
Agile development of secure web applications

Published: 11 July 2006

    Abstract

    A secure system is one that is protected against specific undesired outcomes. Delivering a secure system, and particularly a secure web application, is not easy. Integrating general-purpose information systems development methods with security development activities could be a useful means to surmount these difficulties. Agile processes, such as Extreme Programming, are of increasing interest in software development. Most significantly for web applications, agile processes encourage and embrace requirements change, which is a desirable characteristic for web application development. In this paper, we present an agile process to deliver secure web applications. The contribution of the research is not the development of a new method or process that addresses security concerns. Rather, we investigate general-purpose information system development methods (e.g., Feature-Driven Development (FDD)) and mature security methods, namely risk analysis, and integrate them to address the development of secure web applications. The key features of our approach are (1) a process capable of dealing with the key challenges of web application development, namely decreasing life-cycle times and frequently changing requirements; and (2) an iterative approach to risk analysis that integrates security design throughout the development process.



    Published In

    ICWE '06: Proceedings of the 6th international conference on Web engineering
    July 2006
    384 pages
    ISBN:1595933522
    DOI:10.1145/1145581

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. feature driven development
    2. security risk assessment
    3. web applications

    Cited By

    • (2024) Securing Agile: Assessing the Impact of Security Activities on Agile Development. Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, 10.1145/3661167.3661280, pages 668-678. Online publication date: 18-Jun-2024.
    • (2022) Heuristic Approach to Sustainable Agile Development with Secure Indicators. Intelligent Sustainable Systems, 10.1007/978-981-16-6309-3_42, pages 443-451. Online publication date: 3-Jan-2022.
    • (2021) Challenges and Solutions for Addressing Software Security in Agile Software Development. Research Anthology on Recent Trends, Tools, and Implications of Computer Programming, 10.4018/978-1-7998-3016-0.ch085, pages 1875-1888. Online publication date: 2021.
    • (2021) Scrum metaprocess: a process line approach for customizing Scrum. Software Quality Journal, 10.1007/s11219-021-09551-4. Online publication date: 7-Apr-2021.
    • (2020) Survey on Differences of Requirements Engineering for Traditional and Agile Development Processes. 2020 SoutheastCon, 10.1109/SoutheastCon44009.2020.9397492, pages 1-9. Online publication date: 28-Mar-2020.
    • (2018) Challenges and Solutions for Addressing Software Security in Agile Software Development. International Journal of Systems and Software Security and Protection, 10.4018/IJSSSP.2018010101, 9(1):1-17. Online publication date: Jan-2018.
    • (2018) Secure Software Development in Agile Development Processes of E-Government Applications (E-Devlet Uygulamalarının Çevik Geliştirme Süreçlerinde Güvenli Yazılım). The Journal of International Scientific Researches, 10.23834/isrjournal.396735, 3(1):73-84. Online publication date: 5-Apr-2018.
    • (2017) Agile Web Development Methodologies: A Survey and Evaluation. Software Engineering Research, Management and Applications, 10.1007/978-3-319-61388-8_1, pages 1-25. Online publication date: 9-Jun-2017.
    • (2016) Evaluation of the Challenges of Developing Secure Software Using the Agile Approach. International Journal of Secure Software Engineering, 10.4018/IJSSE.2016010102, 7(1):17-37. Online publication date: 1-Jan-2016.
    • (2015) Systematic Review of Web Application Security Vulnerabilities Detection Methods. Journal of Computer and Communications, 10.4236/jcc.2015.39004, 3(9):28-40. Online publication date: 2015.
