
Security Engineering and eXtreme Programming: An Impossible Marriage?

Conference paper
Extreme Programming and Agile Methods - XP/Agile Universe 2004 (XP/Agile Universe 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3134)

Abstract

Agile methods, such as eXtreme Programming (XP), have been criticised for being inadequate for the development of secure software. In this paper, we analyse XP from a security engineering standpoint to assess to what extent the method can be used for the development of security-critical software. This is done by analysing XP in the light of two security engineering standards: the Systems Security Engineering Capability Maturity Model (SSE-CMM) and the Common Criteria (CC). The result is that XP is more aligned with security engineering than one might think at first. However, XP also needs to be tailored to better support, and to more explicitly deal with, security engineering issues. Tailoring XP for secure software development, without removing the agility that is the trademark of agile methods, may be a solution that would make XP more compatible with current security engineering practices.




Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wäyrynen, J., Bodén, M., Boström, G. (2004). Security Engineering and eXtreme Programming: An Impossible Marriage?. In: Zannier, C., Erdogmus, H., Lindstrom, L. (eds) Extreme Programming and Agile Methods - XP/Agile Universe 2004. XP/Agile Universe 2004. Lecture Notes in Computer Science, vol 3134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-27777-4_12


  • DOI: https://doi.org/10.1007/978-3-540-27777-4_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-22839-4

  • Online ISBN: 978-3-540-27777-4
