International Journal of Software Engineering & Applications (IJSEA), Vol.7, No.3, May 2016
DOI: 10.5121/ijsea.2016.7304
A REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENT
Raja Khaim1, Saba Naz*1, Fakhar Abbas2, Naila Iqbal3, Memoona Hamayun5
1,2,3,4 University Institute of Information Technology, PMAS University, Rawalpindi Pakistan
ABSTRACT
Agile software development has gained a lot of popularity in the software industry due to its iterative and
incremental approach as well as user involvement. Agile has also been criticized for its lack of ability to
deliver secure software. In this paper, an extensive literature review has been performed in order to
highlight the existing security issues in agile software development. The majority of challenges reported
in the literature occurred due to a lack of involvement of a security expert. Improving the security of a
software system without damaging the real essence of Agile can be achieved with the continuous involvement
of a security engineer throughout the development lifecycle, with defined roles and responsibilities.
KEYWORDS
Agile development, Agile Security Development
1. INTRODUCTION
Agile practices have had a significant impact on software development in the last few years [1]. A fair
amount of affirmative response has been noted from organizations [2] that use agile practices.
These practices are quite popular for producing evolving software [3]. Agile practices are
associated with better product quality, customer satisfaction, and developer productivity than
traditional waterfall practices [4]. Over time, software security has become a significant concern.
Up to a certain level, security has been successfully integrated into traditional development by
developers [5], but agile development methodology has been seriously criticized for producing
less secure software [6], [7].
Acceptance of changing requirements, favoring regular deliveries, and exclusion of security
engineering activities make secure software development challenging using agile methodology
[8]. This leads to reiteration of agile practices in order to make the software secure, which negatively
affects the project timeline, considerably increases costs, and decreases customer trust and
satisfaction, which in the end diminishes the notion of these practices as agile [9]. These
characteristics serve as the foundation of serious criticism of agile methods for producing insecure
software.
In this study, the analysis of related work mostly reveals issues with the integration of
security in agile. This paper presents a systematic review of techniques and methods for security
integration in agile. Existing techniques and methods have been scrutinized; they have not
produced any significant review or survey on this particular topic. For these
investigations, the systematic literature review (SLR) technique has been used, and a thorough
exploration has been carried out. The paper is organized as follows: Sec. 2 covers the literature
review, Sec. 3 the materials and methods, Sec. 4 the results and inferences, Sec. 5 the discussion
and Sec. 6 the conclusions.
2. RELATED WORK
The aim of this section is to describe the literature on incorporating security in agile.
Various methods with different approaches have been used to conduct surveys on incorporating
security in agile.
A review of extreme programming was conducted by Ghani and Yasin [1]. They studied the literature
related to extreme programming from the perspective of security and observed that
extreme programming only partly supports the integration of security. A few researchers have worked on
these topics, but comprehensive information regarding their outcomes and usage has not
been published yet. They concluded that the existing extreme programming practices are not
adequate in terms of security, hence new security-based XP practices need to be proposed.
Sani [9] conducted a literature survey on DSDM in terms of the security incorporated in it. From the
literature they found that DSDM currently lags behind in providing support for secure
development of software. They found that only a single paper discusses security integration
in DSDM and that no work has yet been done by researchers on secure software development via DSDM.
Their intention is to enhance the current DSDM model so that it can support secure development.
Ghani [10] performed a survey on the model that they had proposed for secure software
development using DSDM, in order to validate their model. After collecting, analyzing and
comparing the results, they concluded that their enhanced DSDM model is very beneficial for developing
secure software.
Adila [11] presented an extensive survey on feature driven development. The aim of the literature survey is
to study feature driven development with the intention of producing secure software. They found
that there is no reputable research on feature driven development and its integration
with security, and finally they summarized that there is a need for a revised feature driven model
that can facilitate the secure development of software without compromising the agile manifesto.
Oueslati [12] conducted a systematic review of agile development methodology and elaborated on the
challenges it faces while developing secure software. They found 20 challenges in 10 studies,
categorized them, and found that 14 out of 20 challenges are valid with respect to agile methodology
and 6 are invalid in the case of agile principles. They concluded that secure software development
using agile is quite challenging and that there is a lot of space for researchers to work in this area.
Othmane [13] performed a systematic review, and this review is a mere extension of the review in [12]
mentioned above. The parameters and results of both reviews are almost the same; the
difference between [12] and [13] is the number of papers selected for each review: in
[13] the number of papers is double the number selected by [12].
From the above literature, it is found that the majority of studies focus on a particular agile
practice such as XP, DSDM or FDD in their reviews [1, 10, 9, 11]. Their focus is to identify
how much work has been done on security integration in agile or in particular agile practices;
secondly, the scope of some studies [12, 13] is limited to a small number of research papers. Although
the reviews performed in [41, 44] are very systematic, they are not very systematic in terms of agile
practices. The intention of this study is to perform a comprehensive literature review that is not limited
to any specific agile practice; this study takes all agile practices into account rather than
some specific practice of agile. Considering all agile practices with regard to secure software
development in a systematic manner makes our study unique compared with the studies mentioned above.
3. METHODOLOGY
In this literature study, the research methodology followed is the Systematic Literature Review (SLR).
An SLR is a mechanism for identifying, understanding and evaluating all existing research related
to a specific research question, topic area or matter of interest. An SLR involves the following
stages: planning, conducting and reporting [14]; the complete procedure is shown in
Fig. 1. The individual research studies that feed a systematic review are known as primary
studies, whereas a systematic review is a kind of secondary study.
The need for the systematic study (Step 1) arises from the following common reasons:
• To summarize the relevant research evidence that is significant for incorporating
security in agile.
• To identify gaps in current research and to propose areas for further
investigation.
• Systematic reviews may be used to study the degree to which experimental evidence
supports or negates suppositions, or even to promote the development of novel theories.
A search experiment was conducted, recording the following search string in the ACM
Digital Library, Springer and IEEE Xplore. The literature obtained from the string
search may be helpful in discovering a trend for software development
and for verification & validation of the preferred search items and the desirable protocols.
((“Incorporating Security” OR “Integrated Software Security” OR “Secure Software
Development” OR “Software Security”) AND (“Agile Practices” OR “Dynamic Systems
Development Method” OR “Extreme Programming” OR “Feature Driven Development”)
AND (“Challenges” OR “Issues”)).
• The research questions (Step 2) in Section 3.1 indicate what should be extracted from
the selected studies.
Figure 1: SLR Process
3.1 Research Questions
Staples and Niazi (2007) [15] encouraged search criteria that are considered
in order to assure the quality of the research papers and to exclude non-relevant work. The research
questions discussed in this work are as follows:
RQ1. What types of approaches are being suggested for the purpose of security incorporation in
agile and its practices?
RQ2. What is the role of Security expert/ Engineer in these approaches?
RQ3. What kind of challenges emerge while incorporating security in agile and its practices?
The protocol review (Step 3) serves to overcome likely investigator bias and to
allow duplication of the study (Kitchenham, 2007) [14]. Step 4 is the evaluation of the
protocol, which also gives scholars practice in executing studies systematically. Based on feedback
and the knowledge collected during its development, we repeatedly refined the evaluation
structure. A summary of the final protocol is presented in Sec. 3.2 to Sec. 3.5.
3.2 Search Strategy
We adapted the procedure proposed in (as shown in Fig. 2) for the selection of work. From the
research questions, we extracted the key phrases for the search. In order to validate the
quality of the search strings, we conducted a sample search on IEEE Xplore, Science Direct
and Google Scholar.
Figure 2: Search Strategy
3.3 Study Selection Criteria
The vital aspect for accepting a paper as a primary study is its data: the studies to
be used are those related to our key phrases, similar to those described in the test
search (the counts are shown in Table 1), and therefore able to answer the research questions. So, all
papers on incorporating security in agile and its practices are included. We eliminated
non-English data, that is, books, text and presentations. We ignored material that did not match
our search strings, data not relevant to security in agile development, and studies that do
not address agile development practices.
Table 1: Criteria for Selection Study
Selection of study | Papers left
Based on complete text | 45
Based on Abstract | 69
Based on title | 102
Based on searched strings | 172
3.4 Study Selection Procedure
The study selection procedure (Step 5) was performed to obtain a shared analysis of
the selection criteria among the investigators who organized the review. The selection criteria
were applied to the title and the abstract and, essentially, to the complete text of the papers
in the related area. As an experiment, we solely evaluated 69 randomly selected studies from a
search conducted in ACM, Google Scholar, Springer and IEEE Xplore.
We documented the unclear explanations of the questions and the selection principles on which the
judgment for selection was exclusively grounded. Applying the search string, we found a total of 45
papers that have data related to incorporating security in agile and its practices (as
shown in Graph 1). We rejected documents that emphasize domains other than our
area of study. We aggregated the needed sections from the papers to strengthen the inferences about
incorporating security in agile (as shown in Fig. 3). In addition, we once more
read the selected papers and made sure that the papers selected are valid as
evidence for integrated security in agile practices (as shown in Table 2), as the outcomes per
basis and increased points of indications gathered (as shown in Graph 2).
Graph 1: Selected Papers
3.5 Study Quality Assessment
This section (Step 6) describes the quality of our research. We hardly found relevant work for the
questions that entirely supports our research work. Using the data collected, we supported our
choices and explorations. With QA1, we identified the relevant approaches that incorporate
security in agile and its practices. With QA2, we examined the challenges that emerge while
incorporating security in agile. With QA3, we evaluated whether those approaches were sufficient for
integrating security in agile development.
Figure 3: Selection of Primary Studies
Table 2: Results over sources
 | IEEE | Google Scholar | Elsevier | ACM | Science Direct | Springer
Primary studies | 11 | 17 | 2 | 7 | 3 | 5
Total Found | 29 | 60 | 15 | 16 | 19 | 33
Candidate studies | 16 | 40 | 10 | 9 | 12 | 15
3.6 Data Extraction
In a similar fashion, we broke down the work. Data extraction (Step 7) was carried out in an
iterative manner. We followed the guidance given by [14], which anticipates that it may be
challenging to define in advance a comprehensive set of attributes for the whole
data set. We started the extraction form with attributes such as research techniques and
perspectives, mapped to the particular questions addressed by each attribute (as
shown in Table 3).
Table 3: Data Extraction
Attributes | Research question
Title/Year/Author | Overview of candidate literature
Context | Overview of candidate literature
Search Strategy | SLR
Graph 2: Number of results per sources
4. RESULT AND ANALYSIS
RQ1. What types of approaches are being suggested for the purpose of security
incorporation in agile and its practices?
To answer RQ1, we conducted a detailed analysis to support our findings (see Table 4).
Twenty six studies are considered for analysis; the basis for including a study in this
review is that it provides a technique, method, principle or framework for integrating
security in agile methodology and its practices. The parameters of this study were drawn from
numerous existing methodologies, and the studies were evaluated on the basis of the following
parameters: (1) the particular agile practice for which a security incorporation mechanism is
provided [10]; (2) involvement of a security engineer/expert in the technique [16], [17];
(3) provision of a framework or principle for security integration [10], [9]; (4) the research
methodology used in the study [18]; (5) the domain considered in the paper [19], [20]. It has been
observed that, out of the total, 50% of the studies consider integration of security in agile
generally, while 15% consider Scrum, 23% XP, only 12% FDD, and no study mentions any mechanism for
security integration in DSDM (see Graph 3). These agile practices are included in this literature
study because they are considered popular among researchers and practitioners.
Table 4: Selected Studies Analysis
Title | Year of Publication | Agile Practice [10] | Involvement of security engineer/expert [16],[17] | Framework/security principle [10],[9] | Methodology [18] | Domain [19],[20]
Agile Development of Secure Web Applications [19] | 2006 | FDD | No | Principle | Case Study | Web applications
Agile Security using an incremental architecture [21] | 2005 | Agile | No | Principle | Exploratory | Not mentioned
Agile Development with Security Engineering Activities [22] | 2011 | Agile | No | Framework | Case Study | Mobile application
Improved Extreme Programming Methodology with Inbuilt Security [23] | 2011 | XP | No | Framework | Case Study | Web applications
FISA-XP: An Agile-based Integration of Security Activities with Extreme Programming [16] | 2014 | XP | Yes | Framework | Experiment | Not mentioned
Selection of Security Activities for Integration with Agile Methods after Combining their Agility and Effectiveness [24] | 2014 | Agile | Yes | Framework | Exploratory | Not mentioned
A Novel Security-Enhanced Agile Software Development Process Applied in an Industrial Setting [25] | 2015 | Agile | Yes | Framework | Experiment | Mobile application
Extending the Agile Development Approach to Develop Acceptably Secure Software [26] | 2014 | Agile | No | Principle | Case Study | Web applications
ROLE-BASED EXTREME PROGRAMMING (XP) FOR SECURE SOFTWARE DEVELOPMENT [27] | 2013 | XP | Yes | Framework | Exploratory | Not mentioned
Developing a Secure website using Feature Driven Development (FDD) [20] | 2013 | FDD | No | Not mentioned | Case Study | Web applications
Risk-Driven Security Metrics in Agile Software Development – An Industrial Pilot Study [28] | 2012 | Agile | No | Framework | Experiment | Mobile application
Secure Software Development Model: A Guide for Secure Software Life Cycle [29] | 2010 | XP | Yes | Framework | Exploratory | Not mentioned
S-Scrum: a Secure Methodology for Agile Development of Web Services [30] | 2013 | Scrum | No | Framework | Case Study | Web applications
Towards Agile Security Assurance [31] | 2005 | Agile | No | Principle | Exploratory | Not mentioned
Extending XP Practices to Support Security Requirements Engineering [32] | 2006 | XP | Yes | Framework | Experiment | Web applications
Security Planning and Refactoring in Extreme Programming [33] | 2006 | XP | No | Principle | Case Study | Web applications
Security Backlog in Scrum Security Practices [34] | 2011 | Scrum | Yes | Framework | Exploratory | Not mentioned
Integrating Security into Agile Development Methods [35] | 2005 | Agile | No | Principle | Case Study | Web applications
Development of Agile Security Framework Using a Hybrid Technique for Requirements Elicitation [17] | 2011 | Agile | Yes | Framework | Case Study | Not mentioned
Integration Analysis of Security Activities from the perspective of agility [36] | 2012 | Agile | Yes | Principle | Exploratory | Not mentioned
Integrating Software Development Security Activities with Agile Methodologies [37] | 2008 | Agile | Yes | Principle | Exploratory | Not mentioned
Using Assurance Cases to Develop Iteratively Security Features Using Scrum [38] | 2014 | Scrum | No | Framework | Case Study | Communication
Secure Feature Driven Development (SFDD) Model for Secure Software Development [39] | 2013 | FDD | Yes | Framework | Exploratory | Not mentioned
Secure Scrum: Development of Secure Software with Scrum [40] | | Scrum | No | Framework | Survey | Not mentioned
The Creation of a Distributed Agile Team [41] | 2007 | Agile | No | Framework | Exploratory | Web Services
Towards Agile Security in Web Applications [42] | 2006 | Agile | Yes | Principle | Exploratory | Not mentioned
Graph 3: Agile practices that integrate security
RQ2. What is the role of Security expert/Engineer in these approaches?
In order to develop secure software, it is important to have a dedicated person with a fair
amount of knowledge about software security, in other words a security expert [24], [16].
Security experts should be responsible for the proper integration of security in a particular software
system [24], [36]. Traditionally, the involvement of a security expert in agile software development for
developing secure software has been considered overhead [27]. But it has been observed that for
developing secure software using agile it is important to have a security expert, and that this will
increase the level of agility in development [16], [36]. Most of the time, development teams are not
aware of or familiar with security-related constructs and issues in developing secure software, and
because of this lack of security expertise it is difficult for developers to properly integrate
security in projects; this increases the development time, which in turn affects the delivery time of
agile increments [36], [29]. Thus, it is important to involve a security expert in agile
methodology to facilitate secure development. From the literature reviewed, it is found
that 54% of studies do not mention the involvement of a security expert in the approaches they
propose for secure software development using Agile and its practices, which is a major
drawback of these techniques, and the remaining 46% mention the involvement of a security expert in
their approaches (see Graph 4).
Graph 4: Numbers of studies involving security expert
46% of studies encourage the participation of a security engineer. After analyzing the studies that
encourage the participation of a security expert, it is found that [36], [16], [24], [37] calculate the
agility degree of various security activities using different techniques and propose that
activities with a high agility degree be integrated with agile methods so that the agility of the
methods is not disturbed. If the security engineer is involved throughout the development
process, a high agility value is assigned, and partial involvement is assigned low agility
values [16]. The rest of the studies practically involve a security expert in their proposed techniques.
We have analyzed these studies on the basis of two parameters derived from the above
discussion: (P1) involvement of the security expert throughout the development lifecycle or in a
particular phase, and (P2) clear definition and description of the roles and responsibilities of the
security expert (see Table 5).
Table 5: Involvement of Security Expert in SDLC phases
Paper | P1 | P2
[25] | Throughout development lifecycle |
[27] | Not mentioned |
[29] | Requirement engineering & design phase |
[32] | Requirement engineering phase |
[34] | Documentation, analysis & testing phase |
[17] | Requirement engineering phase |
[39] | Documentation, Development & testing phase |
In Table 5, only [25] encourages the involvement of security experts throughout the
development life cycle with defined roles, but the major drawback of this approach is that it involves
more security expertise than required, such as a security manager, security architect and security expert.
Involving a number of security experts, e.g. 3 or more security-related personnel, in an agile team
does not seem to be effective and may be considered overhead, whereas [34] doesn't involve the expert
throughout the development life cycle and only partially defines the role and responsibilities of the
security expert.
RQ3. What kind of challenges emerge while incorporating security in agile and its
practices?
Below are some of the challenges reported in the literature that limit the ability of agile
methodology and its practices to produce secure software (see Table 6). It is observed that
challenges Ch1, Ch5, Ch10 and Ch12 are closely related to collaboration and awareness
among stakeholders in an agile development environment. Challenges Ch2, Ch4, Ch7 and Ch11 are
often caused by the iterative and incremental nature of agile development methodology.
Challenges Ch3 and Ch9 occur as a consequence of security assurance of agile increments.
Ch6, Ch8 and Ch13 are directly related to the development life cycle of agile. In order to improve
agile methodology and its practices to provide secure software, it is necessary to eliminate
these challenges or to reduce their effect to the minimum possible level.
Table 6: Agile security challenges
Code | Challenge | Papers
Ch1 | Need of separation of roles between software developer and security expert | [42],[40],[37],[29]
Ch2 | Security assurance of increment & activities are difficult if the code is changing continuously. | [31],[26]
Ch3 | Detailed documentation is required for security assessment | [31],[42]
Ch4 | Security constraints are violated due to refactoring | [31],[33]
Ch5 | Lack of experience of developers in developing secure software | [29],[20],[24]
Ch6 | Neglecting risk assessment | [32],[28],[19]
Ch7 | Security requirements are difficult to track if requirements change frequently. | [32]
Ch8 | Security measure is not considered in every iteration | [31],[23],[19],[26]
Ch9 | Test cases are not adequate to ensure the integration of security related requirement | [31],[24]
Ch10 | Lack of security requirements and considerations | [7],[17]
Ch11 | Requirements change and design change violate the security requirement of the system. | [32],[17]
Ch12 | Unawareness of customer in term of security | [34],[39]
Ch13 | Neglecting security requirements in elicitation phase | [32],[19],[17]
5. DISCUSSION
After reviewing and analyzing the literature, it is observed that involvement of a security expert
throughout the development life cycle is necessary in order to address security-related concerns and
for proper integration of security in agile increments. In the majority of studies (54%) a security
expert is unavailable, and it seems undefined who will be responsible for maintaining the
security of agile increments and deliverables. In the absence of a security expert it is hard to define
who will be responsible for this critical task, because it is quite unjustified to hand over this
critical task to individuals with limited knowledge and background in software security. If this
important and critical task is assigned to teams or individuals who are not experts in the field of
software security, it will not only increase the cost in terms of time but also negatively affect the
quality of the software in terms of security.
Out of the total, 45 % of the studies mention the involvement of a security expert in their
techniques, but the major drawback of these studies is that they do not facilitate the involvement of
the security expert throughout the development life cycle, and secondly there is no clear description of
the roles and responsibilities of the security expert. Ch1, Ch5 and Ch12 (see Table 6) can be addressed by
involving a security expert with defined and separate roles and responsibilities in the software
development life cycle. Ch13 and Ch10 can be managed by involving the security expert in the
requirements engineering phase to take security requirements into account. Involving the
security expert in the construction phase can affect Ch7, Ch8 and Ch11 positively by keeping a
critical eye on the construction phase in terms of security. Ch2 and Ch9 can be handled by involving the
security expert in the testing and transition phase.
From the above discussion, it is found that useful techniques have been
proposed for developing secure software using agile. The major weakness of these
techniques, due to which they are not able to properly integrate security in agile, is the lack of
involvement of a security expert or, if one is involved, that he is not involved throughout the
development life cycle and his roles and responsibilities are not defined. So it is quite important
to involve a security expert with defined roles and responsibilities throughout the
agile development life cycle, i.e. in the inception, construction and transition phases, in order to take
care of the security-related aspects of the software and for fruitful integration of security in every
agile iteration and deliverable. It has been drawn from the literature that if security is not considered
in every phase of the agile development cycle, it makes secure software development challenging
and leaves possible glitches in the developed software in terms of security.
6. CONCLUSION
To gain insight into the current status of security in the agile development cycle and its techniques,
a systematic literature review (SLR) has been conducted that highlights the current issues of
security in agile practices. Agile has been criticized for lacking security due to its incremental
approach. Some complications have been highlighted, such as the lack of consideration of security
throughout the agile development life cycle and the absence of a dedicated resource person with
a fair knowledge of software security and defined responsibilities. From the review it has been
observed that some researchers agree that there should be a defined role to fulfil security
aspects across the complete lifecycle. In the future, we plan to develop a framework to
address the issues mentioned in this paper, so that security can be integrated in agile properly,
correctly and with ease, and to obtain better results.
7. REFERENCES
[1] I. Ghani, & I.Yasin, (2013) "Software Security Engineering In Extreme Programming Methodology :
A Systematic Literature", Science International Volume No.25 (2), pp-215–221.
[2] M. V. Mohamed, (2014) "Implementation of Scrum Framework of Agile Methodology for an Online
Project", International Journal of Emerging Technology & Advance Engineering, Volume 4 (7), pp-
435–440
[3] R. C. Martin, (2003.) “Agile Software Development: Principles, Patterns, and Practices”, 1st ed.
Upper Saddle River, NJ, USA: Prentice Hall PTR,
[4] T. Dyba & T. Dingsoyr, (2008) “Empirical studies of agile software development: A systematic
review,” Information and Software Technology Elsevier, vol. 50, (9) 10, pp. 833 – 859
[5] J. Wäyrynen, M. Bodén & G. Boström, (2004) “Security Engineering and Extreme Programming: An
Impossible Marriage?” In Proceedings of the 4th Conference on Extreme Programming and Agile
Methods, Springer-Verlag, Lecture Notes in Computer Science, pp. 117
[6] J. C. Alberts, & R. S. Allen, (2011) “Risk based measurement and analysis: Application to software
security”, Software Engineering Institute, Carnegie Mellon University Pittsburgh.
[7] S. Bryan, (2010) “Streamline Security Practices for Agile Development”, MSDN Magazine.
[8] C. Zannier, H. Erdogmus & Lowell Lindstrom, (2002) “On bricks and walls: Why building secure
software is hard”, Computers & Security, vol. 21(3), pp. 229–238.
[9] A. Sani, & A. Firdaus, (2013), "A Review on Software Development Security Engineering using
Dynamic System Method ( DSDM )", International Journal Of Computer Applications ,Volume No.
69 (25), pp-37–44.
[10] I. Ghani, N. Niknejad, M. Bello, M. W. Chughtai, & S. R. Jeong, (2015) " ( SDSDM ): A Survey
About Its Suitability", Journal of Theoretical and Applied Information Technology, Volume No.74
(1).
[11] A. Firdaus, A. Universiti, I. Ghani, & Teknologi, (2014) "A Systematic Literature Review on Secure
Software Development using Feature Driven Development ( FDD ) Agile Model", Journal of the
Society for Internet Information, Article No 15 (1), pp. 13-27
http://doi.org/10.7472/jksii.2014.15.1.13.
[12] H. Oueslati, (2015) "Literature Review of the Challenges of Developing Secure Software Using the
Agile Approach" 10th
IEEE International Conference on Availability, Reliabilty & security, pp. 540-
547.
[13] Oueslati et al., (2016) "Evaluation of the challenges of developing secure software using agile
approach". International Journal of secure software Enginerring Volume 7 ( 4).
[14] B. Kitchenham, R. Pretorius, D. Budgen, O. P. Brereton, M. Turner, M. Niazi, & S. Linkman, (2010)
"Systematic literature reviews in software engineering – A tertiary study". Information and Software
Technology, Volume No. 52 (8), pp. 792–805. http://doi.org/10.1016/j.infsof.2010.03.006
[15] M. Staples, & M. Niazi, (2007). “Experiences Using Systematic Review Guidelines”. Journal of
Systems and Software, ACM, Vol. 80(9) pp. 1425-1437.
[16] S. Singhal, & H. Banati, (2014) “Fisa-Xp”. ACM SIGSOFT Software Engineering Notes, volume
39(3), pp. 1–14. http://doi.org/10.1145/2597716.2597728
[17] A. Singhal, (n.d.). (2011) "Development of Agile Security Framework Using a Hybrid Technique for
Requirements Elicitation", Advances in Communication & Control, Springer Berlin Heidelberg.
[18] G. E. Richard, (April 2008), "Getting Students to Think about How Agile Processes Can Be Made
More Secure", 21st IEEE Conference on Software Engineering Education and Training pp.51-58.
[19] X. Ge, R. F. Paige, F. a. C. Polack, H. Chivers, & P. J. Brooke, (2006) “Agile development of secure
web applications". Proceedings of the 6th International Conference on Web Engineering, ACM -
ICWE ’06, pp. 305–312 http://doi.org/10.1145/1145581.1145641
[20] A. Firdaus, I. Ghani, Izzaty, & M. Yasin, ( 2013) "Developing Secure Websites Using Feature
Driven Development ( FDD ): A Case Study", Journal of clean Energy Technology, volume 01(4).
http://doi.org/10.7763/JOCET.2013.V1.73
[21] H. Chivers, R. F. Paige, & X. Ge, (2005) “Agile Security Using an Incremental Security
Architecture”, Extreme Programming and Agile Processes in Software Engineering. Springer Berlin
Heidelberg, pp. 57–65.
[22] B. Carlsson, (2011) “Agile Development with Security Engineering Activities”, Proceedings of the
2011 International Conference on Software and Systems Process. ACM, pp. 149–158.
[23] S, B. M., & N. Norwawi, (2011) “Improved Extreme Programming Methodology with Inbuilt
Security”, IEEE Symposium on Computers & Informatics pp. 674–679.
[24] A. Singhal, (n.d.). (2014) “Selection of Security Activities for Integration with Agile Methods after
Combining their Agility and Effectiveness,”volume 6 (2), pp. 57–67
[25] D. Baca, M. Boldt, B. Carlsson, & A. Jacobson, (2015) "A Novel Security-Enhanced Agile Software
Development Process Applied in an Industrial Setting", 10th International Conference on
Availability, Reliability and Security. http://doi.org/10.1109/ARES.2015.45.
[26] L. Othmane, P. Angin, H. Weffers, & B. Bhargava, (2014) "Extending the Agile Development
Approach to Develop Acceptably Secure Software", Dependable and Secure Computing, IEEE
Transactions on volume 11(06), pp 1–14. http://doi.org/10.1109/TDSC.2014.2298011
[27] I. Ghani, & A. Firdaus. (2013) "Role-Based Extreme Programming (XP) For Secure Software
Development" Vol. 25,
[28] R. M. Savola, C. Frühwirth, & Pietikäinen, (2012) "A. Risk-Driven Security Metrics in Agile
Software Development – An Industrial Pilot Study", Journal of Universal computer Science, volume
18( 12) , pp.1679–1702.
[29] M. I. Daud, (2010 ) "Secure Software Development Model : A Guide for Secure Software Life
Cycle.", International Multiconference of Engineers and computer scientist volume No.1. pp. 17-19.
[30] D. Mougouei, N. Fazlida, M. Sani, & M. M. Almasi, (2013) "S-Scrum : a Secure Methodology for
Agile Development of Web Services", world of computer science & Information Technology Journal
volume No. 3 (1), pp. 15–19.
[31] K. Beznosov, & P. Kruchten, (2005), "Towards Agile Security Assurance", Proceedings of the 2004
workshop on New security paradigms. ACM, pp. 47–54.
[32] Boström, K. Beznosov, & P. Kruchten, (2006) "Extending XP Practices to Support Security
Requirements Engineering", International Workshop on Software Engineering for Secure Systems,
ACM pp. 11–18.
[33] E. G., Aydal, R. F. Paige, H. Chivers, & P. J. Brooke, (2006) "Security Planning and Refactoring in
Extreme Programming", Springer Berlin Heidelberg, pp. 154–163.
[34] Z. Azham, (2011) "Security Backlog in Scrum Security Practices" 5th Malaysian Conference on IEEE,
pp. 414–417
[35] M. Siponen, R. Baskerville & T. Kuivalainen, 2005 “Integrating Security into Agile Development
Methods”, System Sciences, 2005. HICSS'05. Proceedings of the 38th Annual Hawaii International
Conference on. IEEE, pp.185a-185a
[36] Singhal, A. (2012). “Integration Analysis of Security Activities from the perspective of agility”
Conference on IEEE http://doi.org/10.1109/AgileIndia.2012.9
[37] H. Keramati, (2008) "Integrating Software Development Security Activities with Agile
Methodologies", Computer System & Application International conference on IEEE, pp 749-754.
[38] L. Othmane, (2014) "Using Assurance Cases to Develop Iteratively Security Features Using
Scrum", 9th International Conference on IEEE http://doi.org/10.1109/ARES.2014.73.
[39] A. Firdaus, I. Ghani, & S. Ryul, (2014) "Secure Feature Driven Development ( SFDD ) Model for
Secure Software Development” 2nd International Conference on Innovation, Management and
Technology Research Procedia - Social and Behavioral Sciences Elsevier, Volume No.129, pp. 546–
553. http://doi.org/10.1016/j.sbspro.2014.03.712.
[40] C.Pohl, (n.dl.). ( 2015) "Secure Scrum : Development of Secure Software with Scrum" arXiv preprint
arXiv: 1507.02992.
[41] P, K & F Cannizzo, British, (2007) "The Creation of a Distributed Agile Team", In Agile Processes
in Software Engineering and Extreme Programming, Springer Berlin Heidelberg pp. 235-239.
[42] V. Kongsli, (2006) "Towards Agile Security in Web Applications", Companion to the 21st ACM
SIGPLAN symposium on Object-oriented programming systems, languages, and applications. ACM,
pp. 805-808.
[43] Usman Rafi, Tasleem Mustafa, (2015) “US-Scrum: A Methodology for Developing Software with
Enhanced Correctness, Usability and Security”. International Journal of Scientific & Engineering
Research, Volume 6, (9), 377 ISSN 2229-5518. pp- 377-383.
[44] A. A. Liza, M. G. Andrew, B.W. Gary, (2012)" Emergence of Agile Methods: Perceptions from
Software” Practitioners in Malaysia, Conference of IEEE Agile India, pp. 30-39
[45] A. Tuli, et al. (2014), "Empirical investigation of agile software development: cloud
perspective." ACM SIGSOFT Software Engineering Volume 39(4) pp. 1-6
Authors
Raja Khaim Shahzad was born in Islamabad, Pakistan. He is a research student who
completed a BS (CS) at PMAS Arid Agriculture University Rawalpindi, Pakistan in
2012 and is now pursuing an MS (CS) at the same university. His research areas are software
engineering, agile software development, software security, and information security.
Saba Naz is a research student who completed an MCS at International Islamic University
Islamabad, Pakistan in 2013 and is now pursuing an MS (CS) at PMAS Arid Agriculture
University Rawalpindi, Pakistan. Her research areas are image processing, software
security, information security, and data mining.
Syed Fakhar Abbas is a research student who completed an MCS at PMAS Arid Agriculture
University Rawalpindi, Pakistan in 2009 and is now pursuing an MS (CS) at the
same university. His research areas are software engineering and web development.
Naila Iqbal is a research student who completed a BSCS at Fatimah Jinnah University
Rawalpindi, Pakistan in 2013 and is now pursuing an MS (CS) at PMAS Arid
Agriculture University Rawalpindi, Pakistan. Her research areas are software
engineering, agile software development, and requirement engineering.
Mamoona Humayun received her Ph.D. in computer science from Harbin Institute of
Technology, Harbin, China, in 2014. She is an assistant professor at University
Institute of Information Technology, PMAS-Arid Agriculture University
Rawalpindi. Her research interests are global software development,
requirement engineering, knowledge management, and web application
security vulnerabilities.

How to Configure Vendor Management in Lunch App of Odoo 18
Celine George
 
FEBA Sofia Univercity final diplian v3 GSDG 5.2025.pdf
FEBA Sofia Univercity final diplian v3 GSDG 5.2025.pdfFEBA Sofia Univercity final diplian v3 GSDG 5.2025.pdf
FEBA Sofia Univercity final diplian v3 GSDG 5.2025.pdf
ChristinaFortunova
 
Webcrawler_Mule_AIChain_MuleSoft_Meetup_Hyderabad
Webcrawler_Mule_AIChain_MuleSoft_Meetup_HyderabadWebcrawler_Mule_AIChain_MuleSoft_Meetup_Hyderabad
Webcrawler_Mule_AIChain_MuleSoft_Meetup_Hyderabad
Veera Pallapu
 
Energy Balances Of Oecd Countries 2011 Iea Statistics 1st Edition Oecd
Energy Balances Of Oecd Countries 2011 Iea Statistics 1st Edition OecdEnergy Balances Of Oecd Countries 2011 Iea Statistics 1st Edition Oecd
Energy Balances Of Oecd Countries 2011 Iea Statistics 1st Edition Oecd
razelitouali
 
How to Manage Upselling of Subscriptions in Odoo 18
How to Manage Upselling of Subscriptions in Odoo 18How to Manage Upselling of Subscriptions in Odoo 18
How to Manage Upselling of Subscriptions in Odoo 18
Celine George
 
IDF 30min presentation - December 2, 2024.pptx
IDF 30min presentation - December 2, 2024.pptxIDF 30min presentation - December 2, 2024.pptx
IDF 30min presentation - December 2, 2024.pptx
ArneeAgligar
 
Different pricelists for different shops in odoo Point of Sale in Odoo 17
Different pricelists for different shops in odoo Point of Sale in Odoo 17Different pricelists for different shops in odoo Point of Sale in Odoo 17
Different pricelists for different shops in odoo Point of Sale in Odoo 17
Celine George
 
Hemiptera & Neuroptera: Insect Diversity.pptx
Hemiptera & Neuroptera: Insect Diversity.pptxHemiptera & Neuroptera: Insect Diversity.pptx
Hemiptera & Neuroptera: Insect Diversity.pptx
Arshad Shaikh
 
Strengthened Senior High School - Landas Tool Kit.pptx
Strengthened Senior High School - Landas Tool Kit.pptxStrengthened Senior High School - Landas Tool Kit.pptx
Strengthened Senior High School - Landas Tool Kit.pptx
SteffMusniQuiballo
 
Ray Dalio How Countries go Broke the Big Cycle
Ray Dalio How Countries go Broke the Big CycleRay Dalio How Countries go Broke the Big Cycle
Ray Dalio How Countries go Broke the Big Cycle
Dadang Solihin
 
Ad

A REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENT

International Journal of Software Engineering & Applications (IJSEA), Vol.7, No.3, May 2016
DOI : 10.5121/ijsea.2016.7304

Raja Khaim1, Saba Naz*1, Fakhar Abbas2, Naila Iqbal3, Memoona Hamayun5
1,2,3,4 University Institute of Information Technology, PMAS University, Rawalpindi Pakistan

ABSTRACT
Agile software development has gained a lot of popularity in the software industry due to its iterative and incremental approach as well as user involvement. Agile has also been criticized for its lack of ability to deliver secure software. In this paper, an extensive literature review has been performed in order to highlight the existing security issues in agile software development. The majority of challenges reported in the literature occurred due to a lack of involvement of a security expert. Improving the security of a software system without damaging the real essence of Agile can be achieved with the continuous involvement of a security engineer throughout the development lifecycle, with defined roles and responsibilities.

KEYWORDS
Agile development, Agile Security Development

1. INTRODUCTION
Agile practices have had a significant impact on software development in recent years [1]. A fair amount of affirmative response has been noted from organizations [2] that use agile practices. These practices are quite popular for producing evolving software [3]. Agile practices are associated with better product quality, customer satisfaction, and developer productivity than traditional waterfall practices [4]. Over time, software security has become a significant concern. Up to a certain level, security is successfully integrated in traditional development by developers [5], but agile development methodology has been seriously criticized for producing less secure software [6], [7].
Acceptance of changing requirements, favoring regular deliveries, and exclusion of security engineering activities make secure software development challenging using agile methodology [8]. This leads to reiteration of agile practices in order to make the software secure, which negatively affects the project timeline, considerably increases costs, and decreases customer trust and satisfaction, which in the end diminishes the notion of these practices as agile [9]. These characteristics serve as the foundation of serious criticism of agile methods for producing insecure software.

In this study, the analysis of related work mostly concerns the issues of integrating security in agile. This paper presents a systematic review of techniques and methods for security integration in agile. Existing techniques and methods, which have not yet produced any significant review or survey on this particular topic, have been scrutinized. For these investigations, the systematic literature review (SLR) technique has been used, and a thorough exploration has been carried out accordingly. The organization of the paper is: Sec. 2 includes the literature review, Sec. 3 includes the materials and methods, Sec. 4 includes the results and inferences, Sec. 5 includes the discussion and Sec. 6 includes conclusions.

2. RELATED WORK
The aim of this section is to elaborate on the literature on incorporating security in agile. Various methods with different approaches have been used to conduct surveys on incorporating security in agile.

A review of extreme programming was conducted by Ghani and Yasin [1]. They studied the literature related to extreme programming from the perspective of security and observed that extreme programming partly supports the integration of security. A few researchers have worked on these topics, but comprehensive information regarding their outcome and usage has not yet been published. They concluded that the existing extreme programming practices are not adequate in terms of security, hence new security-based XP practices need to be proposed.

Sani [9] conducted a literature survey on DSDM in terms of the security incorporated in it. From the literature they found that DSDM currently lags behind in providing support for secure software development.
They found that only a single paper discusses security integration in DSDM and that no work has yet been done by researchers on secure software development via DSDM. Their intention is to enhance the current DSDM model so that it can support secure development.

Ghani [10] performed a survey on the model that they had proposed for secure software development using DSDM, in order to validate it. After collecting, analyzing and comparing the results, they concluded that their enhanced DSDM model is very beneficial for developing secure software.

Adila [11] presented an extensive survey on feature driven development. The aim of the literature survey is to study feature driven development with the intention of producing secure software. They found that there is no reputable research on feature driven development and its integration with security, and they concluded that there is a need for a revised feature driven model that can facilitate the secure development of software without compromising the agile manifesto.

Oueslati [12] conducted a systematic review of agile development methodology and elaborated the challenges it faces while developing secure software. They found 20 challenges in 10 studies, categorized them, and found that 14 out of 20 challenges are valid with respect to agile methodology and 6 are invalid in the case of agile principles. They concluded that secure software development using agile is quite challenging and that there is a lot of room for researchers to work in this area.
Othmane [13] performed a systematic review, and this review is merely an extension of the review in [12] mentioned above. The parameters and results of both reviews are almost the same; the difference between [12] and [13] is the number of papers selected: in [13] the number of papers is double that selected by [12].

From the above literature, it is seen that the majority of studies focus on a particular agile practice such as XP, DSDM or FDD in their reviews [1, 10, 9, 11]. Their focus is to identify how much work has been done on security integration in agile or in particular agile practices. Secondly, the scope of some studies [12, 13] is limited to a smaller number of research papers. Although the reviews performed in [41, 44] are very systematic, they are not very systematic in terms of agile practices. The intention of this study is to perform a comprehensive literature review that is not limited to any specific agile practice; this study takes all agile practices into account rather than some specific practice. Considering all agile practices with regard to secure software development in a systematic manner makes our study unique among the above-mentioned studies.

3. METHODOLOGY
The research methodology followed in this literature study is the Systematic Literature Review. An SLR is a mechanism for identifying, understanding and evaluating all existing research related to a specific research question, topic area or matter of consideration. An SLR involves the following stages: planning, conducting and reporting [14]; the complete procedure is shown in Fig. 1. The individual research studies that feed a systematic review are known as primary studies, whereas a systematic review is a kind of secondary study.
The need for the systematic study (Step 1): the common reasons are:
• To summarize the relevant research evidence that is significant in terms of incorporating security in agile.
• To identify gaps in current research and to propose areas for further investigation.
• Systematic reviews may be used to study the degree to which experimental evidence supports or negates suppositions, or even to promote the development of novel theories.

A trial search was conducted using the following search string in the ACM Digital Library, Springer and IEEE Xplore. The literature obtained from the string search may be helpful in discovering a trend in software development and in the verification and validation of the preferred search terms and the desired protocol.

((“Incorporating Security” OR “Integrated Software Security” OR “Secure Software Development” OR “Software Security”) AND (“Agile Practices” OR “Dynamic Systems Development Method” OR “Extreme Programming” OR “Feature Driven Development”) AND (“Challenges” OR “Issues”)).
• The research questions (Step 2) in Section 3.1 indicate what should be extracted from the selected studies.

Figure 1: SLR Process

3.1 Research Questions
Staples and Niazi (2007) [15] recommended the search criteria that are considered here in order to assure the quality of the research papers and to exclude non-relevant work. The research questions discussed in this work are as follows:

RQ1. What types of approaches are being suggested for the purpose of security incorporation in agile and its practices?
RQ2. What is the role of Security expert/Engineer in these approaches?
RQ3. What kind of challenges emerges while incorporating security in agile and its practices?

The purpose of the protocol review (Step 3) is to overcome likely investigator bias and to allow the study to be replicated (Kitchenham, 2007) [14]. Step 4 is the evaluation of the protocol and serves as practice for scholars in executing studies systematically. Based on feedback and the knowledge gathered during development, we repeatedly refined the evaluation structure. A summary of the final protocol is presented in Sec. 3.2 to Sec. 3.5.

3.2 Search Strategy
We adapted the procedure proposed in (as shown in Fig. 2) for the selection of work. From the research questions, we extracted the key phrases for the search. In order to validate the quality of the search strings, we conducted a sample search on IEEE Xplore, Science Direct and Google Scholar.

Figure 2: Search Strategy
3.3 Study Selection Criteria
The vital criterion for accepting a paper as a primary study is that it elaborates data related to our key phrases, similar to those described in the test search, and therefore answers the research questions; the counts are shown in Table 1. So, all papers on incorporating security in agile and its practices are included. We eliminated non-English material, that is, books, text and presentations. We ignored material that did not match our search strings, data not relevant to security in agile development, and studies that do not address agile development practices.

Table 1: Criteria for Selection

| Study selection | Study papers left |
|---|---|
| Based on complete text | 45 |
| Based on abstract | 69 |
| Based on title | 102 |
| Based on searched strings | 172 |

3.4 Study Selection Procedure
The study selection procedure (Step 5) was performed to obtain a common interpretation of the selection criteria among the investigators who organized the review. The selection criteria were applied to the title and the abstract and, essentially, to the complete text of the papers in the related area. As an experiment, we solely evaluated 69 randomly selected studies from a search conducted in ACM, Google Scholar, Springer and IEEE Xplore. We documented any unclear points in the questions and the selection principles on which the selection decisions were exclusively based. Applying the search string, we found a total of 45 papers with data related to incorporating security in agile and its practices (as shown in Graph 1). We rejected documents that emphasize domains other than our area of study. We aggregated the needed sections from the papers to strengthen the inferences about incorporating security in agile (as shown in Fig. 3).

In addition, we read the selected papers once more and made sure that they are valid as evidence for integrated security in agile practices (as shown in Table 2, which gives the number of results per source), and we increased the points of evidence gathered (as shown in Graph 2).
Graph 1: Selected Papers

3.5 Study Quality Assessment
This section (Step 6) describes the quality of our research. We found hardly any relevant work that entirely supports our research questions. Using the data collected, we supported our choices and explorations. With QA1, we identified the relevant approaches that incorporate security in agile and its practices. With QA2, we examined the challenges that emerge while incorporating security in agile. With QA3, we evaluated whether those approaches were sufficient for integrating security in agile development.

Figure 3: Selection of Primary Studies
Table 2: Results over sources

| | IEEE | Google Scholar | Elsevier | ACM | Science Direct | Springer |
|---|---|---|---|---|---|---|
| Primary studies | 11 | 17 | 2 | 7 | 3 | 5 |
| Total found | 29 | 60 | 15 | 16 | 19 | 33 |
| Candidate studies | 16 | 40 | 10 | 9 | 12 | 15 |

3.6 Data Extraction
In a similar fashion, we broke down the work. Data extraction (Step 7) was carried out in an iterative manner. We followed the guidance given in [14]; it was expected that defining in advance a comprehensive set of values for all the properties might be challenging. We started the extraction form with attributes such as research techniques and perspectives, mapped to the particular questions addressed by each attribute (as shown in Table 3).

Table 3: Data Extraction

| Attributes | Research question |
|---|---|
| Title/Year/Author | Overview of candidate literature |
| Context | Overview of candidate literature |
| Search Strategy | SLR |
Graph 2: Number of results per sources

4. RESULT AND ANALYSIS

RQ1. What types of approaches are being suggested for the purpose of security incorporation in agile and its practices?

In order to answer RQ1, we conducted a detailed analysis to support our findings (see Table 4). Twenty-six studies are considered for analysis. The basis for considering studies in this review is that only those studies are included which provide a technique, method, principle or framework for integrating security in agile methodology and its practices. The parameters of this study were drawn from numerous existing methodologies, and the studies were evaluated on the basis of the following parameters:
(1) The particular agile practice for which a security incorporation mechanism is provided [10].
(2) Involvement of a security engineer/expert in the particular technique [16], [17].
(3) Provision of a framework or principle for security integration [10], [9].
(4) Research methodology used in the study [18].
(5) Domain considered in the particular paper [19], [20].

It has been observed that, out of the total, 50% of the studies consider integration of security in agile generally, while 15% consider it in Scrum, 23% in XP and only 12% in FDD, and no study mentions any mechanism for security integration in DSDM (see Graph 3). These agile practices are included in this literature study because they are considered popular among researchers and practitioners.

Table 4: Selected Studies Analysis

| Title | Year of Publication | Agile Practice [10] | Involvement of security engineer/expert [16],[17] | Framework/security principle [10],[9] | Methodology [18] | Domain [19],[20] |
|---|---|---|---|---|---|---|
| Agile Development of Secure Web Applications [19] | 2006 | FDD | No | Principle | Case Study | Web applications |
| Agile Security using an incremental architecture [21] | 2005 | Agile | No | Principle | Exploratory | Not mentioned |
| Agile Development with Security Engineering Activities [22] | 2011 | Agile | No | Framework | Case Study | Mobile application |
| Improved Extreme Programming Methodology with Inbuilt Security [23] | 2011 | XP | No | Framework | Case Study | Web applications |
| FISA-XP: An Agile-based Integration of Security Activities with Extreme Programming [16] | 2014 | XP | Yes | Framework | Experiment | Not mentioned |
| Selection of Security Activities for Integration with Agile Methods after Combining their Agility and Effectiveness [24] | 2014 | Agile | Yes | Framework | Exploratory | Not mentioned |
| A Novel Security-Enhanced Agile Software Development Process Applied in an Industrial Setting [25] | 2015 | Agile | Yes | Framework | Experiment | Mobile application |
| Extending the Agile Development Approach to Develop Acceptably Secure Software [26] | 2014 | Agile | No | Principle | Case Study | Web applications |
| ROLE-BASED EXTREME PROGRAMMING (XP) FOR SECURE SOFTWARE DEVELOPMENT [27] | 2013 | XP | Yes | Framework | Exploratory | Not mentioned |
| Developing a Secure website using Feature Driven Development (FDD) [20] | 2013 | FDD | No | Not mentioned | Case Study | Web applications |
| Risk-Driven Security Metrics in Agile Software Development – An Industrial Pilot Study [28] | 2012 | Agile | No | Framework | Experiment | Mobile application |
| Secure Software Development Model: A Guide for Secure Software Life Cycle [29] | 2010 | XP | Yes | Framework | Exploratory | Not mentioned |
| S-Scrum: a Secure Methodology for Agile Development of Web Services [30] | 2013 | Scrum | No | Framework | Case Study | Web applications |
| Towards Agile Security Assurance [31] | 2005 | Agile | No | Principle | Exploratory | Not mentioned |
| Extending XP Practices to Support Security Requirements Engineering [32] | 2006 | XP | Yes | Framework | Experiment | Web applications |
| Security Planning and Refactoring in Extreme Programming [33] | 2006 | XP | No | Principle | Case Study | Web applications |
| Security Backlog in Scrum Security Practices [34] | 2011 | Scrum | Yes | Framework | Exploratory | Not mentioned |
| Integrating Security into Agile Development Methods [35] | 2005 | Agile | No | Principle | Case Study | Web applications |
| Development of Agile Security Framework Using a Hybrid Technique for Requirements Elicitation [17] | 2011 | Agile | Yes | Framework | Case Study | Not mentioned |
| Integration Analysis of Security Activities from the perspective of agility [36] | 2012 | Agile | Yes | Principle | Exploratory | Not mentioned |
| Integrating Software Development Security Activities with Agile Methodologies [37] | 2008 | Agile | Yes | Principle | Exploratory | Not mentioned |
| Using Assurance Cases to Develop Iteratively Security Features Using Scrum [38] | 2014 | Scrum | No | Framework | Case Study | Communication |
| Secure Feature Driven Development (SFDD) Model for Secure Software Development [39] | 2013 | FDD | Yes | Framework | Exploratory | Not mentioned |
| Secure Scrum: Development of Secure Software with Scrum [40] | | Scrum | No | Framework | Survey | Not mentioned |
| The Creation of a Distributed Agile Team [41] | 2007 | Agile | No | Framework | Exploratory | Web Services |
| Towards Agile Security in Web Applications [42] | 2006 | Agile | Yes | Principle | Exploratory | Not mentioned |

Graph 3: Agile practices that integrate security
RQ2. What is the role of Security expert/Engineer in these approaches?

In order to develop secure software, it is important to have a dedicated person with a fair amount of knowledge about software security, in other words a security expert [24], [16]. Security experts should be responsible for the proper integration of security in a particular software system [24], [36]. Traditionally, the involvement of a security expert in agile software development for developing secure software is considered an overhead [27]. However, it has been observed that for developing secure software using agile it is important to have a security expert, and that this will increase the level of agility in development [16], [36]. Most of the time, development teams are not aware of or familiar with security-related constructs and issues in developing secure software, and because of this lack of security expertise it is difficult for developers to properly integrate security in projects; this increases the development time, which in turn affects the delivery time of agile increments [36], [29]. Thus, it is important to involve a security expert in agile methodology to facilitate secure development. From the literature reviewed, 54% of studies did not mention the involvement of a security expert in the approaches they proposed for secure software development using agile and its practices, which is a major drawback of these techniques, and the remaining 46% mentioned the involvement of a security expert in their approaches (see Graph 4).

Graph 4: Numbers of studies involving security expert

46% of studies encourage the participation of a security engineer. After analyzing these studies, it was found that [36], [16], [24], [37] calculate the agility degree of various security activities using different techniques and propose that activities with a high agility degree should be integrated with agile methods so that the agility of the methods is not disturbed. If a security engineer is involved throughout the development process, it is assigned a high agility value, and partial involvement is assigned low agility values [16]. The rest of the studies practically involved a security expert in their proposed techniques. We have analyzed these studies on the basis of two parameters derived from the above discussion: (P1) involvement of the security expert throughout the development lifecycle or in a particular phase, and (P2) clear definition and description of the roles and responsibilities of the security expert (see Table 5).

Table 5: Involvement of Security Expert in SDLC phases

| Paper | P1 | P2 |
|---|---|---|
| [25] | Throughout development lifecycle | |
| [27] | Not mentioned | |
| [29] | Requirement engineering & design phase | |
| [32] | Requirement engineering phase | |
| [34] | Documentation, analysis & testing phase | |
| [17] | Requirement engineering phase | |
| [39] | Documentation, development & testing phase | |

In Table 5, only [25] encourages the involvement of security experts throughout the development life cycle with defined roles, but the major drawback of this approach is that it involves more security expertise than required, such as a security manager, a security architect and a security expert. Involving a number of security experts, e.g. 3 or more security-related personnel in an agile team, does not seem to be effective and may be considered an overhead, whereas [34] does not involve the expert throughout the development life cycle and only partially defines the role and responsibilities of the security expert.

RQ3. What kind of challenges emerges while incorporating security in agile and its practices?
Below are some of the challenges reported in the literature that limit the ability of agile methodology and its practices to produce secure software (see Table 6). It is observed that challenges Ch1, Ch5, Ch10 and Ch12 are closely related to collaboration and awareness among stakeholders in an agile development environment. Challenges Ch2, Ch4, Ch7 and Ch11 are often caused by the iterative and incremental nature of agile development methodology. Challenges Ch3 and Ch9 occur as a consequence of the security assurance of agile increments. Ch6, Ch8 and Ch13 are directly related to the agile development life cycle. In order to improve agile methodology and its practices to provide secure software, it is necessary to eliminate these challenges or to reduce their effect to the minimum possible level.

Table 6: Agile security challenges

| Code | Challenge | Papers |
|---|---|---|
| Ch1 | Need of separation of roles between software developer and security expert | [42],[40],[37],[29] |
| Ch2 | Security assurance of increments & activities is difficult if the code is changing continuously | [31],[26] |
| Ch3 | Detailed documentation is required for security assessment | [31],[42] |
| Ch4 | Security constraints are violated due to refactoring | [31],[33] |
| Ch5 | Lack of experience of developers in developing secure software | [29],[20],[24] |
| Ch6 | Neglecting risk assessment | [32],[28],[19] |
| Ch7 | Security requirements are difficult to track if requirements change frequently | [32] |
| Ch8 | Security measures are not considered in every iteration | [31],[23],[19],[26] |
| Ch9 | Test cases are not adequate to ensure the integration of security-related requirements | [31],[24] |
| Ch10 | Lack of security requirements and considerations | [7],[17] |
| Ch11 | Requirements changes and design changes violate the security requirements of the system | [32],[17] |
| Ch12 | Unawareness of customer in terms of security | [34],[39] |
| Ch13 | Neglecting security requirements in elicitation phase | [32],[19],[17] |

5. DISCUSSION
After reviewing and analyzing the literature, it is observed that the involvement of a security expert throughout the development life cycle is necessary in order to address security-related concerns and to properly integrate security in each agile increment. In the majority of studies (54%) a security expert is unavailable, and it seems to be undefined who will be responsible for maintaining the security of agile increments and deliverables.
In the absence of a security expert it is hard to define who will be responsible for this critical task, because it is unjustified to hand it over to individuals with limited knowledge and background in software security. If this important and critical task is assigned to teams or individuals who are not experts in the field of software security, it will not only increase the cost in terms of time but also negatively affect the quality of the software in terms of security. Out of the total, 45 % of the studies mentioned the involvement of a security expert in their techniques, but the major drawback of these studies is that they do not facilitate the involvement of the security expert throughout the development life cycle and, secondly, there is no clear description of the roles and responsibilities of the security expert. Ch1, Ch5 and Ch12 (see table) can be addressed by involving a security expert with defined and separate roles and responsibilities in the software development life cycle. Ch13 and Ch10 can be managed by involving the security expert in the requirements engineering phase, so that security requirements are taken into account. Involving the security expert in the construction phase can positively affect Ch7, Ch8 and Ch11 by keeping a critical eye on the construction phase in terms of security. Ch2 and Ch9 can be handled by involving the security expert in the testing and transition phase.
From the above discussion, it is concluded that useful techniques have been proposed for developing secure software using agile. The major weakness of these techniques, due to which they are not able to properly integrate security in agile, is the lack of involvement of a security expert; or, if an expert is involved, he is not involved throughout the development life cycle and his roles and responsibilities are not defined. So it is important to involve a security expert with defined roles and responsibilities throughout the agile development life cycle, i.e. in the inception, construction and transition phases, in order to take care of the security-related aspects of the software and to integrate security fruitfully in every agile iteration and deliverable. It has been drawn from the literature that if security is not considered in every phase of the agile development cycle, secure software development becomes challenging and possible security glitches are left in the developed software.

6. CONCLUSION
To gain insight into the current status of security in the agile development cycle and its techniques, a systematic literature review (SLR) has been conducted that highlights the current security issues in agile practices. Agile has been criticized for lacking security due to its incremental approach. Some complications have been highlighted, such as the lack of consideration of security throughout the agile development life cycle and the absence of a dedicated resource person with a fair knowledge of software security and defined responsibilities. From the review it has been observed that some researchers agree that there should be a defined role to fulfil security aspects across the complete lifecycle.
In the future, we are planning to develop a framework in order to address the issues mentioned in this paper for security integration in agile properly and correctly with ease and to obtain better results.
Authors

Raja Khaim Shahzad was born in Islamabad, Pakistan. He is a research student who completed a BS (CS) at PMAS Arid Agriculture University Rawalpindi, Pakistan in 2012 and is now pursuing an MS (CS) at the same university. His research areas are software engineering, agile software development, software security and information security.

Saba Naz is a research student who completed an MCS at International Islamic University Islamabad, Pakistan in 2013 and is now pursuing an MS (CS) at PMAS Arid Agriculture University Rawalpindi, Pakistan. Her research areas are image processing, software security, information security and data mining.

Syed Fakhar Abbas is a research student who completed an MCS at PMAS Arid Agriculture University Rawalpindi, Pakistan in 2009 and is now pursuing an MS (CS) at the same university. His research areas are software engineering and web development.

Naila Iqbal is a research student who completed a BSCS at Fatimah Jinnah University Rawalpindi, Pakistan in 2013 and is now pursuing an MS (CS) at PMAS Arid Agriculture University Rawalpindi, Pakistan. Her research areas are software engineering, agile software development and requirement engineering.

Mamoona Humayun received a Ph.D. in computer science from Harbin Institute of Technology, Harbin, China, in 2014. She is an assistant professor at University Institute of Information Technology, PMAS-Arid Agriculture University Rawalpindi. Her research interests are global software development, requirement engineering, knowledge management and web application security vulnerabilities.