7 research outputs found

    Identification of the Impacts of Code Changes on the Security of Software

    Companies develop their software in versions and iterations, and ensuring the security of each additional version by code review is costly and time consuming. This paper investigates automated tracing of the impacts of code changes on the security of a given software system. To this end, we use call graphs to model the software code and security assurance cases to model its security requirements. We then relate assurance-case elements to code through the entry-point methods of the software, creating a map of monitored security functions. This mapping allows the security requirements affected by a code change to be identified. The approach is implemented in a set of tools and evaluated on three open-source ERP/e-commerce applications. The limited evaluation showed that the approach is effective in identifying the impacts of code changes on the security of the software. It promises to considerably reduce the security assessment time of subsequent releases and iterations, preserving the initial security state throughout the software lifetime.
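    The mapping described above can be reduced to a reachability computation: each assurance-case claim is tied to the entry-point methods that realize it, the call graph gives every function reachable from those entry points (the "monitored" set), and a change impacts a claim when an edited function lies in that set or when the set itself changes between versions (a new callee appearing on a monitored path). The following is an added example written for this page, not the paper's tooling; the call graph, the claim names and the changed-function list are all constructed for illustration, and in practice the change set would come from the diff and the graphs from a static call-graph extractor.

```python
"""Change-impact analysis over a call graph, mapped to assurance-case claims.

Added illustration for this page; not the paper's tooling. All graphs, claim
names and change sets below are constructed sample data.
"""
from collections import deque

# Constructed call graph of the previous release: caller -> callees.
OLD_GRAPH = {
    "LoginController.login": ["AuthService.authenticate", "AuditLog.write"],
    "AuthService.authenticate": ["PasswordHasher.verify", "UserRepo.find"],
    "PasswordHasher.verify": ["Crypto.pbkdf2"],
    "UserRepo.find": ["Db.query"],
    "AuditLog.write": ["Db.insert"],
    "CheckoutController.pay": ["PaymentService.charge", "AuditLog.write"],
    "PaymentService.charge": ["Db.query", "Crypto.hmac"],
    "Util.format": [],          # present in the code base, reachable from no entry point
}

# Constructed call graph of the new release: payment now also calls out over the network.
NEW_GRAPH = {k: list(v) for k, v in OLD_GRAPH.items()}
NEW_GRAPH["PaymentService.charge"] = ["Db.query", "Crypto.hmac", "Net.send"]
NEW_GRAPH["Net.send"] = []

# Assurance-case leaf claims -> entry-point methods of the software that realize them.
ASSURANCE_MAP = {
    "C1 credentials are verified against a salted hash": ["LoginController.login"],
    "C2 security-relevant events are logged": ["LoginController.login", "CheckoutController.pay"],
    "C3 payment requests are integrity-protected": ["CheckoutController.pay"],
}


def monitored_functions(call_graph, entry_points):
    """Return every function reachable from the entry points (breadth-first closure)."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(call_graph.get(fn, []))
    return seen


def impacted_claims(old_graph, new_graph, assurance_map, changed_functions):
    """Map each affected claim to the functions that cause the impact.

    A claim is impacted when an edited function lies on a path reachable from
    one of its entry points in either release, or when the reachable set itself
    differs between releases (a callee was added to or removed from a monitored path).
    """
    changed = set(changed_functions)
    result = {}
    for claim, entry_points in assurance_map.items():
        before = monitored_functions(old_graph, entry_points)
        after = monitored_functions(new_graph, entry_points)
        hits = (before | after) & changed   # edited functions inside the monitored set
        hits |= before ^ after              # functions that entered or left the monitored set
        if hits:
            result[claim] = sorted(hits)
    return result


if __name__ == "__main__":
    # Constructed change set: the hashing routine was edited in this iteration.
    for claim, fns in impacted_claims(OLD_GRAPH, NEW_GRAPH, ASSURANCE_MAP, ["PasswordHasher.verify"]).items():
        print(f"{claim}: re-assess, affected by {fns}")
```

Only claims whose monitored set intersects the change are flagged, so an edit to `Util.format` produces no work; conversely C3 is flagged even though no function it monitors was edited, because the new `Net.send` callee extends the path from `CheckoutController.pay`. That second case is why both graphs are compared rather than reusing the old monitor map.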

    Using Assurance Cases to Develop Iteratively Security Features Using Scrum

    A security feature is a customer-valued capability of software that mitigates a set of security threats. Incremental development of security features with the Scrum method often produces features that are ineffective against the threats they target, owing to factors such as incomplete security tests. This paper proposes the use of security assurance cases to maintain a global view of the security claims as a feature is developed iteratively, together with a process that enables the incremental development of security features while ensuring that the feature's security requirements are fulfilled.

    Strategic proposal of secure practices for software development with agile methodologies

    The general objective of this work is to set out a strategic proposal of secure practices for software development with agile methodologies. This is achieved first by reviewing the current state and trend of agile methodologies, identifying the models currently proposed for secure development with agile methodologies, characterizing the agile principles and practices used in industry for software development, and selecting the information-security aspects desirable in technology projects on the basis of the ISO 27002 standard. Finally, the identified practices are analysed for their compliance with agility and security in order to obtain the most agile and secure ones; combined with a prospective exercise on the strategic variables (values, principles, control objectives, practices and agile methodologies), these generate the probable scenarios that guide an organization in the concrete actions to take on the path toward a more favourable implementation of agility.
    Maestrí

    INTEGRATION OF SOFTWARE SAFETY ASSURANCE PRINCIPLES WITH AN AGILE DEVELOPMENT METHOD

    Agile software development has had success in different domains. However, there is one area where the implementation of agile methods still needs significant development: agile development of safety-critical systems. In this field, software engineering processes need to be justified against the requirements of software safety assurance standards (such as ISO 26262 in the automotive domain). It is therefore important that agile development processes can be justified to levels of assurance equivalent to those provided by traditional development approaches. While there is existing literature on integrating agile methods with specific safety-critical system development standards, the question of how fundamental software safety assurance principles can be addressed within agile methods has received little attention. In this thesis we describe the results of practitioner surveys that highlight the primary concerns regarding the use of agile methods within safety-critical development. In the context of this survey, and of existing work on software safety assurance principles, we then present an initial proposal as to how assurance could be addressed with an existing agile development method, Scrum. This proposal was submitted to practitioners for initial feedback and evaluation, and the results of that evaluation are also presented.

    Integration of software security design analysis into the agile development process

    This thesis presents research in the field of secure software engineering. Two methods are developed that, when combined, facilitate the integration of software security design analysis into the agile development workflow. The first method is a training framework for creating workshops that teach software engineers how to perform security design analysis. The second method is a process that expands on the security design analysis method to facilitate better integration with the needs of the organization. The first method is evaluated through a controlled experiment, while the second is evaluated through comparative analysis and case-study analysis, in which the process is tailored and implemented for two different software vendors.

    A software development framework for secure microservices

    Abstract: The software development community has seen the proliferation of a new style of building applications based on small, specialized, autonomous units of computation logic called microservices. Microservices collaborate by sending lightweight messages to automate a business task. They are independently deployable on arbitrary schedules, allowing enterprises to quickly create new sets of business capabilities in response to changing business requirements. It is expected that microservices will become the default style of building software applications by the year 2023, with the microservices market projected to reach 32 billion US dollars. The adoption of microservices presents new security challenges due to the way the units of computation logic are designed, deployed and maintained. Decomposing an application into small independent units increases the attack surface and makes it a challenge to secure and control the network traffic of each unit. These new security challenges cannot be addressed by traditional security strategies. Software engineers developing microservices face growing pressure to build them securely in order to protect business information assets and guarantee business continuity. The research conducted in this thesis proposes a software development framework that software engineers can use to build secure microservices. The framework defines artefacts, development and maintenance activities, and methods and techniques that software engineers can use to ensure that microservices are developed from the ground up to be secure. The goal of the framework is to ensure that microservices are designed and built to detect, react, respond and recover from attacks during day-to-day operations. 
    To prove the capability of the framework, a microservices-based application is developed using the proposed framework as part of an experiment to determine its effectiveness. These results, together with a comparative and quality review of the framework, indicate that the software development framework can be used effectively to develop secure microservices.
    Ph.D. (Computer Science)