Abstract
Agile methodologies have gained recognition in recent years as being efficient development processes through their quick delivery of software, even under time constraints. Agile methodologies consist of a few process models that have their own criteria in helping different types of projects. However, agile methods such as Scrum, Feature-Driven Development (FDD), and eXtreme Programming (XP) have been criticized due to the lack of availability of security elements in their various phases, resulting in the development of unsecure software. Thus, the authors propose the idea of a set of security-focused elements to enhance the existing agile models. In this chapter, the findings of the related research and the highlights of improved agile models after the integration of security are presented.
Top1. Agile Models
1.1. Scrum
Scrum (Schwaber & Beedle, 2002) is an iterative, incremental software process, which is by far the most popular agile developmental process (Version one, 2006). Scrum can assist with small to medium size projects consisting of many sub-tasks that need to be done. In relation to the idea of iteration, decomposition to small tasks that group them in backlogs and daily meetings; scrum ensures that the process is simple and effective in delivering small and working software packages.
Figure 1 shows the processes of Scrum within a project. It starts with collecting the user stories (requirements) in product backlog; from this product backlog, a sprint backlog is then created. Each sprint will undergo development process while a daily scrum meeting will be held to evaluate the progress and hold discussions about any problems that may have arisen with the current sprint. After concluding the sprints, the finished sprint will become the potentially shippable product to the customer.
1.2. FDD
Even though people have always maintained that iterative processes do not require much planning (Hunt,2006), FDD has proven otherwise. By planning the building of the list of feature processes and subsequent planning by these feature processes, FDD has become well-known for its efficient project management processes. FDD is deemed suitable for small to large scale projects respectively.
Figure 2 shows the existing FDD process model that consists of 5 main phases. In the first phase, Develop an Overall model, the architect will seek to draw out the whole design of the system. The second phase is the creation of a Building a Feature list. This phase will identify a list of features for the whole set of systems. After acquiring a set of features, the project manager will then, specifically: plan the features based on the due dates; assign the feature to class owners and rank the features based on priority. The design of the feature sets will then be started in the Design by Feature phase. Lastly, the feature will be built incrementally by features designed in the Build by Features’ phase.
Figure 2. Existing FDD process model
1.3. eXtreme Programming (XP)
eXtreme Programming (XP) methodology consists of a variety of practices and roles. However, in its original form or so called traditional XP method does not clearly defines that which role should adopt which practice. This confuses the XP team. In order to overcome this confusion, we have mapped the roles and XP practices, which we call role-based XP (Figure 3).
Figure 3. XP practices and their mapping with the roles
The XP practices are used by developers in creating the required software. XP developed the system in a more ‘loose’ fashion since XP does not have any specific standards processes that the development team should follow.
2. Software Security
Security principles (Julia at al., 2008) are the primary concepts which are used to determine appropriate levels of security in software. They are universal guidelines adopted by developers, project planners, practitioners and experts in the security field in order to mitigate risks in the phases of requirement, architecture, design, implementation, testing and maintenance. As illustrated in Table 1, research has been conducted proposing solutions that satisfy some or all of the security principles. The ‘X’ symbol is used when researchers have not mentioned the security principle; while the‘√’ symbol is used when it has been mentioned in their work. For more information about security principles, see (Julia at al., 2008).
Key Terms in this Chapter
Agile Software Development: A software management and development approach that helps to create software quickly while addressing the issue of requirement change.
Security Master: A team member in an agile team who ensures that security has been implemented throughout the development lifecycle from requirement, design, implementation, testing to maintenance.
Secure Software Development: A software management and development approach that focuses on software security throughout the development lifecycle from requirement, design, implementation, testing to maintenance.
DSDM: This process model is also phase-based, which is normally used in resource constraints project.
FDD: This process model consists of 5 main phases.
XP: This methodology consists of a variety of practices. These practices are used by developers in creating the required software.
Scrum: This is an iterative, incremental software process, which is by far the most popular agile developmental process.