AgileSec – Agile Development of Security Critical Software

Today, the software industry is moving to agile development processes. One of the main ideas is that an agile team has sufficient skills to get the job done, and does not have to rely on external experts. In traditional software development, security issues are handled by experts. However, in agile development, security issues should be handled by the team. The agile process must, therefore, be extended with security related quality control and support. Rigorous quality control may, however, reduce productivity. The level of security expertise may differ significantly from one agile team to another, and it is, therefore, important to adapt security related quality control to the security maturity level of the team. In this application, we argue that an accurate estimate of a team's security maturity would be helpful in many ways.

The goal of this project is to define a security maturity index for agile teams, and develop models that can estimate the security maturity level of a team based on the education and background of the team members. Our models will also make it possible to estimate the security level and development cost of a software module by considering the security maturity level of the team developing the module. Our models will support management in software development organizations in a number of ways, e.g., make it possible to do cost-benefit analysis of educational activities, as well as to estimate how different ways of grouping developers into teams affect the cost and quality of the software. Our prediction models will use techniques from machine learning. The result of the project will be applied and evaluated in two industry settings: a large software development organization, and a small company. Both companies are developing security critical applications using agile processes, and both companies have worked with Blekinge Institute of Technology (BTH) in previous research projects.

The project team, consisting of three senior professors, one additional researcher with a Ph.D., two experienced developers, and a Ph.D. student, has competence in security issues, software development, machine learning, and agile processes. The project leader has led a number of successful research projects in the past. Software security is a key area at BTH, and several educational programs specialize in this area. The security research group is very active and has produced high quality results in the form of publications, text books, and Ph.D. exams for many years.

This three-year project is divided into six periods of six months each. Each period has clearly defined goals and a clear division of tasks between the involved partners. The project builds on results and experiences from previous research projects and relates in a symbiotic way to other ongoing research projects; in particular, AgileSec has clear synergies with the KKS research profile in Scalable resource-efficient systems for big data analytics.
