
    AGILE AND SECURE SOFTWARE DEVELOPMENT: AN UNFINISHED STORY

    Given the widespread adoption of agile methods and the rising number of software vulnerabilities, we analyze the literature with an interest in the effect of security practices on software development agility. We propose a novel taxonomy to systematize the body of knowledge around secure agile development and then organize and summarize the selected research using the new taxonomy. At a high level we create two categories, Phase Focused and Phase Independent. The Phase Focused category is then subdivided along the traditional SDLC phases. The Phase Independent category spans all phases of the SDLC or is phase independent. We conclude that, although there is a significant body of literature on the topic, the story is unfinished. Further investigation is needed to ensure agility as secure development practices are adopted, and in regard to empirical evaluations of the proposed agile and secure software development integration approaches.

    Understanding Agile Software Development Assimilation Beyond Acceptance

    Agile software development methods represent a departure from the heavily regimented and document-driven procedures of traditional, waterfall approaches. Despite the highly touted benefits of employing agile ISD methods and the growth of agile adoption rates over the past two decades, it is not clear why some organizations fail to routinize agile methods, while others do so and realize their promised benefits. Motivated by the need to understand the factors that influence agile routinization, this study empirically examines the deep contextual factors that impact the extent to which agile methods are proliferated throughout an organization. Findings indicate that project success from initial agile use does not translate to routine agile use. Instead, findings from the study suggest that the organizational factors of culture and structure play a pivotal role in the routinization of agile methods.

    Agile or non-agile, that is the question: designing a decision support system for an agile approach in software development projects

    Knowing how to choose an approach to manage a software development project is essential to maximize the chances of success. One of the great dilemmas we face nowadays concerns the choice between an Agile and a traditional development methodology. There are several characteristics of software projects and of the business environments in which they are performed that we must consider while choosing a suitable option. Although Agile development methodologies have been increasingly expanding and consolidating worldwide as effective ways of building software since the early 2000s, they are not a one-size-fits-all approach. When to use Agile and which methodology is most suitable are the great questions we aim to answer in this research. Through a comprehensive review of the literature and an exploratory study with Agile practitioners, we explored and identified the main factors that favour the use of an Agile approach. We also unveiled the characteristics of software development projects and organisational environments that lead development teams to opt for one of the common Agile frameworks: Scrum, Extreme Programming (XP), Kanban, or Lean Software Development (LSD). Based on the results obtained, we conceived a conceptual model to support decision making and developed a prototype of an information system that implements this conceptual model. Our major goal in this study is to clarify what is important to consider in the choice of an Agile methodology and to help the decision-maker select an appropriate development approach.
The results of this research contribute to the literature related to the selection of software development methodologies, as well as to the diffusion of Agile within development teams and organisations with no or a low degree of maturity in Agile, but interested in knowing more about or adopting this development approach.

Choosing an appropriate approach to manage a software development project is essential to maximize the chances of success. One of the great dilemmas of today concerns the choice between an Agile and a traditional development methodology. There are several characteristics of software projects and of the organisational environments in which they are executed that we must consider when choosing an appropriate option. Although Agile development methodologies have been expanding and consolidating worldwide since the early 2000s as effective solutions for building software, they do not apply to every development scenario. When to use Agile and which of its methodologies is the most appropriate are the great questions we intend to answer in this research. Through a comprehensive literature review and an exploratory study with professionals experienced in Agile methodologies, we explored and identified the main factors that favour the use of an Agile approach. We also studied the characteristics of software development projects and organisational environments that lead development teams to opt for one of its most common methodologies: Scrum, Extreme Programming (XP), Kanban or Lean Software Development (LSD). Based on the results obtained, we conceived a conceptual model to support decision making and developed a prototype of a system that implements that conceptual model. Our main objective is to clarify what is important to consider in choosing an Agile methodology and to help the decision-maker select an appropriate option.
The results of this research enrich the literature on methods for selecting software development processes, and contribute to the diffusion of Agile among development teams and organisations with no or a low degree of maturity in Agile, but that are interested in learning more about or adopting this development approach.

    Adopting agile methodologies in distributed software development

    From the second half of the '90s, some software engineering practitioners introduced a new group of software development methodologies called Agile Methodologies (AMs): they have been developed to overcome the limits of the traditional approaches to software development. FLOSS (Free Libre Open Source Software) has been proposed as a possible alternative solution to the software crisis that is afflicting the ICT business worldwide. While the AMs improve code quality and allow quick responses to requirement changes, the FLOSS approach decreases development costs and increases the spread of competences about the software products. A debate is taking shape about the compatibility of these two approaches. Software development teams have been spreading around the world, with users in Europe, management in the USA and programmers in the USA and India. The scattering of team members and functions around the world introduces barriers to productivity; cultural and language differences can lead to misunderstanding of requirements, and time zone differences can delay project schedules. Agile methods can provide a competitive advantage by delivering early, simplifying communication and allowing the business to respond more quickly to the market by changing the software. Trying to distribute a development project in an agile way isn't easy and will involve compromises. The goal of this thesis is to determine the application of the AMs in several contexts in order to define which of these can be used effectively in non-traditional software projects such as distributed development.

    Development of Secure Software : Rationale, Standards and Practices

    Society is run by software. Electronic processing of personal and financial data forms the core of nearly all societal and economic activities, and concerns every aspect of life. Software systems are used to store, transfer and process this vital data. The systems are further interfaced by other systems, forming complex networks of data stores and processing entities. This data requires protection from misuse, whether accidental or intentional. Elaborate and extensive security mechanisms are built around the protected information assets. These mechanisms cover every aspect of security, from physical surroundings and people to data classification schemes, access control, identity management, and various forms of encryption. Despite the extensive information security effort, repeated security incidents keep compromising our financial assets, intellectual property, and privacy. In addition to the direct and indirect cost, they erode the trust in the very foundation of information security: availability, integrity, and confidentiality of our data. Lawmakers at various national and international levels have reacted by creating a growing body of regulation to establish a baseline for information security. Increased awareness of information security issues has led to extending this regulation to one of the core issues in secure data processing: security of the software itself. Information security contains many aspects. It is generally classified into organizational security, infrastructure security, and application security. Within application security, the various security engineering processes and techniques utilized at development time form the discipline of software security engineering. The aim of these security activities is to address the software-induced risk toward the organization, reduce the security incidents and thereby lower the lifetime cost of the software.
Software security engineering manages the software risk by implementing various security controls right into the software, and by providing security assurance for the existence of these controls by verification and validation. A software development process typically has several objectives, of which security may form only a part. When security is not expressly prioritized, the development organizations have a tendency to direct their resources to the primary requirements. While producing short-term cost and time savings, the increased software risk, induced by a lack of security and assurance engineering, will have to be mitigated by other means. In addition to increasing the lifetime cost of software, unmitigated or even unidentified risk has an increased chance of being exploited and of causing other software issues. This dissertation concerns security engineering in agile software development. The aim of the research is to find ways to produce secure software through the introduction of security engineering into the agile software development processes. Security engineering processes are derived from extant literature, industry practices, and several national and international standards. The standardized requirements for software security are traced to their origins in the late 1960s, and the alignment of the software engineering and security engineering objectives is followed from their original challenges to the current agile software development methods. The research provides direct solutions to the formation of security objectives in software development, and to the methods used to achieve them. It also identifies and addresses several issues and challenges found in the integration of these activities into the development processes, providing directly applicable and clearly stated solutions for practical security engineering problems.
The research found the practices and principles promoted by agile and lean software development methods to be compatible with many security engineering activities. Automated, tool-based processes and the drive for efficiency and improved software quality were found to directly support the security engineering techniques and objectives. Several new ways to integrate software engineering into agile software development processes were identified. Ways to integrate security assurance into the development process were also found, in the form of security documentation, analyses, and reviews. Assurance artifacts can be used to improve software design and enhance quality assurance. In contrast, detached security engineering processes may create security assurance that serves only purposes external to the software processes. The results provide direct benefits to all software stakeholders, from the developers and customers to the end users. Security awareness is the key to more secure software. Awareness creates a demand for security, and the demand gives software developers the concrete objectives and the rationale for the security work. This also creates a demand for new security tools, processes and controls to improve the efficiency and effectiveness of software security engineering. At first, this demand is created by increased security regulation. The main pressure for change will emanate from the people and organizations utilizing the software: security is a mandatory requirement, and software must provide it. This dissertation addresses these new challenges. Software security continues to gain importance, prompting new solutions and research.

Software is a central part of the basic infrastructure of our society. A significant share of our social and economic activity is based on the electronic processing, storage and transfer of information. A substantial number of software systems have been developed to perform these tasks, forming complex networks that enable the shared use of information. To protect information, numerous protection mechanisms have been built around it, intended to prevent misuse, whether accidental or intentional. The protection mechanisms apply not only to software but also to its operating environments and users, and to the information being processed itself: these mechanisms include, for example, data classification, restriction of access to information, user identity management and encryption techniques. Despite these protective measures, information security breaches endanger both the strategic information assets of business and society and our personal data. In addition to financial losses, attacks erode trust in the cornerstones of information security: the confidentiality, integrity and availability of information. To protect these foundations of information security, a growing body of security regulation has been drafted that defines a baseline for information security. Thanks to increased security awareness, the new regulation has been extended to cover the core of secure information processing as well: software development. Information security consists of several areas. These include organisation-level security practices, the security of the information processing infrastructure and, central to this study, software security. This area covers the security techniques and processes used during software development. The aim is to reduce the risks that software causes to organisations, or to eliminate them entirely. Software development security aims to reduce the lifecycle cost of software by specifying and implementing security controls directly in the software itself. In addition, the functioning and effectiveness of the controls is demonstrated by means of separate verification and validation methods. This dissertation focuses on security work as part of iterative and incremental, so-called agile software development.
The aim of the research is to find new ways to produce secure software by making security work an integral part of software development processes. The security work processes are derived from the scientific and technical literature of the field, the prevailing practices of software development work, and national and international security standards. The development of standardised security requirements has been traced from their beginnings in the 1960s, linking them to the development of the objectives and challenges of software development up to the present day and the era of agile methods. The study presents concrete solutions for setting and achieving the objectives of security work in software development. The study also identifies problems and challenges in combining security work with software development methods, and offers guidelines and alternatives for resolving them. Based on the study, aligning the practices and principles of iterative and incremental software development with security work activities improves software quality and security, thereby lowering costs throughout the maintenance lifecycle of the software. Automation of software development, tool-based processes and the pursuit of efficiency and high quality are directly aligned with the methods and objectives of security work. The study identified several new ways to combine software development and security work. In addition, ways were found to use the material produced for security assurance, based on documentation, analyses and reviews, as part of software design and quality assurance. Kept separate, these processes lead to a situation in which security material is used only for needs external to software development. The research results benefit all stakeholders, from software developers to their customers and end users.
Software security work is based on knowledge and education. Knowledge in turn increases demand, which creates concrete objectives and justifications for security work already in the software development phase. The focus of security work shifts from defence and damage repair towards the structural prevention of damage. Demand also creates a need for new tools, processes and techniques that increase the efficiency and effectiveness of security work. At present, demand is mainly created by increased security regulation. However, the main need for change arises from the requirements of software customers and users: the economic significance of software security capability is growing. The importance of information security will be emphasised even further, increasing the need for security work and research in the future as well.

    Estimating, planning and managing Agile Web development projects under a value-based perspective

    Context: The processes of estimating, planning and managing are crucial for software development projects, since the results must be related to several business strategies. The broad expansion of the Internet and the global and interconnected economy mean that Web development projects are often characterized by expressions like delivering as soon as possible, reducing time to market and adapting to undefined requirements. In this kind of environment, traditional methodologies based on predictive techniques sometimes do not offer very satisfactory results. The rise of Agile methodologies and practices has provided some useful tools that, combined with Web Engineering techniques, can help to establish a framework to estimate, manage and plan Web development projects. Objective: This paper presents a proposal for estimating, planning and managing Web projects, by combining some existing Agile techniques with Web Engineering principles, presenting them as a unified framework which uses the business value to guide the delivery of features. Method: The proposal is analyzed by means of a case study, including a real-life project, in order to obtain relevant conclusions. Results: The results achieved after using the framework in a development project are presented, including interesting results on project planning and estimation, as well as on team productivity throughout the project. Conclusion: It is concluded that the framework can be useful in order to better manage Web-based projects, through a continuous value-based estimation and management process. Ministerio de Economía y Competitividad TIN2013-46928-C3-3-

    A case study of agile software development for large-scale safety-critical systems projects

    This study explores the introduction of agile software development within an avionics company engaged in safety-critical system engineering. There is increasing pressure throughout the software industry for development efforts to adopt agile software development in order to respond more rapidly to changing requirements and make more frequent deliveries of systems to customers for review and integration. This pressure is also being experienced in safety-critical industries, where release cycles on typically large and complex systems may run to several years on projects spanning decades. However, safety-critical system developments are normally highly regulated, which may constrain the adoption of agile software development or require adaptation of selected methods or practices. To investigate this potential conflict, we conducted a series of interviews with practitioners in the company, exploring their experiences of adopting agile software development and the challenges encountered. The study also explores the opportunities for altering the existing software process in the company to better fit agile software development to the constraints of software development for safety-critical systems. We conclude by identifying immediate future research directions to better align the tempo of software development for safety-critical systems and agile software development.

    Systematic mapping study of usability in post-implementation on agile software development

    Abstract. The need for new software information systems is increasing year by year, and information software systems have become part of people's everyday life. As the number of systems has increased, so has the need for these systems to be usable and to work properly. This thesis used the systematic mapping study method to get an overview of the current state of usability in agile software development. In the study, 269 papers were initially retrieved from SCOPUS; after exclusion of irrelevant papers, 92 papers were selected for the study, of which 75 papers passed the inclusion criteria to the final stage of the study. This thesis presents a look at the current state of usability in agile software development. The study suggested that the use of usability in agile environments is still trying to find its place, but research is being done constantly to make it more prevalent in the field. Of those agile software development projects that had included some sort of usability method in development, too few included usability throughout the whole development cycle.

Abstract. The need for new information systems has grown larger year by year. Information systems have become part of our everyday lives. As the number of information systems has grown, so has the need to make them more usable and functional. This thesis used the systematic mapping study method to obtain an overview of the current state of usability in agile software development. The study initially included 269 publications, retrieved from the SCOPUS database. After screening the results, 92 publications were found to be substantively relevant to the topic. Of these 92 publications, 75 were accepted to the final stage of the study. This thesis gives an overview of usability in agile software development based on the current literature.
The study found that the use of usability in agile software development is still trying to find its place, but research is developing continuously so that usability becomes established in agile software development as well. In those projects where agile software development was practised and usability had been taken into account, too few incorporated usability methods to support development throughout the entire software development lifecycle.