Science of Security for Agile Software Development
Security breaches are happening all around us. Software systems have developed to the point that we use and depend upon them daily in the same way that we depend upon traditional infrastructures and utilities. The value of sensitive information in computer systems is constantly increasing, and the same can be said for the corresponding threats, but measures to reduce the resulting vulnerabilities are not developed at the same pace.
The fundamental way of solving the security problem is by building secure software, defending against exploitation from the earliest stages of development, with a consistent maintenance of the "security-push" throughout the whole development life-cycle. Today's software development business requires high-speed software delivery from the development team. In order to provide fast delivery of products, organizations have made transformations from their conventional development approach to agile development methods in an attempt to increase the effectiveness of their software development. Agile software development has a huge impact on how software is developed worldwide, and Norway is leading the research in this area, where almost all software companies use agile methods.
However, agile projects often focus on imme-diate business features and functionality over security requirements. There are no security engineering practices developed specifically for the agile processes. Furthermore, the suitability of traditional security engineering pro-cesses has rarely been empirically evaluated in industrial agile development settings. Thus, there is little evidence on how to implement security practices in agile software develop-ment. Science of Security (SoS) is an area of research that seeks to apply a scientific ap-proach to the study and design of secure and trustworthy information systems.
The security research area is a long way from establishing a science of security comparable to the traditional sciences, and even from other software en-gineering areas. The area suffers from a lack of credible empirical evaluation, a split between industry practice and academic research, and a huge number of methods and method variants, with differences little understood and artificially magnified. Empirical studies are a powerful approach to be used in security research.
The overall research problem to be addressed by the project is the general lack of a scientific approach to security research and the integration of software security and agile software development.
- Develop and apply innovative approaches, tools, and techniques for improving security in agile software development in Norway.
- Empirically understand how software systems can be elicited, designed, built, and maintained to systematically address security issues across an agile development lifecycle.
- Increase the maturity of the security of software developed in Norway.
- Foster collaboration within research and practice in order to advance the practice in secure software engineering.
- Disseminate new knowledge and approach-es to the international research community by publishing in internationally recognized scientific journals and conferences.
SINTEF is the host institution.
The project manager is Dr. Daniela Cruzes.
The main researchers are:
- Dr. Martin G. Jaatun;
- Dr. Karin Bernsmed.
The Norwegian University of Science and Technology (NTNU) is the national research partner, in collaboration with Prof. Dr. Pekka Abrahamson.
The case studies will be mainly performed in close collaboration with three of SINTEF's long-term partners:
- Telenor Digital;
As well as in other software companies that are interested in software security.
On the research we will also collaborate strongly with our partners in US (Prof. Dr. Laurie Williams, NCSU), Germany (Prof Dr. Michael Waidner and Dr. Lofti Ben Othmane - Fraunhofer) and Austria (Dr. Edgar R. Weippl, SBA Research).
The project will have a duration of five years.