2015 03-04 presentation1

Towards Secure Agile Agent-Oriented System Design

4, Mar. 20151


Hassan Adelyar, PhD Student, Tallinn University

Supervisor: Alexander Norta PhD., Senior Researcher of Tallinn University of Technology

March 2015


4, Mar. 20152 Aim of this Research

To enhance agile software development approaches for developing secure digital services using agent-oriented modelling techniques.

Our main objectives are: To identifying security challenges / benefits of agile

during changes to software. To isolate security challenges from agile practices. To integrate security benefits into agile practices.

(See agile practices in appendix A)


4, Mar. 20153 Agenda

Introduction Agile Software Development Approach Software Security

Advancements of the State of the Art Analysis of the Literature

Our Proposed Approach Relationship between changes-to-software, agile and security Methodology

Conclusion Bibliography Appendices


4, Mar. 20154

Introduction


4, Mar. 20155 Agile Software Development Approach

Software Development Approaches: Plan-driven (Waterfall) Incremental (Agile)

Agile is a common software development approach. Focus on delivering working software to customers. Incremental development method, each increment

contain new functionality. Adaptive to support continuous changes at any stage of

software development.


4, Mar. 20156

Agile Manifesto Individuals and interactions over processes and

tools Working software over comprehensive

documentation Customer collaboration over contract

negotiation Responding to change over following a plan


4, Mar. 20157 Software Security

Describes techniques that control who may use, modify or access the software.

Secure system is able to prevent all unauthorized use, modification and access of software.


4, Mar. 20158 Security Attributes [1]:

• Un-exposure of software execution to unauthorized.• Un-exposure of code to unauthorized.Confidentiality

• Software work accordance to its designer desire• Adversaries should not be able to tamper with a

program and cause sub-sequent execution to produce incorrect output.

Integrity

• Be available when needed• Execute in a predictable way• Deliver results in a predictable time frame

Availability


4, Mar. 20159

Importance of Security Software is a critical component for all systems. Cloud based systems. Agile is suitable for cloud based systems. The Internet of Things (IoT) is also governed by cloud

based systems [15]. Sociotechnical systems and service oriented computing

mostly depend on secure digital services. Absence of security in these systems can be

catastrophic.


4, Mar. 201510

On the other hand, agility in the digital services development process does not embrace security practices [2].

Security is difficult to achieve in a software system because of a wide range of security properties and continuous changes of security threats.

Regardless, it is possible to enhance the agile software development process for secure software production.


4, Mar. 201511

Advancements for the State of the Art


4, Mar. 201512

Many researchers contribute in various ways to secure agile software development processes.

Their studies and methods differ with respect to where and how to integrate security into agile software development approaches.


4, Mar. 201513 Analysis of the Previous Researches

Categories (From 21 articles): Studying / Examining / Analyzing / Explaining XP

(Extreme Programming) for security (9 articles) [3], [20], [13], [4], [21], [26], [12], [24],[25].

Integrating Security into a Specific Practice of XP (4 articles) [7], [14], [19], [9].

Integrating Security in all Lifecycle of Software Development (2 articles) [23], [6].

Framework and Model for Security Guidelines (4 articles) [11], 17], [8], [10].

Other Agile Method (2 article) [27], [28].


4, Mar. 201514

The relevant papers lack a holistic review of security challenges and benefits in XP’s practices.

Since security is an emergent system property [30] which means properties of the system as a whole, depend on both the system components and the relationships between them and can only be evaluated once the system has been assembled.

Therefore it is not a good idea to apply security mechanisms only at some practices.

The Microsoft SDL from agile viewpoint is heavyweight because it was design to secure very large product such as Windows and Office with long development cycles.


4, Mar. 201515

Our Proposed Approach


4, Mar. 201516

The aim of our PhD research is to: To Enhance agile software development

approaches for secure digital services using agent-oriented modelling techniques.

The enhancement we study through the adaptation of extreme programming (XP) practices for the development of secure digital services.


4, Mar. 201517

The angle of our research is the analysis of the relationship between: Software and changes Need to changes Agile and changes Security attributes and changes ? Security principles and changes? Agile practices and changes ?


4, Mar. 201518

Agent-oriented models allow to attach quality goals to goal model and constraints to role model.

For our research we use goal model, knowledge model, role model and behavior scenario of agent-oriented modelling technique.

We link security attributes to goal model and security principles to knowledge model. We also benefit from role model and behavior scenarios to identify challenges and benefits and then properly relate them to XP practices.


4, Mar. 201519 Relationship

Changes

Need for Changes

Software

Agile

Security Attribute

s

Security Principle

s

XP Practices


4, Mar. 201520p


4, Mar. 201521 Research Question

The main objective of our research is to enhance agile software development approaches for digital services security.

We identify the security challenges and benefits of XP-practices that relate to the “embrace-changes” principle of agile. Then the challenges can be isolated from XP practices and benefits can be integrated into XP practices.

Our objective is refined into the following main research question:


4, Mar. 201522

“How to enhance / improve XP practices for holistically integrating the security of digital services”.

The main research question is divided into the following sub-questions: Q1) How to identify security challenges / benefits

during the changes to software? Q2) How to isolate / avoid security challenges from XP

practices? Q3) How to incorporate security benefits into XP

practices?


4, Mar. 201523

q.1: What are security challenges for the response-to-changes?

q.2: What are security benefits for response-to-changes? q.3: Which security attributes are affected by these

challenges and benefits?


4, Mar. 201524

For answering these question we conduct a case-study research approach [10].

During the case study we intend to evaluate, and analyze the relative roles of the following aspects in an agile software-development process: Software security attributes General security principles Agile “embrace-changes” challenges Agile “embrace-changes” benefits XP practices


4, Mar. 201525 Data Collection

Our case studies focus on practical software projects for universities in Afghanistan.

Assets for our case study are student data, passwords and software code that need to be secure.

During the case study, we conduct qualitative interviews and brainstorming sessions for identifying and discussing intangible assets with the management.


4, Mar. 201526

The main steps in our case study: 1) We study the negative and positive effects of

changes on the security-attributes based on the security principles.

From the observation of the “changes-to-software”, we deduce hypotheses for security challenges and benefits. When a hypothesis is confirmed either as a security-challenge or security-benefits, we categorize it based on the security attributes.


4, Mar. 201527

The result of this step is two separate sets of challenges and benefits in the form of theories. At the same time these two opposite sets of theories support theory triangulation that is necessary for qualitative case study research.


4, Mar. 201528

2) The confirmed challenges are new hypotheses and through the observation process they are related to a specific XP practice(s). At this point, we are able to isolate these challenges from XP practices.

3) The confirmed benefits are also treated as new hypotheses and through the observation process they are related to a specific XP practice(s). At this point, we are able to incorporate them into XP practices.


4, Mar. 201529 Data Analysis

Since we conduct qualitative case studies, therefore, a qualitative data analysis method is used for all the above three cases.

We categorize the challenges and benefits based on the security attributes and our decision is based on security principles.

During the analysis we try to derive conclusions based on the chains of evidence.


4, Mar. 201530

The cases for our study: Identifying security challenges and benefits, Isolation of challenges from XP practices, Incorporation of benefits into XP practices.

Unit of analysis: Confidentiality Integrity Availability


4, Mar. 201531

We employ Nvivo as tool support for the analysis.

(Detail in case study protocol)


4, Mar. 201532 Conclusion

Agile is a very flexible software development approach and we seek to use agile for satisfying security as a quality goal.

By identifying security challenges and benefits of XP’s practices, in the real-world context, we believe that agile security improve the development of secure digital services.

Our initial findings show that changes to software are an important factor for both security challenges- and benefits. Identifying security challenges and benefits for the “embrace-changes” can explore new security insights in the context of XP’s practices.


4, Mar. 201533

We do have a contribution of understanding in that we can integrate security features into the novel agile agent-oriented modelling (AAOM) technique and then use this method for security-aware change management in XP practices [14].


4, Mar. 201534 REFERENCES

1. Algirdas A., Jean-Claude Laprie, Brian Randell, and Carl Landwehr, (2004). Basic Concepts and Taxonomy of Dependable and Secure Computing. IEEE Transaction on Dependable and Secure Computing.

2. Bejan Baca. (2011). Agile Development with Security Engineering Activities. ACM, USA.

3. Beznosov K., (2003). Extreme Security Engineering: On Employing XP Practices to Achieve “Good Enough Security” without defining it, ACM Press.

4. Chandrabose A. and Alagarsamy K., (2011). Security Requirements Engineering – A Strategic Approach. International Journal of Computer Applications, Madurai, India.

5. Charette R., the Decision is in: Agile versus Heavy Methodologies. Agile development and Project Management, Cutter Consortium, Vol. 2 (19), February 2004.

p


4, Mar. 201535

6. Daniel Owens, Integrating Software Security into the Software Development Lifecycle System Securities. San Diego, CA 92123, USA.

7. Emine G. Aydal, and Richard F., (2006). Security Planning and Refactoring in Extreme Programming. Department of Computer Science, University of York, UK.

8. Eystein Mathisen, and Terje Fallmyr, Using business process modelling to reduce the effects of requirements changes in software projects.

9. Gustav Boström, and Beznosov K., Extending XP Practices to Support Security Requirements Engineering. University of British Columbia, Canada.

10. Haley C. B., Laney R., (2008). Security Requirements Engineering: A Framework for Representation and Analysis.

11. Imran Daud. (2010). Secure Software Development Model: A Guide for Secure Software Life Cycle. Proceeding of the International MultiConference of Engineers and Computer Scientists, IMECS Hong Kong.

p


4, Mar. 201536

12. Imran Ghani and Adila Firdaus, (2013). Role-based Extreme Programming (XP) for Secure Software Development. University Teknologi Malaysia, Skudai, Malaysia.

13. Imran Ghani and Izzaty Yasin, (2013). Software Security Engineering in Extreme Programming Methodology: A Systematic Literature Review. Universiti Teknologi Malaysia, Skudai, Johor, Malaysia.

14. Johan Peeters, Agile Security Requirements Engineering.

15. Ovidiu Vermesan & Peter Friess Internet of Things – From Research and Innovation to Market Deployment, River Publishers, Chicago, USA, 2014.

16. Per Runeson, Martin Host, and Austen Rainer, (2012), Case Study Research in Software Engineering. John Wiley & Sons, Inc., Hoboken, New Jersey, USA.

17. Salini P. and Kanmani S., (2010). A Model Based Security Requirements Engineering Framework. International Journal of Computer Engineering and Technology (IJCET). Volume 1, Number 1

p


4, Mar. 201537

18. Saltzer, Jerome H. & Schroeder, (1975). The Protection of Information in Computer Systems. 1278-1308. in Proceedings of the IEEE.

19. Sonia Archana Singhal, Jyoti Balwani, (2014). Analysing Security and Software Requirements using Multi-Layered Iterative Model. Delhi, India.

20. Steffen Bartsch. Practitioners’ Perspectives on Security in Agile Development. TZI, University of Bremen, Bremen, Germany.

21. Stephen Wood, and Chris Thomson, (2014). Successful extreme programming: Fidelity to the methodology or good team working? University of Leicester, Leicester, UK.

22. Tanel Tenso and Kuldar Taveter, Requirements Engineering With Agent-Oriented Models, Department of Informatics, Tallinn University of Technology.

23. Security Development Lifecycle for Agile Development, 2009 Microsoft Corporation.

p


4, Mar. 201538

24. Christopher Wood & Gregory Knox, (Guidelines for Agile Security Requirements Engineering.

25. George Grispos & William Bradley Glisson, Rethinking Security Incident Response: The Integration of Agile Principles, AMCIS 2014.

26. J. Wäyrynen, M. Bodén, and G. Boström, "Security Engineering and eXtreme Programming: an Impossible marriage?," in Extreme programming and agile methodsXP/Agile Universe 2004, C. Zannier, H. Erdogmus, and L. Lindstrom, Eds. LNSC3134, Berlin: Springer-Verlag, 2004, pp. 117-128.

27. Adila Firdaus, Imran Ghani, and Nor Izzaty Mohd Yasin, Developing Secure Websites Using Feature Driven Development (FDD): A Case Study. Journal of Clean Energy Technologies, Vol. 1, No. 4, October 2013.

28. Abdullahi Sani, Adila Firdaus, Seung Ryul Jeong, Imran Ghani, A Review on Software Development Security Engineering using Dynamic System Method (DSDM). International Journal of Computer Applications (0975 – 8887) Volume 69– No.25, May 2013.

29. Ian Sommerville, SOFTWARE ENGINEERING Ninth Edition, Addison-Wesley, USA, 2011.

p


4, Mar. 201539 Appendix A: XP Practices

XP carries out agile principles through its own practices. There are 12 related practices and works best for small teams of 5 to 15 developers. The following is the list for XP practices: Small release Simple Design Planning game Continuous integration On-site customer

p


4, Mar. 201540

Codding standard Refactoring Pair programming Testing Metaphor Collective ownership 40-hour weeks

p

Thank You

Education

2015 03-04 presentation1