An Empirical Study on the Relationship between Software Security Skills, Usage and Training needs in Agile Settings
Protecting organizations' assets from malicious attackers is critical in today's highly threatened environment. The threat landscape is continuously changing. Unfortunately, many organizations still lack an overview of what their developers and the rest of the stakeholders are doing to protect their assets. The agile paradigm adds a layer of complexity to software security. Critics have argued that the security engineering process does not fit the agile process because it is very heavy. Proposed approaches to integrate security activities into agile have also been criticised for looking similar to the traditional versions in terms of workload. As a result, 'agile' organizations have approached software security in a way that fits their process and practices. Statistics show that more than 70% of reported vulnerabilities are in the application layer and not the network. Thus, regardless of whether agile is incompatible with secure software development, the major discussion we should have is how to improve security within the agile context. Improving software security practices to an "adequate" level for an organization requires that we know what we are doing well and understand what the gap areas are.
What are the factors influencing testing of non-functional requirements in agile teams?
Non-functional requirements define the overall qualities or attributes of a system. Although important, they are often neglected for many reasons, such as pressure of time and budget...
JiraSecPlugin - JiraSecPlugin is a simple-to-use JIRA plugin for classifying recorded issues as security related or not. It is based on artificial intelligence algorithms. By default, the plugin comes with a trained model built on a comprehensive set of security terms that we divided into four categories: 1. Personally Identifiable Information (PII), 2. Direct (terms related to attacks and vulnerabilities), 3. Control (terms related to implemented security controls), and 4. Indirect (terms that are indirectly related to security and not in the above three categories). Terms are extracted from different sources such as the CWE, OWASP, CVE, RFC 4949, and industrial issue tracking databases.
Continuous Deployment and Security
Continuous Deployment has many advantages and challenges. Laurie Williams, Associate Department Head of Computer Science and Professor in the Computer Science Department at North Carolina State University (NCSU), visited us at SINTEF and talked about some of the challenges that companies are facing with continuous deployment at a Dataforeningen/SINTEF meeting at DIGS.
Protection Poker - a playful approach to software security
Taking the time to think about security in an agile development process can be difficult - but perhaps playing a game can help?
Going back to the roots: Guiding Principles for Software Security