
This chapter presented the methodology employed in this study. Specifically, the available philosophical and methodological approaches to achieving the aims of the study were reviewed and compared, and the adopted methods were considered and justified. The different methods that could be employed to achieve the aims of the study, including interviews and focus groups, were considered; while these were shown to have advantages for eliciting perspectives and opinions, their associated disadvantages were discussed, including that they were highly impractical given the number of participants. The chapter showed how the selected method, questionnaires, was justified and how it formed part of the overall experimentation research and assisted in deriving data about its success or otherwise in terms of the inclusion of UMLsec and the Security Owner role. The development and administration of the selected method were also presented, and the population and sampling methods were explained. The core contribution of the present study, which is the integration of UMLsec and the Security Owner role within an agile process, is presented in the following chapter.

This chapter has presented the methodology to show how it is appropriate for achieving the aims and objectives of the study and, specifically, how the development of the research instruments took account of the hypotheses they were developed to verify. An overview of the research design provided a visual illustration of how the adopted methods are applied to achieve the study objectives.


These methods, the questionnaires and the experimentation, are applied for analysis in chapter six. The experimentation of the proposed framework aims to extend and improve the agile process in terms of security requirements consideration, modelling and management. This framework will now be presented in the following chapter.


CHAPTER FOUR

FRAMEWORK OF INTEGRATING UMLSEC IN AGILE DEVELOPMENT METHODS

Objectives

• Illustrating the proposal of extending Scrum.
• Integration of misuse case analysis and agile security analysis techniques.
• Adopting UMLsec in the extended Scrum framework.


4. Framework of Integrating UMLsec in Agile Development Methods

4.1 Introduction

The literature review (chapter two) examined studies and researchers' attempts at integrating security activities with agile software development methods (Martin, 2003) and motivated the need to integrate security into these methods. The following sections describe the core contributions of this thesis, which are to integrate UMLsec as a security requirements technique and to introduce a Security Owner role to facilitate UMLsec in an agile development method. The discussion concentrates on how to apply UMLsec, and how the Security Owner facilitates it, in software projects that are controlled by the Scrum management framework.

The Scrum framework is the most popular choice for organisations that consider transitioning to agile development, due to its accommodation of rapid requirements change (Eliza et al., 2010, Jakobsen and Sutherland, 2009). The Scrum framework was chosen as the agile development method primarily because all processes within the framework involve communication, interaction, discussion and planning within a team working environment, and the study aims to assess the impact of a Security Owner role on teamwork (chapter two; sections 2.6.1 and 2.6.2). The backlog refinement in Scrum allows team members to discuss thoughts and concerns as well as to understand the workflow. Sprint planning meetings involve a team discussion to prioritise stories and to decide how these stories can be broken down into tasks. The daily Scrum meeting is designed to ensure effective communication and that all members are on the same page; each team member explains progress, tasks to be completed and obstacles to progress. The Sprint review meeting involves the team presenting the product to the Product Owner and, finally, there is a Sprint retrospective meeting where the team meet with the Scrum Master to discuss what went well, what went wrong and how improvements can be made in the future. In the following, the role of Security Owner is described and linked to the artifacts and processes of the Scrum framework reviewed in chapter two; section 2.8. All of these processes involve the human factor; the framework depends entirely on human interaction, so improving security requirements through the introduction of UMLsec requires a human solution to facilitate security requirements consideration.

One of the objectives of this study is to determine how the Scrum team can use UMLsec to prioritise and apply their security requirements. The Scrum framework defines three main actors/roles that should be available in Scrum. The Product Owner decides what the development team will build next, whereas the Scrum Master facilitates the development team's work. The development team are the professionals who actually build the product (Schwaber and Beedle, 2002, Schwaber, 2004). Normally, the responsibility for securing the product lies with the development team, and the prioritisation and identification of security-relevant stories is a negotiation between the Product Owner and the development team. This thesis proposes the addition of a specific Security Owner role who is tasked with helping the Scrum team to apply best security practices and to influence the build in order to create a more secure product through the use of UMLsec.
