Achieving Appropriate Software Security Levels with Agile Software Development

dc.contributor.author Kagombe, Geofrey Gatino
dc.date.accessioned 2023-06-06T12:28:04Z
dc.date.available 2023-06-06T12:28:04Z
dc.date.issued 2023-06-06
dc.identifier.uri http://localhost/xmlui/handle/123456789/6127
dc.description Master of Science in Software Engineering en_US
dc.description.abstract Software security for agile methods is still a major concern. Security has become an integral component of software quality in today's world. This is influenced by the criticality and amount of data the software handles and the volatility of the environment of deployment, e.g. the cloud. In addressing this problem, this research proposes a secure agile software development framework that conforms to standard industry best practice in software security engineering. Agile methods have taken over the software development industry, mainly due to their ability to deliver timely and quality software. Research has also shown that most agile methods are not equipped to handle security and assurance in the developed software. A review of literature conducted in this thesis confirmed the lack of security practices in agile development methods. This research uses Design Science Research (DSR) to build, test and evaluate an agile security engineering framework. It involved a rigorous process to design an agile security framework to solve the observed problems by ensuring that security is part of the development process from the beginning of the project to the end. It was modelled after standard security engineering models targeting the intended security goals. The security framework is agile, meaning it adheres to agile principles. A multiple-case study in an academic and industry setting was conducted to demonstrate and evaluate the utility of the methodology. The evaluation criterion for security capability was the Systems Security Engineering Capability Maturity Model (SSE-CMM) Appraisal Method (SSAM). The agility of the resulting process was evaluated using the four-dimensional analytical tool (4-DAT), and it showed satisfactory compliance of the methodology with agile principles.
The main contributions of this thesis are: the secure framework, which entails a description of the concepts, a pre-game risk analysis, security engineering stages, tasks, tools and techniques; and the generation of a quality theory on practices that promote quality in a software development environment. This research would be of value to researchers as it introduces standard security components of software quality into an agile software development environment, prompting more research in the area. To software developers, the research has provided a secure agile framework that builds security and assurance into the product. This would be a first step towards standardisation of the developer's process model as a secure process. en_US
dc.description.sponsorship Prof. Ronald Waweru Mwangi, PhD, JKUAT, Kenya; Prof. Joseph Wafula Muliaro, PhD, JKUAT, Kenya en_US
dc.publisher JKUAT-COPAS en_US
dc.subject Software Security Levels en_US
dc.subject Agile Software Development en_US
dc.title Achieving Appropriate Software Security Levels with Agile Software Development en_US
dc.type Thesis en_US


This item appears in the following Collection(s)

  • College of Health Sciences (COHES) [756]
    Medical Laboratory; Agriculture & Environmental Biotechnology; Biochemistry; Molecular Medicine; Applied Epidemiology; Medicinal Phytochemistry; Public Health
