
    Influencing the security prioritisation of an agile software development project

    Software security is a complex topic, and for development projects it can be challenging to assess what security is necessary and cost-effective. Agile Software Development (ASD) values self-management. Thus, teams and their Product Owners are expected to also manage software security prioritisation. In this paper we build on the notion that security experts who want to influence the priority given to security in ASD need to do this through interactions with and support for teams rather than by prescribing certain activities or priorities. But to do this effectively, there is a need to understand what hinders and supports teams in prioritising security. Based on a longitudinal case study, this article offers insight into the strategy used by one security professional in an SME to influence the priority of security in the company's software development projects. The main result is a model of influences on security prioritisation that can assist in understanding what supports or hinders the prioritisation of security in ASD, thus providing recommendations for security professionals. Two alternative strategies are outlined for software security in ASD, prescribed and emerging, where we hypothesise that an emerging approach can be more relevant for SMEs doing ASD, and that this can affect how such companies should consider software security maturity.

    State of the art techniques for creating secure software within the Agile process: a systematic literature review

    Agile processes have become ubiquitous in the software development community and are used by the majority of companies. At the same time, the need for secure and trustworthy software has been steadily growing. Agile software processes have nonetheless proven difficult to integrate with the preexisting security frameworks developed for Waterfall processes. This thesis presents the results of a systematic literature review that investigates solutions to this problem. The research questions the researcher tried to answer are: "Which are the latest solutions to enhance the security of software developed using the Agile process?" and "Which of the solutions discussed have performed best in pilot studies?". This study analyzed 39 papers published between 2011 and 2018. The results were ordered according to which exhibited the highest consensus and coded into four sets. The most salient suggestions were: increase the training of the developers, add dedicated security figures to the development team, hybridize security solutions from the Waterfall processes, and add security artifacts such as the "security backlog" and "evil user stories" to Agile.

    Security but not for security’s sake: The impact of social considerations on app developers’ choices

    We explore a dataset of app developer reasoning to better understand the reasons that may inadvertently promote or demote app developers' prioritization of security. We identify a number of reasons: caring for vs. fear of users, the impact of norms, and notions of 'otherness' and 'self' in terms of belonging to groups. Based on our preliminary findings, we propose an interdisciplinary research agenda to explore the impact of 'social identity' (a psychological theory) on developers' security rationales, and how this could be leveraged to guide developers towards making more secure choices.

    Study of an organisation's operations management system, using the example of Apple Computer, Inc.

    The object of investigation is the process of managing the operating activities of Apple, Inc. The aim of the work is to formulate theoretical approaches and to develop practical recommendations on directions for improving operations management at the organisation. Research methods cover methods of analysis, synthesis, comparison, detailing, and the systems approach. This master's research paper analyses the operations management of Apple, Inc. and provides recommendations for its improvement. In particular, the main directions for solving the company's operations management problems have been outlined, and proposals have been made for expanding the distribution network and improving the organisation of innovative activity at Apple Inc.

    The object of the study is the process of managing the operating activities of Apple, Inc. The aim of the study is to formulate theoretical approaches and develop practical recommendations on directions for improving the operations management system of Apple, Inc. Research methods: methods of analysis, synthesis, comparison, detailing, and the systems approach. The paper analyses the operations management of Apple, Inc. and sets out recommendations for its improvement. In particular, the main directions for solving the company's operations management problems are outlined, and proposals are made for expanding the distribution network and improving the organisation of Apple Inc.'s innovative activity.

    Contents
    Introduction
    Chapter 1. The theoretical framework of operational management
    1.1 Meanings and definition of operational management
    1.2 Principles and methods of operations management
    1.3 Factors affecting the operations activity of Apple Inc.
    Chapter 2. Research and analysis
    2.1 Company introduction
    2.2 SWOT analysis of Apple Inc.
    2.3 Analysis of operations management at Apple Inc.
    Chapter 3. Recommendations for improving operational management at Apple Inc.
    3.1 The main directions for solving the company's operational management problems
    3.2 Recommendations concerning improvements of distribution in the organisation
    3.3 Recommendations concerning improvements of innovative activity at the organisation
    Chapter 4. Special part
    4.1 Current trends in the field
    4.2 Company policy in the market
    Chapter 5. Rationale for recommendations
    5.1 Statement for recommendations at the company
    Chapter 6. Occupational health and safety at the enterprise
    6.1 The aim of occupational health
    6.2 Organisation of occupational health and safety at the enterprise
    Chapter 7. Environmental issues
    7.1 Environmental issues in the field
    7.2 Environmental factors
    Conclusions
    References
    Appendices

    Dealing with Data Challenges when Delivering Data-Intensive Software Solutions

    The predicted increase in demand for data-intensive solution development is driving the need for software, data, and domain experts to collaborate effectively in multi-disciplinary data-intensive software teams (MDSTs). We conducted a socio-technical grounded theory study through interviews with 24 practitioners in MDSTs to better understand the challenges these teams face when delivering data-intensive software solutions. The interviews provided perspectives across different types of roles, including domain, data and software experts, and covered different organisational levels, from team members and team managers to executive leaders. We found that the key concern for these teams is dealing with data-related challenges. In this paper, we present the theory of dealing with data challenges, which explains the challenges faced by MDSTs, including gaining access to data, aligning data, understanding data, and resolving data quality issues; the context in and conditions under which these challenges occur; the causes that lead to the challenges; and the related consequences, such as having to conduct remediation activities, inability to achieve expected outcomes, and lack of trust in the delivered solutions. We also identified contingencies or strategies applied to address the challenges, including high-level strategic approaches such as implementing data governance, implementing new tools and techniques such as data quality visualisation and monitoring tools, and building stronger teams by focusing on people dynamics, communication skill development and cross-skilling. Our findings have direct implications for practitioners and researchers seeking to better understand the landscape of data challenges and how to deal with them.
    Comment: Submitted to IEEE Transactions on Software Engineering, 22 pages, 4 figures, 1 table.

    Rational Cybersecurity for Business

    Use the guidance in this comprehensive field guide to gain the support of your top executives for aligning a rational cybersecurity plan with your business. You will learn how to improve working relationships with stakeholders in complex digital business, IT, and development environments. You will know how to prioritize your security program, and how to motivate and retain your team. Misalignment between security and your business can start at the top in the C-suite or happen at the line-of-business, IT, development, or user level. It has a corrosive effect on any security project it touches. But it does not have to be like this. Author Dan Blum presents valuable lessons learned from interviews with over 70 security and business leaders. You will discover how to successfully solve issues related to risk management, operational security, privacy protection, hybrid cloud management, security culture and user awareness, and communication challenges. This open access book presents six priority areas to focus on to maximize the effectiveness of your cybersecurity program: risk management, control baseline, security culture, IT rationalization, access control, and cyber-resilience. Common challenges and good practices are provided for businesses of different types and sizes, and more than 50 specific keys to alignment are included.

    What You Will Learn
    - Improve your security culture: clarify security-related roles, communicate effectively to businesspeople, and hire, motivate, or retain outstanding security staff by creating a sense of efficacy
    - Develop a consistent accountability model, information risk taxonomy, and risk management framework
    - Adopt a security and risk governance model consistent with your business structure or culture, manage policy, and optimize security budgeting within the larger business unit and CIO organization IT spend
    - Tailor a control baseline to your organization's maturity level, regulatory requirements, scale, circumstances, and critical assets
    - Help CIOs, Chief Digital Officers, and other executives to develop an IT strategy for curating cloud solutions and reducing shadow IT, building up DevSecOps and Disciplined Agile, and more
    - Balance access control and accountability approaches, leverage modern digital identity standards to improve digital relationships, and provide data governance and privacy-enhancing capabilities
    - Plan for cyber-resilience: work with the SOC, IT, business groups, and external sources to coordinate incident response, recover from outages, and come back stronger
    - Integrate your learnings from this book into a quick-hitting rational cybersecurity success plan

    Who This Book Is For
    Chief Information Security Officers (CISOs) and other heads of security, security directors and managers, security architects and project leads, and other team members providing security leadership to your business.

    Interventions for Software Security: Creating a Lightweight Program of Assurance Techniques for Developers

    Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team's motivation to consider security and its awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. They were then validated in fieldwork with a Participatory Action Research study that delivered the workshops to three development organizations. This approach has the potential to be applied by many development teams, improving the security of software worldwide.

    ICSEA 2022: the seventeenth international conference on software engineering advances

    The Seventeenth International Conference on Software Engineering Advances (ICSEA 2022), held between October 16th and October 20th, 2022, continued a series of events covering a broad spectrum of software-related topics. The conference covered fundamentals of designing, implementing, testing, validating and maintaining various kinds of software. Several tracks were proposed to treat the topics from theory to practice, in terms of methodologies, design, implementation, testing, use cases, tools, and lessons learned. The conference topics covered classical and advanced methodologies, open source, agile software, as well as software deployment and software economics and education. Other advanced aspects relate to run-time practical concerns, such as run-time vulnerability checking, the rejuvenation process, updates, partial or temporary feature deprecation, software deployment and configuration, and on-line software updates. These aspects trigger implications related to patenting, licensing, engineering education, new ways for software adoption and improvement, and ultimately, to software knowledge management. There are many advanced applications requiring robust, safe, and secure software: disaster recovery applications, vehicular systems, biomedical-related software, biometrics-related software, mission-critical software, e-health-related software, and crisis-situation software. These applications require appropriate software engineering techniques, metrics and formalisms, such as software reuse, appropriate software quality metrics, composition and integration, consistency checking, model checking, provers and reasoning. The nature of research in software varies slightly with the specific discipline researchers work in, yet there is much common ground and room for sharing best practice, frameworks, tools, languages and methodologies.
    Despite the number of experts we have available, little work is done at the meta level, that is, examining how we go about our research and how this process can be improved. There are questions related to the choice of programming language, IDEs, and documentation styles and standards. Reuse can be of great benefit to research projects, yet reuse of prior research projects introduces special problems that need to be mitigated. The research environment is a mix of creativity and systematic approach, which leads to a creative tension that needs to be managed or at least monitored. Much of the coding in any university is undertaken by research students or young researchers. Issues of skills training, development and quality control can have significant effects on an entire department. In an industrial research setting, the environment is not quite that of industry as a whole, nor does it follow the pattern set by the university. The unique approaches and issues of industrial research may hold lessons for researchers in other domains. We take here the opportunity to warmly thank all the members of the ICSEA 2022 technical program committee, as well as all the reviewers. The creation of such a high-quality conference program would not have been possible without their involvement. We also kindly thank all the authors who dedicated much of their time and effort to contribute to ICSEA 2022. We truly believe that, thanks to all these efforts, the final conference program consisted of top-quality contributions. We also thank the members of the ICSEA 2022 organizing committee for their help in handling the logistics of this event. We hope that ICSEA 2022 was a successful international forum for the exchange of ideas and results between academia and industry and for the promotion of progress in software engineering advances.