Towards the Integration of Security Practices in Agile Software Development: A Systematic Mapping Review
Abstract
1. Introduction
2. Background
- Secure Software Development Life Cycle (S-SDLC): this model is based on verifying security requirements throughout the different phases of software construction [23,24]. The advantage of adopting an S-SDLC approach is the identification of coding and design errors in the early stages of development [24]. The research paper by Mohino [23] proposes a new Secure Software Development Life Cycle (S-SDLC) that addresses security issues in software development. The S-SDLC includes six phases: requirements, design, implementation, testing, deployment, and maintenance, and integrates specific security activities into each phase. The author emphasizes the importance of incorporating security early in the SDLC process, beginning with the requirements phase. To achieve this, security requirements are derived from business requirements and security policies. During the design phase, the focus is on creating a secure software architecture that aligns with the security requirements. The implementation phase includes secure coding practices that aim to prevent security vulnerabilities. Security testing is carried out during the testing phase to identify and remedy security issues. The deployment phase involves secure deployment and configuration of the software to ensure the software remains secure. The maintenance phase focuses on ensuring the software continues to be secure through ongoing monitoring, vulnerability management, and incident response. The proposed S-SDLC provides a comprehensive approach to integrating security into the SDLC process to develop secure software from the outset. The S-SDLC can also be enriched with several additional security practices and activities.
These practices include a security specification language, a security requirements engineering process, a secure design specification language, a set of secure design guidelines, a secure design pattern, a secure coding standard, and a software security assurance method, which may comprise penetration testing, static analysis for security, and code reviews for security [23].
- Security Assurance Maturity Model (SAMM): the goal of the OWASP SAMM is to be the leading maturity model for software assurance that provides a practical and measurable way for all types of organizations to analyze and improve their software security posture [25]. This model supports the entire software lifecycle, including development and acquisition, and is independent of technology and processes. The Software Security Maturity Model (SAMM) is an open methodology that allows organizations to design and implement a strategy to improve software security [26]. This model addresses the specific software security risks faced by each organization. The Security Assurance Maturity Model (SAMM) is a framework designed to help organizations improve their software security processes. SAMM has four domains: Governance, Construction, Verification, and Deployment. Each domain has three maturity levels, ranging from ad-hoc to optimized processes. The Governance domain covers policy and strategy, which provide direction and guidance for the security program. The Construction domain includes software design, development, and testing. The Verification domain covers testing and analysis to ensure the software is secure. The Deployment domain includes release management, operations, and incident management. SAMM also includes a measurement model, which assesses an organization’s maturity level for each domain. The model evaluates the organization’s practices, policies, and procedures against the SAMM framework. The results provide a roadmap for improvement. SAMM is a flexible and adaptable framework that allows organizations to tailor the model to their needs. It provides guidance and best practices to improve software security and helps organizations mature their software security processes over time [26].
- McGraw’s Secure Software Development Life Cycle Process: in his article “Security Software Building Security in Seven Touchpoints for Software Security,” McGraw focuses on integrating security into the software development life cycle (SDLC) through seven touchpoints [27]. The seven touchpoints are: (i) Requirements: Define the software security requirements and establish the basis for the rest of the development process. (ii) Design: Design a secure software architecture considering the previously established security requirements. (iii) Implementation: Write lines of code and apply secure coding practices. (iv) Testing: Perform security tests to ensure compliance with previously established security requirements. (v) Integration: Ensure proper software integration with other systems and maintain security. (vi) Deployment: Implement the software securely and configure it properly. (vii) Maintenance: Implement safe maintenance practices to ensure the continued security of the software and quickly address security issues. This approach focuses on integrating security into all stages of the software development lifecycle to ensure the resulting software is secure and reliable [27].
3. Security Practices in Agile Software Development
- Correctness by Construction (CbyC) is a highly effective method for developing software that requires critical levels of safety and provability. The main objectives of this methodology are to minimize the defect rate and increase resilience to change, achieved through two fundamental principles: making it very difficult to introduce bugs and ensuring that bugs are identified and eliminated as early as possible. To achieve these goals, CbyC seeks to ensure that software is correct from the start through rigorous safety requirements, a detailed definition of system behavior, and a robust and verifiable design [31,32].
- ViewNext, the model proposed by [33], is an agile adaptation of the S-SDLC [24] that incorporates security best practices from known models along with other security tasks; based on the spiral model, it is integrated into normal software engineering life cycles. The model corrects weaknesses present in previous models and follows a preventive approach, making it an effective alternative for secure software development. Known as Agile and Secure Software Development Life, this model has been the subject of study in [34].
- Microsoft SDL Agile is an adaptation of the SDL Methodology (Security Development Lifecycle) that was developed by Microsoft to integrate security into agile software development processes [35]. The Agile SDL methodology focuses on integrating security into each iteration of the agile software development process. Rather than following a “wait until the end” approach to integrating security, the Agile SDL methodology promotes the inclusion of security activities in all phases of the agile development process. Security activities include early risk identification, defining secure user stories, performing security testing in each iteration, and implementing security best practices in the agile development process. The Agile SDL methodology is based on the agile software development lifecycle, which includes planning, analysis, design, implementation, testing, and maintenance. By integrating security into each stage of this lifecycle, it is possible to ensure that the software developed is secure and complies with security requirements.
- Building Security In Maturity Model (BSIMM) is a security maturity model used to describe the practices and processes used by leading software security organizations to develop, improve and maintain effective software security programs [36]. BSIMM focuses on assessing organizations’ software security programs by measuring their maturity in 12 common security practices. This model helps organizations develop their own software security program and provides a tool for ongoing assessment of software security maturity over time. The latest version of the model, BSIMM10, released in 2020, addresses agile properties of software development. It includes practices and processes relevant to agile approaches, such as continuous integration and continuous delivery, security automation, security management in the product backlog, and security collaboration between development teams. In addition, BSIMM10 focuses on the importance of security in the context of agile frameworks, such as Scrum and DevOps.
4. Related Work
5. Methodology
5.1. Goal and Research Questions
5.2. Generating the Search String
5.3. Data Extraction
5.4. Inclusion and Exclusion Criteria
5.5. Search Execution
5.6. Selection of Articles
5.7. Classification Scheme
6. Main Results
6.1. Overall Analysis by Characteristics
- Articles that use security in the SDLC phases (see Figure 6),
- Articles that use a methodology or propose a process,
- Articles that evaluate security after applying the proposed method.
6.2. Systematic Mapping
6.3. Analysis of Individual Articles
6.3.1. Theoretical Proposals
6.3.2. Implementation
6.3.3. Review and/or Analysis
6.3.4. Uses
6.4. Response to Research Questions
- RQ1: How many articles are related to secure software development?
- RQ2: How many articles study security practices for agile software development?
- RQ3: What is the context/setting where the articles take place?
- RQ4: What are the SDLC phases that have most addressed security in software development?
- RQ5: Which particular phase of SDLC has been least discussed and addressed in the literature?
- RQ6: What results have the new methods or models yielded to ensure security in the development of secure software?
7. Discussion
7.1. Analysis
7.2. Research Gaps
8. Proposals
9. Limitations of the Study
9.1. Construct Validity
9.2. Internal Validity
9.3. External Validity
9.4. Conclusion Validity
10. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
Abbreviations
SDLC | Systems Development Life Cycle |
Appendix A
Number | Article | Cite | Brief Description |
---|---|---|---|
1 | Capturing Software Security Practices using CBR: Three Case Studies | [80] | The original goal is to investigate how to change the software engineering team’s attitude towards security and how to help them practice security throughout the software development lifecycle. |
2 | Engineering Security Vulnerability Prevention, Detection, and Response | [81] | This article indicates that providing tools to help with software security is not enough. Students and practitioners need to be trained on the importance and practices for designing and developing secure systems. |
3 | A Framework for Teaching Security Design Analysis Using Case Studies and the Hybrid Flipped Classroom | [82] | The first part of this article examines the security design analysis techniques described in the literature. The second part of this section focuses on the methods used to teach software development. |
4 | A hierarchical model for quantifying software security based on static analysis alerts and software metrics | [78] | The proposed SAM model is based exclusively on static analysis. This allows the SAM model to be applied regularly during the software development process, from the earliest stages of implementation and in a fully automated manner, as static analysis does not require running the software product being tested. |
5 | What are the critical security flaws in my system? | [83] | A static analysis is proposed to determine the severity of a vulnerability |
6 | Hazard Analysis Methods for Software Safety Requirements Engineering | [84] | The document proposes and reviews three different hazard analysis methods (STPA, FHA, and SFMEA) used in software requirements engineering to develop software security requirements. Each method has been used in practice in various security programs. |
7 | Aligning security objectives with agile software development | [68] | A framework is proposed to align software engineering with security engineering. To that end, it proposes security activities directly in each phase of the agile SDLC. |
8 | Closing the Feedback Loop Between UX Design, Software Development, Security Engineering, and Operations | [85] | The new TDLC model introduces one more circle in the infinite loop where the four phases of the model are included at the beginning DoubleDiamond. The design phases lead to the development phases, then to the operations phases, and then back to the beginning. |
9 | An Empirical Investigation of Agile Information Systems Development for Cybersecurity | [75] | In this exploratory study, we empirically explore agile security practices adopted by software developers and security professionals. |
10 | Secure SDLC Using Security Patterns 2.0 | [86] | The proposed framework integrates security concerns from the early stage to the removal stage; thus, software security vulnerabilities are found and mitigated at early stages of the SDLC, saving a lot of re-engineering costs for vulnerabilities post-implementation. |
11 | Validation of the smbc framework of security testing using analytic hierarchy process | [87] | The SMBC framework addresses the issue of security testing in the design phase of SDLC |
12 | Security requirements specification: A formal method perspective | [88] | In this article, a framework for the specification of security requirements by formal methods is proposed. The goal of the proposed framework is to specify security requirements formally and integrate them with SDLC |
13 | Secure modules for undergraduate software engineering courses | [74] | This document presents a series of modules that are designed to be integrated into undergraduate software engineering courses from a security perspective. The objective of the modules is to teach the creation of strong software security requirements, design, and development of secure software, and verification of secure software through a secure software development life cycle. |
14 | Security and software engineering | [73] | In this article, we first provide an introduction to the principles and concepts of software security from a software engineering point of view. We then provide an overview of four categories of approaches to achieving security in software systems, namely static and dynamic analysis, formal methods, and adaptive mechanisms. |
15 | MDA approach for application security integration with automatic code generation from communication diagram | [89] | In this work, a new contribution to the generation of secure applications is proposed with its security mechanisms based on the MDA approach to address the functional and non-functional aspects during the software engineering process. |
16 | Automated Risk Management based Software Security Vulnerabilities Management | [70] | This work presents a quantitative threat modeling as part of a comprehensive software security management system |
17 | Security Assurance Model of Software Development for Global Software Development Vendors | [69] | Proposed model to be used by global software developer (GSD) providers. The evaluation process of this model called Software Development SAM is based on the Motorola evaluation tool. |
18 | A Preventive Secure Software Development Model for a Software Factory: A Case Study | [34] | This work proposes the Emerging Secure Software Development Model called Viewnext-Uex, which is preventive and flexible. The findings of its empirical evaluation show that applying the proposed model methodologically improves software security. The security and quality of the software are increased, as well as development productivity. |
19 | A Readiness Model for Security Requirements Engineering | [90] | The goal of this document is to develop a Security Requirements Engineering Readiness Model (SRERM) to enable organizations to assess their security requirements engineering readiness levels. |
20 | A Novel Lightweight Solo Software Development Methodology With Optimum Security Practices | [71] | The purpose of this document is to introduce the Secure-SSDM model to individual software developers. The study has successfully demonstrated the usefulness of Secure-SSDM in building high-quality and secure software applications in the fields of Education, Health, Government, and Business. |
21 | Agile Approaches for Cybersecurity Systems, IoT and Intelligent Transportation | [72] | This document presents a complete and detailed review of agile software development in the context of IoT, ITS, and its cybersecurity and risk challenges. |
22 | A Hybrid Model of Hesitant Fuzzy Decision-Making Analysis for Estimating Usable-Security of Software | [91] | The main objective of this work is to evaluate the safety of use of a software that focuses on its two features. The evaluation of usable security would also be helpful in improving security and ease of use for end-user satisfaction and privacy. |
23 | Fuzzy Expert System of Information Security Risk Assessment on the Example of Analysis Learning Management Systems | [92] | Proposes a new hierarchical structured model for information security risk assessment using fuzzy logic. This methodology can be used to assess the information security risks of any complex automated management system (socially significant ERP system) used in other areas. |
24 | Text Categorization Approach for Secure Design Pattern Selection Using Software Requirement Specification | [93] | This paper proposes to use a repository of secure design patterns as a dataset and a repository of requirements artifacts in the form of a software requirements specification (SRS). |
25 | Prioritization Based Taxonomy of DevOps Security Challenges Using PROMETHEE | [94] | The objective of this study is to identify and develop a taxonomy based on the prioritization of DevOps security challenges. A total of 18 DevOps security challenges were extracted using a systematic literature review approach and further evaluated with experts using a questionnaire survey study. Finally, the PROMETHEE-II multi-criteria decision-making approach was used to prioritize and develop the taxonomy of the identified factors and their categories. |
26 | A Crisis Situations Decision-Making Systems Software Development Process With Rescue Experiences | [95] | In this article, a customized version of XP called Crisis Decision Systems Software Development Process (CSDP) is proposed. CSDP is the result of the authors’ experiences while participating in the rescue agent simulation division of the RoboCup competitions from 2006 to 2010. CSDP is an agile and fast process that makes the development team able to respond to changes suddenly in the shortest possible time. |
27 | Automatic Classification Method for Software Vulnerability Based on Deep Neural Network | [96] | In this article, a new automatic vulnerability classification model called TFI-DNN has been proposed. To better analyze and manage vulnerabilities according to their membership classes, improve system security performance, and reduce the risk of the system being attacked and damaged, this paper applied a deep neural network to vulnerability classification of software. The results show that the proposed TFI-DNN model outperforms others in accuracy, accuracy, and score and works well on the rate of recovery. |
28 | Reusable Security Requirements Repository Implementation Based on Application/System Components | [97] | In this article, a repository model has been proposed that addresses the issue of reusing security requirements. The repository has a structure that guides the user on what type of information should be reused. Flexibility is an advantage of the proposed model. The model allows the definition of requirements at any level of precision. The proposed model does not include risk factors, risk analysis, and risk management. This activity has not been included in the model on purpose to achieve simplicity and allow the model to be used in conjunction with existing risk analysis techniques in an organization. |
29 | GMSA: Gathering Multiple Signatures Approach to Defend Against Code Injection Attacks | [98] | In this paper, we introduce a tool called GMSA, developed to detect a variety of CIA, for example, Cross-Site Scripting (XSS) attack, SQL injection attack, shell injection attack (command injection attack) and file inclusion attack. The latter consists of local file inclusion and remote file inclusion. |
30 | A Survey on Blockchain Acquainted Software Requirements Engineering: Model, Opportunities, Challenges, and Future Directions | [99] | In this article, we provide a novel comprehensive review of blockchain-related aspects of SRE requirements engineering practices. We introduce SRE-based quality improvement factors and describe the need for blockchain technology in this domain. Additionally, they have classified SRE practices based on blockchain engineering. |
31 | Integrating Model Checking With SySML in Complex System Safety Analysis | [100] | In this paper, we propose the integration of model checking with the systems modeling language to analyze the security of complex systems. Systems Modeling Language (SySML) is introduced to establish a unified system model that can describe a hybrid system of hardware and software but cannot be directly applied to security analysis. Using SySML makes it easy for designers, analysts, and vendors to use the unified model. The semi-formal SySML model is then transformed into the formal NuSMV model, which is used to perform security analysis and verification. |
32 | A Novel Key Agreement Protocol Based on RET Gadget Chains for Preventing Reused Code Attacks | [101] | This paper proposes a new key agreement protocol based on RET gadget chains. The novel protocol not only considers cryptographic security techniques and control flow integrity when executing programs, but it can also prevent vulnerability attacks during implementation at the source code level. |
33 | An Evaluation of Quantitative Non-Functional Requirements Assurance Using ArchiMate | [102] | This document introduces a system architecture assessment method that can perform a quantitative NFR assurance assessment for the system architecture through ArchiMate. The document also proposes an algorithm to automate the quantitative evaluation process. A questionnaire survey among software engineers and a case study on a vehicle safety monitoring system were conducted to verify the necessity of the method. Additionally, an experimental design with 18 samples divided into 2 groups was presented to compare how the independent variables affect the dependent variables. The results of the experiment demonstrate that the proposed method achieves a better NFR evaluation effect than the traditional approach. The proposed method is expected to be used in the early stage of software development projects for system NFR development, such as requirements analysis, system architecture design, and system modeling. |
34 | Self-Service Cybersecurity Monitoring as Enabler for DevSecOps | [103] | This document focuses on self-service cybersecurity monitoring as an enabler to introduce security practices in a DevOps environment. The case study provides evidence of how this cybersecurity monitoring infrastructure enabled threats to be detected, such as denial attacks, and helped better anticipate phishing problems. |
35 | Automatically Patching Vulnerabilities of Binary Programs via Code Transfer From Correct Versions | [104] | This document presents BINPATCH, an algorithm for automatically patching known vulnerabilities in binary programs. It first locates the faulty function, which contains the vulnerability, through a comparison of similar codes. It then reuses the corresponding code from the correct version of the faulty function as patch code and inserts it into the faulty function using binary rewrite. BINPATCH is tested on eight real-world vulnerabilities, and experimental results show that it is capable of not only locating faulty code effectively but also patching code correctly. |
36 | Classifying Software Vulnerabilities by Using the Bugs Framework | [105] | In this paper, data mining techniques are used to identify software vulnerabilities, classify them into different categories using the bug framework proposed by the National Institute of Standards and Technology (NIST) and design a model to predict the weakness of future vulnerabilities. |
37 | Metrics-driven devsecops | [77] | In this paper, a unique metrics-based approach is proposed to help improve software engineering processes by increasing software quality, adaptability, and security, and decreasing costs, and time to market. |
38 | The Impact of Software Security Practices on Development Effort: An Initial Survey | [106] | The objective of this study is to obtain an overview of the application of software security practices in the industry and to identify the impact of introducing such activities on software development projects in terms of effort/cost. |
39 | Context-Sensitive Case-Based Software Security Management System | [107] | In this paper, we highlight the need to include application context-sensitive modeling within the case-based software security management system proposed by the authors. This article expands on previous work to include application context modeling. The proposed idea builds software security models using an application context. |
References
- Faheem, M.; Shah, S.B.H.; Butt, R.A.; Raza, B.; Anwar, M.; Ashraf, M.W.; Ngadi, M.A.; Gungor, V.C. Smart grid communication and information technologies in the perspective of Industry 4.0: Opportunities and challenges. Comput. Sci. Rev. 2018, 30, 1–30.
- Lee, M.; Yun, J.J.; Pyka, A.; Won, D.; Kodama, F.; Schiuma, G.; Park, H.; Jeon, J.; Park, K.; Jung, K.; et al. How to respond to the fourth industrial revolution, or the second information technology revolution? Dynamic new combinations between technology, market, and society through open innovation. J. Open Innov. Technol. Mark. Complex. 2018, 4, 21.
- Liou, J.C.; Duclervil, S.R. A survey on the effectiveness of the secure software development life cycle models. In Innovations in Cybersecurity Education; Springer: Berlin/Heidelberg, Germany, 2020; pp. 213–229.
- McGraw, G. From the ground up: The DIMACS software security workshop. Secur. Privacy IEEE 2003, 1, 59–66.
- Castellaro, M.; Romaniz, S.; Ramos, J.C.; Feck, C.; Gaspoz, I. Aplicar el Modelo de Amenazas para incluir la Seguridad en el Modelado de Sistemas. In Proceedings of the V Congreso Iberoamericano de Seguridad Informática—CIBSI, Bogota, Colombia, 22–24 January 2016; Volume 16.
- Hernández Yeja, A.; Porven Rubier, J. Procedimiento para la seguridad del proceso de despliegue de aplicaciones web. Rev. Cuba. Cienc. Inform. 2016, 10, 42–56.
- Pecka, N.S. Making Secure Software Insecure without Changing Its Code: The Possibilities and Impacts of Attacks on the DevOps Pipeline. Ph.D. Thesis, Iowa State University, Ames, IA, USA, 2022.
- Konstantinidou, C.A.; Lang, W.; Papadopoulos, A.M.; Santamouris, M. Life cycle and life cycle cost implications of integrated phase change materials in office buildings. Int. J. Energy Res. 2019, 43, 150–166.
- Symantec. Internet Security Threat Report. Available online: https://www.symantec.com/security-center/threatreport (accessed on 23 February 2023).
- Diéguez, M.; Cares, C. Anticipation models (anti-models) for a proactive cyber defence. In Proceedings of the IX Congreso Internacional de Computación y Telecomunicaciones, Lima, Peru, 11–13 October 2017; pp. 247–254.
- ISO. ISO/IEC27001. Information Security Management. Available online: https://www.iso.org/standard/82875.html (accessed on 23 February 2023).
- ISO. NIST, Cybersecurity. Available online: http://www.iso.org/iso/catalogue_detail?csnumber=54533 (accessed on 20 February 2023).
- ISACA. Control Objectives for Information and Related Technologies (Cobit). Available online: http://www.isaca.org/KnowledgeCenter/cobit/Pages/Products.aspx (accessed on 21 February 2023).
- Ključnikov, A.; Mura, L.; Sklenár, D. Information security management in SMEs: Factors of success. Entrep. Sustain. Issues 2019, 6, 2081.
- Meridji, K.; Al-Sarayreh, K.T.; Abran, A.; Trudel, S. System security requirements: A framework for early identification, specification and measurement of related software requirements. Comput. Stand. Interfaces 2019, 66, 103346.
- Ansari, M.T.J.; Pandey, D.; Alenezi, M. STORE: Security threat oriented requirements engineering methodology. J. King Saud Univ.-Comput. Inf. Sci. 2022, 34, 191–203.
- Mishra, N.; Pandya, S. Internet of things applications, security challenges, attacks, intrusion detection, and future visions: A systematic review. IEEE Access 2021, 9, 59353–59377.
- López-Rodríguez, S.A.; García-Peña, V.R. Metodologías de desarrollo de software seguro con propiedades agiles. Polo Conoc. 2021, 5, 1027–1046.
- Filus, K.; Domańska, J. Software vulnerabilities in TensorFlow-based deep learning applications. Comput. Secur. 2023, 124, 102948.
- Kumar, R.; Goyal, R. On cloud security requirements, threats, vulnerabilities and countermeasures: A survey. Comput. Sci. Rev. 2019, 33, 1–48.
- Von Solms, S.; Futcher, L.A. Adaption of a secure software development methodology for secure engineering design. IEEE Access 2020, 8, 125630–125637.
- García-Peñalvo, F. Proyecto Docente e Investigador. Catedrático de Universidad. Perfil Docente: Ingeniería del Software y Gobierno de Tecnologías de la Información. Perfil Investigador: Tecnologías del Aprendizaje. Área de Ciencia de la Computación e Inteligencia Artificial; Technical Report; Grupo GRIAL: Salamanca, Spain, 2018.
- De Vicente Mohino, J.; Bermejo Higuera, J.; Bermejo Higuera, J.R.; Sicilia Montalvo, J.A. The application of a new secure software development life cycle (S-SDLC) with agile methodologies. Electronics 2019, 8, 1218.
- Hudaib, A.; AlShraideh, M.; Surakhi, O.; Khanafseh, M. A survey on design methods for secure software development. Int. J. Comput. Technol. 2017, 16, 7047–7064.
- Ramirez, A.; Aiello, A.; Lincke, S.J. A survey and comparison of secure software development standards. In Proceedings of the 2020 13th CMI Conference on Cybersecurity and Privacy (CMI)—Digital Transformation-Potentials and Challenges (51275), Copenhagen, Denmark, 26–27 November 2020; pp. 1–6.
- Rindell, K.; Hyrynsalmi, S.; Leppänen, V. Fitting security into agile software development. In Research Anthology on Recent Trends, Tools, and Implications of Computer Programming; IGI Global: Hershey, PA, USA, 2021; pp. 1026–1045.
- McGraw, G. Security Software Building Security in Seven Touchpoints for Software Security. 2023. Available online: http://www.swsec.com/resources/touchpoints/ (accessed on 22 February 2023).
- Sinha, A.; Das, P. Agile methodology vs. traditional waterfall SDLC: A case study on quality assurance process in software industry. In Proceedings of the 2021 5th International Conference on Electronics, Materials Engineering & Nano-Technology (IEMENTech), Kolkata, India, 4–5 May 2021; pp. 1–4.
- Futcher, L.; von Solms, R. SecSDM: A usable tool to support IT undergraduate students in secure software development. In Proceedings of the HAISA, Crete, Greece, 6–8 June 2012; pp. 86–96.
- Fowler, M.; Highsmith, J. The agile manifesto. Softw. Dev. 2001, 9, 28–35.
- Croxford, M.; Chapman, R. Correctness by construction: A manifesto for high-integrity software. J. Def. Soft. Eng. 2005, 5–8. [Google Scholar]
- Abundis, C.J.B. Metodologías para desarrollar software seguro. Recibe. Rev. Electron. Comput. Inform. Biomed. Electron. 2013, 3, 1–6. [Google Scholar]
- Lindo, A.C. AC Modelos de Desarrollo Seguro del Software. 2023. Available online: https://web.fdi.ucm.es/posgrado/conferencias/AndresCaroLindo-slides.pdf (accessed on 23 February 2023).
- Núñez, J.C.S.; Lindo, A.C.; Rodríguez, P.G. A preventive secure software development model for a software factory: A case study. IEEE Access 2020, 8, 77653–77665. [Google Scholar] [CrossRef]
- Microsoft. SDL—Agile Requirements. 2023. Available online: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ee790620(v=msdn.10)?redirectedfrom=MSDN (accessed on 27 February 2023).
- BSIMM. BSIMM Frameworks. 2023. Available online: https://www.bsimm.com/ (accessed on 27 February 2023).
- Chechik, M.; Salay, R.; Viger, T.; Kokaly, S.; Rahimi, M. Software assurance in an uncertain world. In Proceedings of the Fundamental Approaches to Software Engineering: 22nd International Conference, FASE 2019, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2019, Prague, Czech Republic, 6–11 April 2019; pp. 3–21. [Google Scholar]
- Tawalbeh, L.; Muheidat, F.; Tawalbeh, M.; Quwaider, M. IoT Privacy and security: Challenges and solutions. Appl. Sci. 2020, 10, 4102. [Google Scholar] [CrossRef]
- Beznosov, K.; Kruchten, P. Towards agile security assurance. In Proceedings of the 2004 Workshop on New Security Paradigms, Virtual, 20–23 September 2004; pp. 47–54. [Google Scholar]
- Tøndel, I.A.; Jaatun, M.G.; Cruzes, D.S.; Williams, L. Collaborative security risk estimation in agile software development. Inf. Comput. Secur. 2019, 27, 508–535. [Google Scholar] [CrossRef] [Green Version]
- Oueslati, H.; Rahman, M.M.; ben Othmane, L. Literature review of the challenges of developing secure software using the agile approach. In Proceedings of the 2015 10th International Conference on Availability, Reliability and Security, Toulouse, France, 24–28 August 2015; pp. 540–547. [Google Scholar]
- Bhasin, S. Quality assurance in agile: A study towards achieving excellence. In Proceedings of the 2012 Agile India, Bengaluru, India, 17–19 February 2012; pp. 64–67. [Google Scholar]
- Newton, N.; Anslow, C.; Drechsler, A. Information security in agile software development projects: A critical success factor perspective. In Proceedings of the 27th European Conference on Information Systems (ECIS), Uppsala, Sweden, 8–14 June 2019. [Google Scholar]
- Rindell, K.; Ruohonen, J.; Holvitie, J.; Hyrynsalmi, S.; Leppänen, V. Security in agile software development: A practitioner survey. Inf. Softw. Technol. 2021, 131, 106488. [Google Scholar] [CrossRef]
- Kramer, J.D. Developmental test and requirements: Best practices of successful information systems using agile methods. Def. AR J. 2019, 26, 128–150. [Google Scholar]
- Villamizar, H.; Kalinowski, M.; Garcia, A.; Mendez, D. An efficient approach for reviewing security-related aspects in agile requirements specifications of web applications. Requir. Eng. 2020, 25, 439–468. [Google Scholar] [CrossRef]
- Sharma, A.; Bawa, R. Identification and integration of security activities for secure agile development. Int. J. Inf. Technol. 2020, 14, 1117–1130. [Google Scholar] [CrossRef]
- Bodden, E. State of the systems security. In Proceedings of the 40th International Conference on Software Engineering: Companion Proceeedings, New York, NY, USA, 27 May–3 June 2018; pp. 550–551. [Google Scholar]
- Ancán Bastías, O.; Díaz, J.; López Fenner, J. Exploring the Intersection between Software Maintenance and Machine Learning—A Systematic Mapping Study. Appl. Sci. 2023, 13, 1710. [Google Scholar] [CrossRef]
- Astías, O.A.; Díaz, J.; Rodríguez, C.O. Evaluation of critical thinking in online software engineering teaching: A systematic mapping study. IEEE Access 2021, 9, 167015–167026. [Google Scholar]
- Alenezi, M.; Agrawal, A.; Kumar, R.; Khan, R.A. Evaluating performance of Web application security through a fuzzy based hybrid multi-criteria decision-making approach: Design tactics perspective. IEEE Access 2020, 8, 25543–25556. [Google Scholar] [CrossRef]
- Fernandez, E.B.; Astudillo, H.; Pedraza-García, G. Revisiting architectural tactics for security. In Proceedings of the Software Architecture: 9th European Conference, ECSA 2015, Dubrovnik/Cavtat, Croatia, 7–11 September 2015; pp. 55–69. [Google Scholar]
- Abeyrathna, A.; Samarage, C.; Dahanayake, B.; Wijesiriwardana, C.; Wimalaratne, P. A security specific knowledge modelling approach for secure software engineering. J. Natl. Sci. Found. Sri Lanka 2020, 48, 93–98. [Google Scholar] [CrossRef]
- Nguyen-Duc, A.; Do, M.V.; Hong, Q.L.; Khac, K.N.; Quang, A.N. On the adoption of static analysis for software security assessment–A case study of an open-source e-government project. Comput. Secur. 2021, 111, 102470. [Google Scholar] [CrossRef]
- Croft, R.; Xie, Y.; Zahedi, M.; Babar, M.A.; Treude, C. An empirical study of developers’ discussions about security challenges of different programming languages. Empir. Softw. Eng. 2022, 27, 1–52. [Google Scholar] [CrossRef]
- Antal, G.; Keleti, M.; Hegedŭs, P. Exploring the security awareness of the python and javascript open source communities. In Proceedings of the 17th International Conference on Mining Software Repositories, Seoul, Republic of Korea, 29–30 June 2020; pp. 16–20. [Google Scholar]
- Correa, R.; Bermejo Higuera, J.R.; Higuera, J.B.; Sicilia Montalvo, J.A.; Rubio, M.S.; Magreñán, Á.A. Hybrid Security Assessment Methodology for Web Applications. Comput. Model. Eng. Sci. 2021, 126, 89–124. [Google Scholar]
- Bernsmed, K.; Cruzes, D.S.; Jaatun, M.G.; Iovan, M. Adopting threat modelling in agile software development projects. J. Syst. Softw. 2022, 183, 111090. [Google Scholar] [CrossRef]
- Villamizar, H.; Kalinowski, M.; Viana, M.; Fernández, D.M. A systematic mapping study on security in agile requirements engineering. In Proceedings of the 2018 44th Euromicro conference on software engineering and advanced applications (SEAA), Prague, Czech Republic, 29–31 August 2018; pp. 454–461. [Google Scholar]
- Weir, C.; Becker, I.; Noble, J.; Blair, L.; Sasse, M.A.; Rashid, A. Interventions for long-term software security: Creating a lightweight program of assurance techniques for developers. Software: Pract. Exp. 2020, 50, 275–298. [Google Scholar] [CrossRef] [Green Version]
- Butler, N. Security in Agile Software Development: A Simple Guide: Bigger Impact. 2022. Available online: https://www.boost.co.nz/blog/2022/02/security-in-agile-software-development#who-the-guide-is-for (accessed on 27 February 2023).
- Veracode. Agile Security. 2023. Available online: https://www.boost.co.nz/blog/2022/02/security-in-agile-software-development#who-the-guide-is-for (accessed on 27 February 2023).
- Security, L. 10 Agile Software Development Security Concerns You Need to Know. 2023. Available online: https://www.legitsecurity.com/blog/10-agile-software-development-security-concerns-you-need-to-know (accessed on 27 February 2023).
- OWASP. OWASP Top Ten. 2023. Available online: https://owasp.org/www-project-top-ten/ (accessed on 27 February 2023).
- SANS. Web Application Security Awareness Training. 2023. Available online: https://www.sans.org/security-awareness-training/products/specialized-training/developer/?msc=ssa-main-nav (accessed on 27 February 2023).
- Moher, D.; Liberati, A.; Tetzlaff, J.; Altman, D.G.; PRISMA Group. Preferred reporting items for systematic reviews and meta-analyses: The PRISMA statement. Ann. Intern. Med. 2009, 151, 264–269. [Google Scholar] [CrossRef] [Green Version]
- Petersen, K.; Vakkalanka, S.; Kuzniarz, L. Guidelines for conducting systematic mapping studies in software engineering: An update. Inf. Softw. Technol. 2015, 64, 1–18. [Google Scholar] [CrossRef]
- Rindell, K.; Hyrynsalmi, S.; Leppänen, V. Aligning Security Objectives With Agile Software Development. In Proceedings of the 19th International Conference on Agile Software Development: Companion, Porto, Portugal, 21–25 May 2018; pp. 1–9. [Google Scholar] [CrossRef]
- Khan, R.A.; Khan, S.U.; Alzahrani, M.; Ilyas, M. Security Assurance Model of Software Development for Global Software Development Vendors. IEEE Access 2022, 10, 58458–58487. [Google Scholar] [CrossRef]
- Althar, R.R.; Samanta, D.; Kaur, M.; Singh, D.; Lee, H.N. Automated Risk Management Based Software Security Vulnerabilities Management. IEEE Access 2022, 10, 90597–90608. [Google Scholar] [CrossRef]
- Moyo, S.; Mnkandla, E. A novel lightweight solo software development methodology with optimum security practices. IEEE Access 2020, 8, 33735–33747. [Google Scholar] [CrossRef]
- Tashtoush, Y.M.; Darweesh, D.A.; Husari, G.; Darwish, O.A.; Darwish, Y.; Issa, L.B.; Ashqar, H.I. Agile Approaches for Cybersecurity Systems, IoT and Intelligent Transportation. IEEE Access 2021, 10, 1360–1375. [Google Scholar] [CrossRef]
- Malek, S.; Bagheri, H.; Garcia, J.; Sadeghi, A. Security and software engineering. In Handbook of Software Engineering; Springer: Berlin/Heidelberg, Germany, 2019; pp. 445–489. [Google Scholar]
- Yang, J.; Lodgher, A.; Lee, Y. Secure modules for undergraduate software engineering courses. In Proceedings of the 2018 IEEE Frontiers in Education Conference (FIE), San Jose, CA, USA, 3–6 October 2018; pp. 1–5. [Google Scholar]
- Ardo, A.A.; Bass, J.M.; Gaber, T. An empirical investigation of agile information systems development for cybersecurity. In Proceedings of the European, Mediterranean, and Middle Eastern Conference on Information Systems, Dubai, United Arab Emirates, 25–26 November 2021; pp. 567–581. [Google Scholar]
- Cico, O.; Jaccheri, L.; Nguyen-Duc, A.; Zhang, H. Exploring the intersection between software industry and Software Engineering education-A systematic mapping of Software Engineering Trends. J. Syst. Softw. 2021, 172, 110736. [Google Scholar] [CrossRef]
- Mallouli, W.; Cavalli, A.R.; Bagnato, A.; De Oca, E.M. Metrics-driven DevSecOps. In Proceedings of the ICSOFT, Paris, France, 7–9 July 2020; pp. 228–233. [Google Scholar]
- Siavvas, M.; Kehagias, D.; Tzovaras, D.; Gelenbe, E. A hierarchical model for quantifying software security based on static analysis alerts and software metrics. Softw. Qual. J. 2021, 29, 431–507. [Google Scholar] [CrossRef]
- Kraemer, H.C. Kappa coefficient. In Wiley StatsRef: Statistics Reference Online; Wiley: Hoboken, NJ, USA, 2014; pp. 1–4. [Google Scholar]
- Elrhaffari, I.; Roudies, O. Capturing Software Security Practices using CBR: Three Case Studies. Int. J. Adv. Comput. Sci. Appl. 2019, 10. [Google Scholar] [CrossRef] [Green Version]
- Williams, L.; McGraw, G.; Migues, S. Engineering Security Vulnerability Prevention, Detection, and Response. IEEE Softw. 2018, 35, 76–80. [Google Scholar] [CrossRef]
- Luburiç, N.; Sladic, G.; Slivka, J.; Milosavljevic, B. A Framework for Teaching Security Design Analysis Using Case Studies and the Hybrid Flipped Classroom. ACM Trans. Comput. Educ. 2019, 19, 1–19. [Google Scholar] [CrossRef]
- Thai, M.; Sen, A.; Das, A. ACM SIGMETRICS International Workshop on Critical Infrastructure Network Security. ACM SIGMETRICS Perform. Eval. Rev. 2019, 46, 48–49. [Google Scholar] [CrossRef]
- Oveisi, S.; Farsi, M.; Moeini, A. Software Safety Design in requirement analysis phase for a control systems. In Proceedings of the 12th International Conference on Engineering & Technology, Athens, Greece, 28–30 August 2019. [Google Scholar]
- Nguyen, J.; Dupuis, M. Closing the Feedback Loop Between UX Design, Software Development, Security Engineering, and Operations. In Proceedings of the SIGITE ’19: Proceedings of the 20th Annual SIG Conference on Information Technology Education, Tacoma, WA, USA, 3–5 October 2019. [CrossRef]
- Aruna, E.; Rama Mohan Reddy, A.; Sunitha, K. Secure SDLC Using Security Patterns 2.0. In IOT with Smart Systems; Springer: Berlin/Heidelberg, Germany, 2022; pp. 699–708. [Google Scholar]
- Mahendra, N.; Muqeem, M. Validation of the SMBC Framework of Security Testing Using Analytic Hierarchy Process. ICIC Express Lett. Part B Appl. Int. J. Res. Surv. 2021, 12, 383–393. [Google Scholar]
- Mishra, A.D.; Mustafa, K. Security requirements specification: A formal method perspective. In Proceedings of the 2020 7th International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, India, 12–14 March 2020; pp. 113–117. [Google Scholar]
- Abdellatif, L.; Chhiba, M.; Tabyaoui, A.; Mjihil, O. MDA Approach for Application Security Integration with Automatic Code Generation from Communication Diagram. In Proceedings of the International Conference on Information Technology and Communication Systems, Khouribga, Morocco, 28–29 March 2017; pp. 297–310. [Google Scholar]
- Mufti, Y.; Niazi, M.; Alshayeb, M.; Mahmood, S. A readiness model for security requirements engineering. IEEE Access 2018, 6, 28611–28631. [Google Scholar] [CrossRef]
- Kumar, R.; Baz, A.; Alhakami, H.; Alhakami, W.; Baz, M.; Agrawal, A.; Khan, R.A. A hybrid model of hesitant fuzzy decision-making analysis for estimating usable-security of software. IEEE Access 2020, 8, 72694–72712. [Google Scholar] [CrossRef]
- Abdymanapov, S.; Muratbekov, M.; Altynbek, S.; Barlybayev, A. Fuzzy Expert System of Information Security Risk Assessment on the Example of Analysis Learning Management Systems. IEEE Access 2021, 9, 156556–156565. [Google Scholar] [CrossRef]
- Ali, I.; Asif, M.; Shahbaz, M.; Khalid, A.; Rehman, M.; Guergachi, A. Text categorization approach for secure design pattern selection using software requirement specification. IEEE Access 2018, 6, 73928–73939. [Google Scholar] [CrossRef]
- Rafi, S.; Yu, W.; Akbar, M.A.; Alsanad, A.; Gumaei, A. Prioritization based taxonomy of DevOps security challenges using PROMETHEE. IEEE Access 2020, 8, 105426–105446. [Google Scholar] [CrossRef]
- Nowroozi, A.; Teymoori, P.; Ramezanifarkhani, T.; Besharati, M.R.; Izadi, M. A Crisis Situations Decision-Making Systems Software Development Process With Rescue Experiences. IEEE Access 2020, 8, 59599–59617. [Google Scholar] [CrossRef]
- Huang, G.; Li, Y.; Wang, Q.; Ren, J.; Cheng, Y.; Zhao, X. Automatic classification method for software vulnerability based on deep neural network. IEEE Access 2019, 7, 28291–28298. [Google Scholar] [CrossRef]
- Sönmez, F.Ö.; Kiliç, B.G. Reusable Security Requirements Repository Implementation Based on Application/System Components. IEEE Access 2021, 9, 165966–165988. [Google Scholar] [CrossRef]
- Alnabulsi, H.; Islam, R.; Talukder, M. GMSA: Gathering multiple signatures approach to defend against code injection attacks. IEEE Access 2018, 6, 77829–77840. [Google Scholar] [CrossRef]
- Farooq, M.S.; Ahmed, M.; Emran, M. A Survey on Blockchain Acquainted Software Requirements Engineering: Model, Opportunities, Challenges, and Future Directions. IEEE Access 2022, 10, 48193–48228. [Google Scholar] [CrossRef]
- Wang, H.; Zhong, D.; Zhao, T.; Ren, F. Integrating model checking with SysML in complex system safety analysis. IEEE Access 2019, 7, 16561–16571. [Google Scholar] [CrossRef]
- Fusheng, W.; Huanguo, Z.; Mingtao, N.; Jun, W.; Zhaoxu, J. A Novel Key Agreement Protocol Based on RET Gadget Chains for Preventing Reused Code Attacks. IEEE Access 2018, 6, 70820–70830. [Google Scholar] [CrossRef]
- Zhou, Z.; Zhi, Q.; Morisaki, S.; Yamamoto, S. An evaluation of quantitative non-functional requirements assurance using ArchiMate. IEEE Access 2020, 8, 72395–72410. [Google Scholar] [CrossRef]
- Díaz, J.; Pérez, J.E.; Lopez-Peña, M.A.; Mena, G.A.; Yagüe, A. Self-service cybersecurity monitoring as enabler for devsecops. IEEE Access 2019, 7, 100283–100295. [Google Scholar] [CrossRef]
- Hu, Y.; Zhang, Y.; Gu, D. Automatically patching vulnerabilities of binary programs via code transfer from correct versions. IEEE Access 2019, 7, 28170–28184. [Google Scholar] [CrossRef]
- Adhikari, T.M.; Wu, Y. Classifying software vulnerabilities by using the bugs framework. In Proceedings of the 2020 8th International Symposium on Digital Forensics and Security (ISDFS), Beirut, Lebanon, 1–2 June 2020; pp. 1–6. [Google Scholar]
- Venson, E.; Alfayez, R.; Gomes, M.M.; Figueiredo, R.M.; Boehm, B. The impact of software security practices on development effort: An initial survey. In Proceedings of the 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), Recife, Brazil, 19–20 September 2019; pp. 1–12. [Google Scholar]
- Alenezi, M.; Khan, F.I. Context-Sensitive Case-Based Software Security Management System. In Intelligent Systems Applications in Software Engineering; Silhavy, R., Silhavy, P., Prokopova, Z., Eds.; Springer International Publishing: Cham, Switzerland, 2019; pp. 135–141. [Google Scholar]
Research Question | Motivation |
---|---|
RQ1: How many articles are related to secure software development? | Recognize the documents that present proposals related to the initiatives for secure software. This is the first step to be able to answer the following questions. |
RQ2: How many articles study security practices for agile software development? | Software development must be based on something more than the experience of its programmers. Recognizing the number of works related to security practices in agile software development helps to categorize the different levels of support from comparison studies to proposals for secure development. |
RQ3: What is the context/setting where the articles take place? | Ascertaining the scenarios where the selected investigations are carried out enables the analysis of the proposals for the use of security controls in software development. |
RQ4: What are the SDLC phases that have most addressed security in software development? | Recognize articles that present proposals related to the integration of security controls in one or more of the software construction phases. |
RQ5: Which particular phase of SDLC has been least discussed and addressed in the literature? | Know which phases of software construction are least addressed in the literature and could be part of a valuable contribution in subsequent studies. |
RQ6: What results have the new methods or models yielded to ensure security in developing secure software? | Know the results of previous proposals and determine research gaps for future work in secure development engineering. |

Main Concepts | Software security, software secure, software privacy, software safety, software engineering, software development life cycle, SDLC, software security model, software security process, software security methodology |
Groups of terms | (“Software security” or “software secure” or “software privacy” or “software safety”) |
 | (“software engineering” or “software development lifecycle” or “SDLC” or “Software security model” or “software security process” or “software security methodology”) |
Search String | (“Software security” or “software secure” or “software privacy” or “software safety”) AND (“software engineering” or “software development lifecycle” or “SDLC” or “software security model” or “software security process” or “software security methodology”) |

Data Source | Abstract Selection | Limited to 5 Years |
---|---|---|
Web of Science | 29 | 20 |
ACM Digital Library | 34 | 16 |
Science Direct | 0 | 0 |
Scopus | 241 | 79 |
IEEE Xplore | 9506 | 253 |
Total | 9810 | 368 |

Classification | Total |
---|---|
Health | 1 |
Organizations | 7 |
Vulnerabilities | 16 |
Cybersecurity Education | 2 |
Critical Infrastructure | 7 |
Software Security | 25 |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Valdés-Rodríguez, Y.; Hochstetter-Diez, J.; Díaz-Arancibia, J.; Cadena-Martínez, R. Towards the Integration of Security Practices in Agile Software Development: A Systematic Mapping Review. Appl. Sci. 2023, 13, 4578. https://doi.org/10.3390/app13074578