ISSN: 2005-4238 IJAST Copyright ⓒ 2019 SERSC

SECURE SOFTWARE DEVELOPMENT BY INTEGRATING SECURITY ACTIVITIES WITH AGILE ACTIVITIES.

Sushil Kumar1*, Ashish Jolly2

1 Department of Computer Science & Engineering, Lovely Professional University, Punjab, India

2 Department of Computer Science, Government College, Kaithal, Haryana, India

Abstract:

Agility is gaining significance during the software development stage because it promotes adaptive planning, incremental and evolutionary development and many other features that are lightweight in nature. Software developed with an agile methodology is not secure by default, because security is not a phase of the software development model; security therefore has to be inserted into the development model from outside to make the software secure. Security is one of the significant issues in today's highly integrated software development industry, and more emphasis is placed on building secure software in order to limit the amount of risk and damage caused by a product developed with the agile approach. Developing secure software while keeping strong agile qualities is always a hard task because of the heavyweight nature of security activities. In this work a novel approach is proposed by which security activities, which are not part of software development models, can be integrated with agile activities. The embodiment of security activities in agile activities rests on the fact that security activities are heavyweight and may reduce agility, i.e. the degree of rapidness, incremental delivery of the software and so on; the integration is therefore done in such a manner that the agility of the agile activities is affected least. To achieve this least impact on agility, the mean agility value of both kinds of activities, agile as well as security, is calculated from the different agile characteristics. The different factors such as cost, time, recurrence and benefits that influence the agility of an activity are also considered, and based upon the importance of these factors an Influencing Factor Value Table (IFVT) is created for both kinds of activities.

Using a Fuzzy Value Compatibility Table (FVCT), the extent to which both kinds of activities can be embodied is estimated from the observations of several software experts. Fuzzy values are used to fill the FVCT instead of binary values, because the embodiment cannot be decided with a binary yes/no or true/false answer: the degree of embodiment extends only to a certain extent, which can only be revealed with fuzzy values, not with binary values. The whole approach for integrating security activities with agile methodologies is monitored with the help of a GUI based framework.

Keywords: Security, Optimization, Agile development

I. INTRODUCTION

In software development, agile refers to a methodology that satisfies the need for flexibility and brings a level of pragmatism to the delivery of the finished product. Agile requires an educational and professional environment in companies because it concentrates on the delivery of discrete fragments or parts of the software rather than on the complete application.


Agile software development normally refers to methods or approaches that break the development work down into small chunks, which reduces the amount of up-front planning and design.

Iterations are short time frames, also known as time boxes, that typically last from one to four weeks. Each iteration involves a cross-functional team working on all the jobs: planning, analysis, design, development, implementation and testing. At the end of an iteration, the working product built in that iteration is demonstrated to the stakeholders. This reduces overall risk and allows the product to adapt to changes rapidly. A single iteration may not add enough functionality to justify a market release, but the objective is to have a releasable, bug-free build at the end of each iteration. Several iterations may be required to release new features.

Fig 1: Life cycle based on agile development

There are various agile software development methods that have great importance in the life cycle of agile development.

Agile software development approaches cover a broad variety of the software development life cycle. Some concentrate on practices, such as XP, pragmatic programming and agile modelling, while others emphasize managing the flow of work, such as Scrum and Kanban. Some address the activities for requirements and development, while others cover the full development life cycle.

Some of the widely used agile software development frameworks are listed below:

1. Adaptive software development (ASD)

2. Agile unified process (AUP)

3. Dynamic systems development method (DSDM)

4. Extreme programming (XP)

5. Feature-driven development (FDD)


Fig 2: Agile Methodologies

II. RELATED WORKS

Noopur Davis et al. presented an overview of traditional processes, values, life-cycle models, environments and procedures that support secure software development. Dave Shackleford et al. showed that security flaws affect operating system components, client applications, web applications and specialised code such as power-generation and other equipment control systems, and that the majority of well-publicised weaknesses are connected to coding problems and application issues. Microsoft [4] described a way to retain key software security practices within agile software development approaches such as Extreme Programming and Scrum. The main objective was to follow the Microsoft Security Development Lifecycle using agile procedures in a way that upholds the principles of both the agile approaches and the SDL process.

Nor Shahriza Abdul Karim, Arwa Albuolayan, Tanzila Saba and Amjad Rehman presented a case study of the practices used in software development in Saudi Arabia and defined a prototype for integrating security into the SDLC environment. The objective was to identify suitable means of introducing security activities into the SDLC.

III. PROPOSED WORK

This section presents the results and discussion for the proposed secure agile development evaluation. The whole simulation is implemented in a Java environment.

Fig 3: Main menu


Fig 3 shows the main GUI panel, implemented in Java, through which the data is entered. The graphical user interface offers options for the agile activities and their implementation.

Fig 3: Adding Security

Fig 3 shows the GUI panel used to add a security activity for evaluation with its different attributes, along with push buttons to add the activity, clear the options and exit the process.

Fig 4: Added Activity

Fig 4 shows the GUI panel after the security activity has been added; a message box confirms the addition with the name of the security activity.


Fig 5: List of securities

Fig 5 shows the GUI listing the security activities together with the attributes entered when each activity was added. This is the full list of security activities added for secure agile development.

Fig 6 (a) Agile Activity process

(b) Agile activity addition

Fig 6 (a) and (b) show the agile menu and the addition of an agile activity with the attributes necessary for the secure agile life cycle.


Fig 7: Agile List

Fig 7 shows all the agile activities added, with the attributes that serve as inputs for the evaluation of the agile development in the GUI panel.

Fig 8: Fuzzy Value Table

Fig 8 shows the fuzzy compatibility table with the necessary attributes: how much security requirement is needed, whether risk analysis is present, and threat modeling, which is one of the crucial steps in the evaluation of the secure agile development cycle. The fuzzy logic structure captures the capability and the compatibility between two proposals in such a way that the process modelled through the inference system is independent of the precise probability distributions involved.

IV. OUTCOME DISCUSSION

1. Proposed Algorithm

Step 1: Start. Let the security activities be S1, S2, S3 … Sn, and select the Sn that has the highest MAVsa, where Sn = security activity.

Step 2: List the agile activities from the FVCT.

Step 3: Evaluate the compatibility value (CV) against the threshold value (TV) of 0.35; keep the agile activities whose CV is greater than the TV.

Step 4: Select the agile activity having the lowest MAV.

Step 5: Check the influencing factor for the selected agile activity and the selected security activity in the IFV table. Select the highest IFV among both activities.

Step 5: Start For

Remove the agile activity from the selected agile activity list.

Repeat the step until the agile activities list is empty.

End For

Step 6: Start For

Remove the security activity from the security activity table.

Repeat the step until the security activity table is empty.

End For

Step 7: Evaluate the embodiment of the security activity, which measures the importance of the security activity in the particular agile development phase.

Step 8: Stop

2. Calculation of Mean Agility Value for activities

Each security activity is assigned a value on a scale of 0 to 5 showing its level of acceptability with respect to each of nine agile features. The higher the value, the more compatible the security activity is with the agile feature; a lower value means the security activity is less agile in nature. So 5 means that the activity is very agile in nature and 0 means that it exhibits the least agile nature. From these values a total agility value is calculated for every security activity. The total agility value shows the overall agile nature of the security activity and is directly proportional to it: a higher total agility value means a more agile nature, and a lower value a less agile nature. The mean of every total agility value is taken to limit the values to a specific range [5,6]. The formula for the calculation of the Mean Agility Value is shown in equation (1):

$\mathrm{MAV}_{sa}(i) = \frac{1}{n}\sum_{j=1}^{n} X(i,j)$ (1)

where n is the total number of agile characteristics and X(i,j) is the agile value of security activity i for agile feature j, as calculated in Table 3.

Table 1: MAV (Mean Agility Value) for security activities

| Phase | Security activity | Modularity | Iterative | Time Based | Parsimony | Adaptive | Incremental | Convergent | People Oriented | Collaborative | Total agility value | Mean agility value |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Pre Phase | Initial Education | 3 | 5 | 5 | 5 | 5 | 5 | 5 | 5 | 4 | 42 | 4.6 |
| Requirement Phase | Security Requirement | 4 | 4 | 4 | 5 | 4 | 3 | 3 | 4 | 4 | 35 | 3.8 |
| Requirement Phase | Identify Trust Boundary | 2 | 5 | 2 | 5 | 4 | 2 | 4 | 2 | 4 | 30 | 3.3 |
| Requirement Phase | Role Matrix | 3 | 4 | 3 | 4 | 3 | 3 | 2 | 4 | 4 | 30 | 3.3 |
| Design Phase | Risk Analysis | 2 | 5 | 2 | 5 | 4 | 3 | 4 | 2 | 3 | 30 | 3.3 |
| Design Phase | Threat Modeling | 1 | 4 | 2 | 1 | 1 | 1 | 3 | 1 | 1 | 15 | 1.6 |
| Implementation Phase | Static Code Analysis | 5 | 5 | 5 | 4 | 5 | 2 | 5 | 5 | 4 | 40 | 4.4 |
| Implementation Phase | Coding Rules | 3 | 4 | 4 | 2 | 5 | 3 | 4 | 2 | 3 | 30 | 3.3 |
| Testing Phase | Security Testing | 1 | 5 | 3 | 3 | 5 | 2 | 4 | 4 | 3 | 28 | 3.2 |
| Testing Phase | Vulnerability Testing | 0 | 5 | 3 | 3 | 5 | 2 | 4 | 4 | 3 | 29 | 3.1 |
| Preparation Phase | Operation Planning | 2 | 2 | 3 | 4 | 4 | 4 | 3 | 4 | 5 | 31 | 3.4 |

Table 2: MAV (Mean Agility Value) for agile activities

| Agile activity | Modularity | Iterative | Time Based | Parsimony | Adaptive | Incremental | Convergent | People Oriented | Collaborative | Total agility value | Mean agility value |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Planning | 4 | 3 | 5 | 3 | 4 | 4 | 4 | 5 | 5 | 37 | 4.1 |
| Coding | 4 | 4 | 4 | 4 | 5 | 5 | 4 | 4 | 4 | 38 | 4.2 |
| Acceptance Testing | 2 | 4 | 3 | 2 | 5 | 2 | 4 | 4 | 4 | 30 | 3.3 |

Tables 1 and 2 show the mean agility calculation for security activities and agile activities, used to evaluate the agile nature of each security activity, which is one of the main and crucial steps in the secure agile development cycle.

Significance of evaluating the Fuzzy Value Table

The Fuzzy Value Compatibility Table measures the level of compatibility of security activities with agile activities. Its values are calculated from the observations of five software experts using fuzzy values based on fuzzy linguistic variables. Five experts are consulted because a single security expert may or may not be able to predict the exact fuzzy values, whereas with five experts a more precise value can be estimated for the embodiment. Fuzzy values are used instead of binary values because the embodiment cannot be decided with a binary yes/no or true/false answer: the degree of embodiment extends only to a certain extent, which can only be revealed with fuzzy values, not with binary values.

For highly secure activities using an agile procedure, the proposed development provides a novel and secure approach. The security activity for embodiment is selected based upon the maximum Mean Agility Value, which ensures that the agility of the security activity in the agile development cycle is maintained. The compatibility values used in the fuzzy value compatibility table are not based on the opinion of one security expert; the average opinion of five security specialists is taken, which helps in finding a more precise value for estimating the embodiment. Figure 9 gives the graphical depiction of the comparison of agile activities with security activities, which is based entirely on the values of the FVCT.

Table 3: Fuzzy Value Compatibility Table (FVCT)

| Agile activity | Initial Education | Security Requirement | Identify Trust Boundary | Role Matrix | Risk Analysis | Threat Modeling | Static Code Analysis | Coding Rules | Security Testing | Vulnerability Testing | Operation Planning |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Planning | 0.68 | 0.80 | 0.83 | 0.83 | 0.87 | 0.62 | 0.2 | 0.08 | 0.5 | 0.53 | 0.57 |
| Coding | 0.44 | 0.5 | 0.5 | 0.44 | 0.50 | 0.50 | 0.80 | 0.86 | 0.77 | 0.71 | 0.50 |
| Testing | 0.5 | 0.5 | 0.5 | 0.45 | 0.45 | 0.83 | 0.5 | 0.77 | 0.86 | 0.86 | 0.38 |


Fig 9 Compatibility of agile with secure activities

It can be seen from fig 9 that the security activity initial education is most compatible with the planning activity compared with the other agile activities, so initial education should be integrated with planning; this gives a high estimated compatibility of the security activity with the agile activity. From this FVCT only those agile activities are selected that reach the minimum threshold value of 0.35. A threshold value of 0.35 means that the selected agile activity is at least 35% compatible for the embodiment. A list is formed of all the agile activities whose value is greater than 0.35, and from this list the agile activity with the lowest MAV is selected. The lowest MAV means that the selected agile activity possesses very few features of the agile methodology; the reason for selecting the lowest MAV is to check the integration against the worst agile activity. Of the selected agile and security activities, the highest IFV is selected. Now, if the combination of the MAV of the agile activity and the IFV is greater than the Delta Value (DV), the embodiment of the selected agile and security activity is possible; otherwise it is not possible to embody both activities. The DV expresses the priority of the security activity, i.e. how important security activities are in a certain agile development phase. The DV relies heavily on the project manager's proficiency and on the development stage, and it varies from organization to organization depending on additional factors such as company environment, software delivery period and software security quality.
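The selection procedure described above, implemented as an added example that is not the paper's framework code: the feature scores of Tables 1 and 2 and the FVCT values of Table 3 are transcribed from the page, while the IFV values, the Delta Value and the reading of "combination of MAV and IFV" as their sum are assumptions, since the page does not give them.

```python
from typing import Dict, List, Optional, Tuple

# Nine agile features scored 0 (least agile) to 5 (most agile) per activity (Table 1).
SECURITY_SCORES: Dict[str, List[int]] = {
    "Initial Education":       [3, 5, 5, 5, 5, 5, 5, 5, 4],
    "Security Requirement":    [4, 4, 4, 5, 4, 3, 3, 4, 4],
    "Identify Trust Boundary": [2, 5, 2, 5, 4, 2, 4, 2, 4],
    "Role Matrix":             [3, 4, 3, 4, 3, 3, 2, 4, 4],
    "Risk Analysis":           [2, 5, 2, 5, 4, 3, 4, 2, 3],
    "Threat Modeling":         [1, 4, 2, 1, 1, 1, 3, 1, 1],
    "Static Code Analysis":    [5, 5, 5, 4, 5, 2, 5, 5, 4],
    "Coding Rules":            [3, 4, 4, 2, 5, 3, 4, 2, 3],
    "Security Testing":        [1, 5, 3, 3, 5, 2, 4, 4, 3],
    "Vulnerability Testing":   [0, 5, 3, 3, 5, 2, 4, 4, 3],
    "Operation Planning":      [2, 2, 3, 4, 4, 4, 3, 4, 5],
}
AGILE_SCORES: Dict[str, List[int]] = {  # Table 2
    "Planning": [4, 3, 5, 3, 4, 4, 4, 5, 5],
    "Coding":   [4, 4, 4, 4, 5, 5, 4, 4, 4],
    "Testing":  [2, 4, 3, 2, 5, 2, 4, 4, 4],
}
# Fuzzy Value Compatibility Table (Table 3): one row per agile activity, columns in SECURITY_SCORES order.
_SEC = list(SECURITY_SCORES)
FVCT: Dict[str, Dict[str, float]] = {
    "Planning": dict(zip(_SEC, [0.68, 0.80, 0.83, 0.83, 0.87, 0.62, 0.20, 0.08, 0.50, 0.53, 0.57])),
    "Coding":   dict(zip(_SEC, [0.44, 0.50, 0.50, 0.44, 0.50, 0.50, 0.80, 0.86, 0.77, 0.71, 0.50])),
    "Testing":  dict(zip(_SEC, [0.50, 0.50, 0.50, 0.45, 0.45, 0.83, 0.50, 0.77, 0.86, 0.86, 0.38])),
}
THRESHOLD = 0.35  # threshold value (TV) of Step 3

def mean_agility(scores: List[int]) -> float:
    """Equation (1): MAV = sum of the nine feature scores divided by n = 9."""
    return sum(scores) / len(scores)

def compatible_agile(security: str, candidates: List[str]) -> List[str]:
    """Step 3: agile activities whose FVCT value for `security` exceeds the threshold."""
    return [a for a in candidates if FVCT[a][security] > THRESHOLD]

def embodiment_possible(agile: str, security: str, ifv: Dict[str, float], delta: float) -> bool:
    """Step 5 check. Assumption: the 'combination' of MAV and IFV is taken as their sum,
    using the higher IFV of the two activities; activities missing from `ifv` count as 0."""
    best_ifv = max(ifv.get(agile, 0.0), ifv.get(security, 0.0))
    return mean_agility(AGILE_SCORES[agile]) + best_ifv > delta

def pair_activities(ifv: Dict[str, float], delta: float) -> List[Tuple[str, Optional[str], bool]]:
    """Steps 1 to 6: take security activities by descending MAV, pair each with the
    lowest-MAV compatible agile activity, and retire an agile activity once embodied."""
    remaining = list(AGILE_SCORES)
    by_mav = sorted(SECURITY_SCORES, key=lambda s: mean_agility(SECURITY_SCORES[s]), reverse=True)
    result: List[Tuple[str, Optional[str], bool]] = []
    for sec in by_mav:
        if not remaining:
            break
        options = compatible_agile(sec, remaining)
        if not options:  # the framework reports "no compatible agile activity" here
            result.append((sec, None, False))
            continue
        agile = min(options, key=lambda a: mean_agility(AGILE_SCORES[a]))
        ok = embodiment_possible(agile, sec, ifv, delta)
        result.append((sec, agile, ok))
        if ok:
            remaining.remove(agile)
    return result

if __name__ == "__main__":
    # Constructed IFV values and DV: the paper leaves both to the project manager.
    for row in pair_activities({"Initial Education": 0.9, "Testing": 0.4}, delta=3.5):
        print(row)
```

With the constructed inputs the first pairing reproduces the case of Fig 10 (Initial Education, MAV 4.7, with Testing, MAV 3.3); raising the Delta Value to 4.5 rejects every pairing, which is how the DV acts as the project manager's security priority knob.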


Fig 10 Proposed evaluation outcomes

Fig 10 shows that in the first phase the security activity selected is Initial education, having the highest MAVsa, i.e. 4.7, and the agile activity selected is Testing, having the lowest MAVaa, i.e. 3.3; after considering all the aspects, the embodiment of these two activities is possible. Similarly, all the selected security activities are checked against the agile activities for the possibility of integration. The framework shows the message "Integration is acceptable" if embodiment is possible, otherwise "no compatible agile activity".

V. CONCLUSION AND FUTURE SCOPE

Software security is one of the main issues in real-world scenarios. This paper presents a method for secure agile software development that computes MAV figures for both agile activities and security activities. The FVCT is created to measure and approximate the compatibility of security activities with agile activities, based on fuzzy values.

The research considers several other influences that affect the embodiment of both activities, namely cost, time and recurrence, on which the IFV is based; this is of great importance for an optimized solution.

Future work will generalize the approach to diverse software environments for obtaining the IFV that affects the embodiment. Other attributes can also be considered, such as time-cost trade-offs, which may also be measured while preserving the embodiment of secure software based entirely on agile development.

REFERENCES

[1] N. Davis, "Secure software development life cycle processes: A technology scouting report", CMU/SEI-2005-TN-024, Carnegie Mellon University, Software Engineering Institute, Pittsburgh, PA, 2005.

[2] D. Robel, "SANS Institute InfoSec Reading Room", 2015.

[3] N. A. Karim, A. Albuolayan, T. Saba and A. Rehman, "The practice of secure software development in SDLC: an investigation through existing model and a case study", Security and Communication Networks, vol. 9, no. 18, pp. 5333-5345, 2016.

[4] M. Howard and S. Lipner, The Security Development Lifecycle, vol. 8, Redmond: Microsoft Press, 2006.

[5] C. T. Lin, H. Chiu and Y. H. Tseng, "Agility Evaluation Using Fuzzy Logic", International Journal of Production Economics, vol. 101, no. 2, pp. 353-368, June 2006.

[6] "Comprehensive, Lightweight Application Security Process", http://www.owasp.org, 2006.

[7] Beznosov and Kruchten, "Towards Agile Security Assurance", NSPW '04: Proceedings of the 2004 Workshop on New Security Paradigms, pp. 47-54, 2004.

[8] B. De Win, R. Scandariato, K. Buyens, J. Grégoire and W. Joosen, "On the secure software development process: CLASP, SDL and Touchpoints compared", Information and Software Technology, vol. 51, no. 7, pp. 1152-1171, 2009.

[9] D. Baca, "Developing secure software in an agile process", Computer Science Department, Blekinge Institute of Technology, Sweden, pp. 129-149, 2012.

[10] D. Baca and B. Carlsson, "Agile development with security engineering activities", in Proceedings of the 2nd Workshop on Software Engineering for Sensor Network Applications, pp. 149-158, 2011.

[11] D. Mellado, E. Fernandez-Medina and M. Piattini, "A comparison of the Common Criteria with proposals of information systems security requirements", in Availability, Reliability and Security, ARES 2006, The First International Conference on, 2006, p. 8 pp.

[12] G. G. Miller, "The Characteristics of Agile Software Processes", Proceedings of the 39th International Conference and Exhibition on Technology of Object-Oriented Languages and Systems (TOOLS'01), 1530-2067/01, IEEE, 2001.

[13] J. Grégoire, K. Buyens, B. De Win, R. Scandariato and W. Joosen, "On the Secure Software Development Process: CLASP and SDL Compared", 29th International Conference on Software Engineering Workshops (ICSEW'07), 0-7695-2830-9/07, IEEE, 2007.

[14] H. Keramati and S.-H. Mirian-Hosseinabadi, "Integrating Software Development Security Activities with Agile Methodologies", IEEE/ACS International Conference on Computer Systems and Applications, AICCSA, 2008.

[15] M. Howard and S. Lipner, "The Security Development Lifecycle - SDL: A Process for Developing Demonstrably More Secure Software", Microsoft Press, 2006.

[16] I. Flechais, M. A. Sasse and S. Hailes, "Bringing security home: a process for developing secure and usable systems", in Proceedings of the 2003 Workshop on New Security Paradigms, pp. 49-57, 2003.

[17] J. Gregoire, K. Buyens, B. De Win, R. Scandariato and W. Joosen, "On the secure software development process: CLASP and SDL compared", in Proceedings of the Third International Workshop on Software Engineering for Secure Systems, p. 1, 2007.

[18] L. A. Zadeh, "Fuzzy Sets", Information and Control, vol. 8, no. 3, pp. 338-353, 1965.

[19] L. A. Zadeh, "The Concept of a Linguistic Variable and its Application to Approximate Reasoning - I", Information Sciences, vol. 8, no. 3, pp. 199-249, 1975.

[20] "Manifesto for Agile Software Development", http://www.agilemanifesto.org

[21] http://www.microsoft.com/security/sdl/default.aspx

[22] M. Siponen, R. Baskerville and T. Kuivalainen, "Integrating Security into Agile Development Methods", in Proceedings of the 38th Annual Hawaii International Conference on System Sciences, 2005.

[23] S. Sonia and S. Archana, "Integration Analysis of Security Activities from the Perspective of Agility", IEEE, pp. 40-47, 2012.

[24] S. Goldman, R. Nagel and K. Preiss, "Agile Competitors and Virtual Organizations", Chapter 3, Van Nostrand Reinhold, 1995.

[25] M. Zulkernine and I. A. Sheikh, "Software Security Engineering: Towards Unifying Software Engineering and Security Engineering".
