15 research outputs found

    Myths and Facts About Static Application Security Testing Tools: An Action Research at Telenor Digital

    It is claimed that integrating agile and security in practice is challenging. There is the notion that security is a heavy process, requires expertise, and consumes developers’ time. These contrast with the agile vision. Regardless of these challenges, it is important for organizations to address security within their agile processes, since critical assets must be protected against attacks. One way is to integrate tools that could help to identify security weaknesses during implementation and suggest methods to refactor them. We used quantitative and qualitative approaches to investigate the efficiency of the tools and what they mean to the actual users (i.e. developers) at Telenor Digital. Our findings, although not surprising, show that several barriers exist both in terms of the tools’ performance and developers’ perceptions. We suggest practical ways for improvement.

    How is security testing done in agile teams? A cross-case analysis of four software teams

    Security testing can broadly be described as (1) the testing of security requirements that concern confidentiality, integrity, availability, authentication, authorization and non-repudiation, and (2) the testing of the software to validate how much it can withstand an attack. Agile testing involves immediately integrating changes into the main system, continuously testing all changes, and updating test cases to be able to run a regression test at any time to verify that changes have not broken existing functionality. Software companies currently face the challenge of systematically applying security testing in their processes. There is a lack of guidelines in practice as well as of empirical studies in real-world projects on agile security testing; industry in general needs a more systematic approach to security. The findings of this research are not surprising, but at the same time are alarming. The lack of security knowledge in agile teams in general, the large dependency on incidental pen-testers, and the neglect of static testing for security are indicators that security testing is highly under-addressed and that more effort should be directed at security testing in agile teams.

    A Perception of the Practice of Software Security and Performance Verification

    Security and performance are critical non-functional requirements for software systems. Thus, it is crucial to include verification activities during software development to identify defects related to such requirements, avoiding their occurrence after release. Software verification, including testing and reviews, encompasses a set of activities whose purpose is to analyze the software in search of defects. Security and performance verification are activities that look for defects related to these specific quality attributes. Few empirical studies have focused on the state of practice in security and performance verification. This paper presents the results of a case study performed in the context of Brazilian organizations, aiming to characterize security and performance verification practices. Additionally, it provides a set of conjectures indicating recommendations to improve security and performance verification activities.

    Sensei: enforcing secure coding guidelines in the integrated development environment

    We discuss the potential benefits, requirements, and implementation challenges of a security-by-design approach in which an integrated development environment (IDE) plugin assists software developers in writing code that complies with secure coding guidelines. We discuss how such a plugin can enable a company's policy-setting security experts and developers to pass their knowledge on to each other more efficiently, and let developers put that knowledge into practice more effectively. This is achieved by letting the team members develop customized rule sets that formalize coding guidelines, and by letting the plugin check the compliance of the code being written against those rule sets in real time, similar to an as-you-type spell checker. Upon detecting violations, the plugin suggests options to quickly fix them and offers additional information to the developer. We share our experience with proof-of-concept designs and implementations rolled out in multiple companies, and present some future research and development directions.

    State of the art techniques for creating secure software within the Agile process: a systematic literature review

    Agile processes have become ubiquitous in the software development community and are used by the majority of companies. At the same time, the need for secure and trustworthy software has been steadily growing. Agile software processes have nonetheless proven difficult to integrate with the pre-existing security frameworks developed for Waterfall processes. This thesis presents the results of a systematic literature review that investigates solutions to this problem. The research questions the researcher sought to answer are: "Which are the latest solutions to enhance the security of software developed using the Agile process?" and "Which of the solutions discussed have performed best in pilot studies?". This study analyzed 39 papers published between 2011 and 2018. The results were ordered according to which exhibited the highest consensus and coded into four sets. The most salient suggestions were: increase the training of developers, add dedicated security roles to the development team, hybridize security solutions from the Waterfall processes, and add security artifacts such as the "security backlog" and "evil user stories" to Agile.

    Strategies to manage quality requirements in agile software development: a multiple case study

    Agile methods can deliver software that fulfills customer needs rapidly and continuously. Quality requirements (QRs) are important in this regard; however, detailed studies on how companies applying agile methods manage QRs are limited, as are studies on the rationale for choosing specific QR management practices and the related challenges. The aim of this study was to address why practitioners manage QRs as they do and what challenges they face. We also analyzed how existing practices mitigate some of the challenges found. Lastly, we connect the contextual elements of the companies with their practices and challenges. We conducted 36 interviews with practitioners from four companies of varying sizes. Since each company operates in a different domain, comparing QR management strategies and related challenges in different contexts was possible. We found that the companies apply proactive, reactive, and interactive strategies to manage QRs. Additionally, our study revealed 40 challenges in six categories that companies applying agile methods may face in QR management. We also identified nine contextual elements that affect QR management practice choices and which, importantly, can explain many related challenges. Based on these findings, we constructed a theoretical model of the connection between context, QR management practices, and challenges. Practitioners in similar contexts can learn from the practices identified in this study. Our preliminary theoretical model can help other practitioners identify what challenges they can expect to face in QR management in different development contexts, as well as which practices to apply to mitigate these challenges. This work was supported by the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement 732253.

    Framework for automated testing on Event-Driven Microservices

    We live in an era of digital revolution that leads to the constant redefinition of business rules in order to keep up with the needs of users and customers. Microservices make it easier to re-adapt software to business rules; however, some challenges arise with respect to software engineering, particularly in the area of software quality. When analyzing various sources, we realized that there is no standardized way to approach the quality process in microservices that exhibit asynchronism. A potential cause for this lack of a standard is the absence of tools on the market specialized in verifying asynchronous services from a behavior-driven perspective. This work proposes a solution to the limitation described above, through the development of a framework for implementing automated tests oriented to the expected behavior of the microservice. Requirements were elicited based on the expected characteristics of a development framework as well as on the technical aspects inherent to the asynchronism technology chosen in this work. The final evaluation of the developed framework, and consequently of the work this dissertation proposes, was carried out on the basis of the various tests specified for each of the stated requirements.