Software security requirements management as an emerging cloud computing service

© 2016 Elsevier Ltd. All rights reserved.Emerging cloud applications are growing rapidly and the need for identifying and managing service requirements is also highly important and critical at present. Software Engineering and Information Systems has established techniques, methods and technology over two decades to help achieve cloud service requirements, design, development, and testing. However, due to the lack of understanding of software security vulnerabilities that should have been identified and managed during the requirements engineering phase, we have not been so successful in applying software engineering, information management, and requirements management principles that have been established for the past at least 25 years, when developing secure software systems. Therefore, software security cannot just be added after a system has been built and delivered to customers as seen in today's software applications. This paper provides concise methods, techniques, and best practice requirements engineering and management as an emerging cloud service (SSREMaaES) and also provides guidelines on software security as a service. This paper also discusses an Integrated-Secure SDLC model (IS-SDLC), which will benefit practitioners, researchers, learners, and educators. This paper illustrates our approach for a large cloud system Amazon EC2 service

Security in agile software development: A practitioner survey

Context: Software security engineering provides the means to define, implement and verify security in software products. Software security engineering is performed by following a software security development life cycle model or a security capability maturity model. However, agile software development methods and processes, dominant in the software industry, are viewed to be in conflict with these security practices and the security requirements. Objective: Empirically verify the use and impact of software security engineering activities in the context of agile software development, as practiced by software developer professionals. Method: A survey (N=61) was performed among software practitioners in Finland regarding their use of 40 common security engineering practices and their perceived security impact, in conjunction with the use of 16 agile software development items and activities. Results: The use of agile items and activities had a measurable effect on the selection of security engineering practices. Perceived impact of the security practices was lower than the rate of use would imply: This was taken to indicate a selection bias, caused by e.g. developers’ awareness of only certain security engineering practices, or by difficulties in applying the security engineering practices into an iterative software development workflow. Security practices deemed to have most impact were proactive and took place in the early phases of software development. Conclusion: Systematic use of agile practices conformed, and was observed to take place in conjunction with the use of security practices. Security activities were most common in the requirement and implementation phases. In general, the activities taking place early in the life cycle were also considered most impactful. A discrepancy between the level of use and the perceived security impact of many security activities was observed. This prompts research and methodological development for better integration of security engineering activities into software development processes, methods, and tools.</p

A Novel Practice-Based Process Model for Secure Agile Software Development

Nigeria is ranked second globally after India in reported incidences of cyberattacks. Attackers usually exploit vulnerabilities in software which may not have considered security features during the development process. Agile methodologies are a well-established paradigm in the software development field. Its adoption has contributed to improving software quality. However, agile software products remain vulnerable to security challenges and susceptible to cyberattacks. Agile methods also tend to neglect non-functional requirements such as security. Despite its significance, there is paucity of research addressing security. The problem tackled in this research is the lack of security practices integration in agile software development. Thus, this thesis aims to improve security of the software development process when using agile methods through the developed secure process model.The methodology arising from the research context is a multi-methods qualitative approach divided into four phases involving 35 practitioners from 17 organisations. The first phase describes an exploratory case study conducted to empirically explore the agile security practices adopted by software developers and security professionals in United Kingdom (UK). The second phase involves conducting semi-structured interviews to investigate the impact of regulatory policy for building secure agile software in Nigeria. The third phase developed a novel practice-based agile software development process model derived from the results of the interview data analysis conducted. Finally, the model was preliminarily validated through a focus group comprising of 5 senior agile cybersecurity professionals to evaluate its relevancy and novelty. The focus group was conducted online, comprising predominantly UK practitioners previously interviewed, along with a few participants who were not involved in the earlier stages of data collection. The model was also applied at a Nigerian company involved in secure agile software development.Using the adopted methodology, this thesis presents a taxonomy of security practices identified in the UK research sites. They were categorized according to agile use in organisation - roles, ceremonies, and artefacts. Based on the analysis of interviews conducted in Nigeria, a grounded theory of the security challenges confronting agile practitioners was also developed which was termed Policy Adherence Challenges (PAC) model. The four challenges identified are: (a) a lack of collaboration between security and agile teams; (b) the tendency to use foreign software hosting companies; (c) a poor cybersecurity culture; and (d) the high cost of building secure agile software. Also, the model developed in this thesis used swim lane diagrams to highlight the process flow of security activities. 24 security practices were identified and organized into a process flow. The practices were mapped onto five swim lanes each representing an agile role. The preliminary model evaluation conducted through a focus group workshop proposed a new practice, in response to an observed lack of collaborative ceremonies, to disseminate awareness of and hence compliance with security standards. Further evaluation of the secure process model led to several positive changes in the chosen organisation. These include enhanced collaboration through introducing security retrospectives sessions, intervention to reduce manager’s work tasks by introducing a security champion role, action to enhance team security competence by reducing collaborative gap with senior roles which form mitigation mechanisms to improve regulatory compliance in the global south context. This research recommends practitioners integrate practices such as the proposed “compliance sprint” to improve the security of their products thereby reducing the incidences of cyberattacks. Also, there is need for government action by creating the enabling environment to ensure compliance to regulatory policies and security standards for practitioners developing secure software products