. ketterää (agile) ohjelmistokehitystä. Tutkimuksen tavoitteena on löytää uusia tapoja tuottaa tietoturvallisia ohjelmistoja liittämällä tietoturvatyö kiinteäksi osaksi ohjelmistokehityksen prosesseja. Tietoturvatyön prosessit on johdettu alan tieteellisestä ja teknillisestä kirjallisuudesta, ohjelmistokehitystyön vallitsevista käytännöistä sekä kansallisista ja kansainvälisistä tietoturvastandardeista. Standardoitujen tietoturvavaatimusten kehitystä on seurattu aina niiden alkuajoilta 1960-luvulta lähtien, liittäen ne ohjelmistokehityksen tavoitteiden ja haasteiden kehitykseen: nykyaikaan ja ketterien menetelmien valtakauteen saakka. Tutkimuksessa esitetään konkreettisia ratkaisuja ohjelmistokehityksen tietoturvatyön tavoitteiden asettamiseen ja niiden saavuttamiseen. Tutkimuksessa myös tunnistetaan ongelmia ja haasteita tietoturvatyön ja ohjelmistokehityksen menetelmien yhdistämisessä, joiden ratkaisemiseksi tarjotaan toimintaohjeita ja -vaihtoehtoja. Tutkimuksen perusteella iteratiivisen ja inkrementaalisen ohjelmistokehityksen käytäntöjen ja periaatteiden yhteensovittaminen tietoturvatyön toimintojen kanssa parantaa ohjelmistojen laatua ja tietoturvaa, alentaen täten kustannuksia koko ohjelmiston ylläpitoelinkaaren aikana. Ohjelmistokehitystyön automatisointi, työkaluihin pohjautuvat prosessit ja pyrkimys tehokkuuteen sekä korkeaan laatuun ovat suoraan yhtenevät tietoturvatyön menetelmien ja tavoitteiden kanssa. Tutkimuksessa tunnistettiin useita uusia tapoja yhdistää ohjelmistokehitys ja tietoturvatyö. Lisäksi on löydetty tapoja käyttää dokumentointiin, analyyseihin ja katselmointeihin perustuvaa tietoturvan todentamiseen tuotettavaa materiaalia osana ohjelmistojen suunnittelua ja laadunvarmistusta. Erillisinä nämä prosessit johtavat tilanteeseen, jossa tietoturvamateriaalia hyödynnetään pelkästään ohjelmistokehityksen ulkopuolisiin tarpeisiin. Tutkimustulokset hyödyttävät kaikkia sidosryhmiä ohjelmistojen kehittäjistä niiden tilaajiin ja loppukäyttäjiin. Ohjelmistojen tietoturvatyö perustuu tietoon ja koulutukseen. Tieto puolestaan lisää kysyntää, joka luo tietoturvatyölle konkreettiset tavoitteet ja perustelut jo ohjelmistokehitysvaiheessa. Tietoturvatyön painopiste siirtyy torjunnasta ja vahinkojen korjauksesta kohti vahinkojen rakenteellista ehkäisyä. Kysyntä luo tarpeen myös uusille työkaluille, prosesseille ja tekniikoille, joilla lisätään tietoturvatyön tehokkuutta ja vaikuttavuutta. Tällä hetkellä kysyntää luovat lähinnä lisääntyneet tietoturvaa koskevat säädökset. Pääosa muutostarpeesta syntyy kuitenkin ohjelmistojen tilaajien ja käyttäjien vaatimuksista: ohjelmistojen tietoturvakyvykkyyden taloudellinen merkitys kasvaa. Tietoturvan tärkeys tulee korostumaan entisestään, lisäten tarvetta tietoturvatyölle ja tutkimukselle myös tulevaisuudessa

Aligning Security Objectives With Agile Software Development

Success of the software development process is defined by its ability to transform the business objectives into requirements, and these further into features and functionality. In addition to business objectives, software development also has security objectives requiring security engineering activities. In contrast to the iterative and incremental software development process, software security engineering is defined by sequential life cycle models: security and business objectives are thus implemented using conflicting approaches. To identify the incompatibilities between the methodologies, in this study the security engineering activities are mapped into common agile software development practises, processes and artifacts. Security engineering activities from Microsoft SDL, the ISO Common Criteria and OWASP SAMM security development lifecycle models are mapped into common agile processes, practises and artifacts. The organizational and technical aspects of the mapping are considered primarily from the point of view of achieving the security objectives set for the software engineering process: setting security requirements for design, their implementation and verification, and releasing secure software through efficient software security development process.acceptedVersionPeer reviewe

A Novel Practice-Based Process Model for Secure Agile Software Development

Nigeria is ranked second globally after India in reported incidences of cyberattacks. Attackers usually exploit vulnerabilities in software which may not have considered security features during the development process. Agile methodologies are a well-established paradigm in the software development field. Its adoption has contributed to improving software quality. However, agile software products remain vulnerable to security challenges and susceptible to cyberattacks. Agile methods also tend to neglect non-functional requirements such as security. Despite its significance, there is paucity of research addressing security. The problem tackled in this research is the lack of security practices integration in agile software development. Thus, this thesis aims to improve security of the software development process when using agile methods through the developed secure process model.The methodology arising from the research context is a multi-methods qualitative approach divided into four phases involving 35 practitioners from 17 organisations. The first phase describes an exploratory case study conducted to empirically explore the agile security practices adopted by software developers and security professionals in United Kingdom (UK). The second phase involves conducting semi-structured interviews to investigate the impact of regulatory policy for building secure agile software in Nigeria. The third phase developed a novel practice-based agile software development process model derived from the results of the interview data analysis conducted. Finally, the model was preliminarily validated through a focus group comprising of 5 senior agile cybersecurity professionals to evaluate its relevancy and novelty. The focus group was conducted online, comprising predominantly UK practitioners previously interviewed, along with a few participants who were not involved in the earlier stages of data collection. The model was also applied at a Nigerian company involved in secure agile software development.Using the adopted methodology, this thesis presents a taxonomy of security practices identified in the UK research sites. They were categorized according to agile use in organisation - roles, ceremonies, and artefacts. Based on the analysis of interviews conducted in Nigeria, a grounded theory of the security challenges confronting agile practitioners was also developed which was termed Policy Adherence Challenges (PAC) model. The four challenges identified are: (a) a lack of collaboration between security and agile teams; (b) the tendency to use foreign software hosting companies; (c) a poor cybersecurity culture; and (d) the high cost of building secure agile software. Also, the model developed in this thesis used swim lane diagrams to highlight the process flow of security activities. 24 security practices were identified and organized into a process flow. The practices were mapped onto five swim lanes each representing an agile role. The preliminary model evaluation conducted through a focus group workshop proposed a new practice, in response to an observed lack of collaborative ceremonies, to disseminate awareness of and hence compliance with security standards. Further evaluation of the secure process model led to several positive changes in the chosen organisation. These include enhanced collaboration through introducing security retrospectives sessions, intervention to reduce manager’s work tasks by introducing a security champion role, action to enhance team security competence by reducing collaborative gap with senior roles which form mitigation mechanisms to improve regulatory compliance in the global south context. This research recommends practitioners integrate practices such as the proposed “compliance sprint” to improve the security of their products thereby reducing the incidences of cyberattacks. Also, there is need for government action by creating the enabling environment to ensure compliance to regulatory policies and security standards for practitioners developing secure software products

A software development methodology for solo software developers: leveraging the product quality of independent developers

Software security for agile methods, particularly for those designed for individual developers, is still a major concern. With most software products deployed over the Internet, security as a key component of software quality has become a major problem. In addressing this problem, this research proposes a solo software development methodology (SSDM) that uses as minimum resources as possible, at the same time conforming to the best practice for delivering secure and high-quality software products. Agile methods have excelled on delivering timely and quality software. At the same time research also shows that most agile methods do not address the problem of security in the developed software. A metasynthesis of SSDMs conducted in this thesis confirmed the lack practices that promote security in the developed software product. On the other hand, some researchers have demonstrated the feasibility of incorporating existing lightweight security practices into agile methods. This research uses Design Science Research (DSR) to build, demonstrate and evaluate a lightweight SSDM. Using an algorithm adapted for the purpose, the research systematically integrates lightweight security and quality practices to produce an agile secure-solo software development methodology (Secure-SSDM). A multiple-case study in an academic and industry setting is conducted to demonstrate and evaluate the utility of the methodology. This demonstration and evaluation thereof, indicates the applicability of the methodology in building high-quality and secure software products. Theoretical evaluation of the agility of the Secure-SSDM using the four-dimensional analytical tool (4-DAT) shows satisfactory compliance of the methodology with agile principles. The main contributions in this thesis are: the Secure-SSDM, which entails description of the concepts, modelling languages, stages, tasks, tools and techniques; generation of a quality theory on practices that promote quality in a solo software development environment; adaptation of Keramati and Mirian-Hosseinabadi’s algorithm for the purposes of integrating quality and security practices. This research would be of value to researchers as it introduces the security component of software quality into a solo software development environment, probing more research in the area. To software developers the research has provided a lightweight methodology that builds quality and security into the product using minimum resources.School of ComputingD. Phil. (Computer Science