Anže Mihelič (Author), Tomaž Hovelja (Mentor), Simon Vrhovec (Co-mentor)

Abstract

The software development workflow is typically defined by a specific development methodology and then further organized into distinct phases for more effective software production. Secure software development aims to integrate security measures throughout this process to create a more secure end product. However, agile methodologies face challenges in incorporating security features because of characteristics such as adaptability, rapid release cycles, and continuous feedback. Existing solutions in the literature propose embedding permanent security roles, processes, and artifacts into agile methods. These solutions, however, are constrained by their lack of adaptability to situational factors and by their method-specific designs, such as for Scrum or Extreme Programming (XP), which limits their applicability to other development methods. In this dissertation, we introduce two novel approaches: the "ATTRACT Approach" for secure software development and an approach for evaluating existing software development methods from a security perspective. Unlike existing solutions, the ATTRACT Approach is not tied to any particular software development methodology. It is designed to incrementally build security knowledge and awareness in a temporary and iterative manner, taking into account the unique circumstances of the development enterprise. It is particularly suited for small and medium-sized enterprises. Meanwhile, our evaluation approach assesses various development methods and their elements based on three core dimensions: enhanced security, cost-efficiency, and retained agility. Both approaches were evaluated in a real-world, longitudinal, multiple-case study. The findings suggest that adopting these approaches elevates the security knowledge and awareness of project teams, fosters security-focused problem-solving, enhances code quality and review processes, and encourages the implementation of customized security measures in the end products. While developers reported a learning curve in adapting these approaches, the teams overall found that their initial expectations were met.

Keywords

secure software development; software engineering; agile; lean; small and medium sized enterprises; software development management; security; computer science; doctoral dissertations

Data

Language: English
Year of publishing:
Typology: 2.08 - Doctoral Dissertation
Organization: UL FRI - Faculty of Computer and Information Science
Publisher: [A. Mihelič]
UDC: 004.411-026.131:334(043.3)
COBISS: 185436163

Other data

Secondary language: Slovenian
Secondary title: Delegation-based agile approach to secure software development for small and medium-sized enterprises (original: Na delegiranju zasnovan agilni pristop k razvoju varne programske opreme za mala in srednje velika podjetja)
Secondary abstract: The software development workflow is usually defined by a development methodology and then, for more effective work, organized into separate phases. To create a more secure end product, secure software development strives to integrate security measures throughout the entire process. However, agile methodologies face challenges in incorporating security elements because of their characteristics, such as adaptability, short cycles, and frequent gathering of feedback. Existing solutions presented in the literature propose permanently embedding security roles, processes, and artifacts into agile methods. Such solutions are limited by their inflexibility to situational factors and by being tailored to specific methods, such as Scrum or Extreme Programming (XP), which limits their applicability. In this dissertation, we present two new approaches: the "ATTRACT Approach" for secure software development and an approach for evaluating existing software development methods from a security perspective. Unlike existing solutions, the ATTRACT Approach is not tied to any particular software development method. It is designed to gradually build knowledge of security-oriented development and security awareness in a temporary and iterative manner, taking into account the unique circumstances of the development enterprise. It is particularly suitable for small and medium-sized enterprises. Meanwhile, our evaluation approach assesses various development methods and their elements on the basis of three core dimensions: improved security, cost-efficiency, and retained agility. Both approaches were tested in an industrial setting with a longitudinal multiple-case study. The findings suggest that adopting these approaches raises the security knowledge and awareness of project teams, encourages a focus on solving security problems, improves code quality and code review processes, and encourages the implementation of tailored security solutions in the end products. Although developers reported a learning curve in implementing these approaches, the teams overall found that their initial expectations were met.
Secondary keywords: secure software development; software engineering; agile; lean; software development management; security; doctoral dissertations; agile software development; small and medium-sized enterprises; computer science; university and higher-education theses
Type (COBISS): Doctoral dissertation
Study programme: 1000474
Thesis comment: Univ. of Ljubljana, Faculty of Computer and Information Science
Pages: XVI, 174 pp.
ID: 22910880