Christoph Pohl und Prof. Dr. Hans-Joachim Hof stellten im August auf der Konferenz “The Ninth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2015)” aktuelle Forschungsergebnisse zur Entwicklung von sicherer Software mit Hilfe des agilen Softwareentwicklungsprozesses Scrum vor. Heute wurde die Veröffentlichung “Secure Scrum: Development of Secure Software with Scrum” mit dem Best Paper Award der Konferenz ausgezeichnet. Das Team der MuSe – Munich IT Security Research Group freut sich sehr über diese Würdigung der Arbeit der letzten drei Jahre. Besonderer Dank gilt dem Bayerischen Staatsministerium für Wissenschaft, Forschung und Kunst für die Förderung dieser Forschungsarbeit.
Das Paper ist hier als PDF erhältlich: PDF-Downoad.
Abstract:
Nowadays, the use of agile software development methods like Scrum is common in industry and academia. Considering the current attacking landscape, it is clear that developing secure software should be a main concern in all software development projects. In traditional software projects, security issues require detailed planning in an initial planning phase, typically resulting in a detailed security analysis (e.g. threat and risk analysis), a security architecture and instructions for security implementation (e.g. specification of key sizes and cryptographic algorithms to use). Agile software development methods like Scrum are known for reducing the initial planning phases (e.g. sprint 0 in Scrum) and focusing more on producing running code. Scrum is also known for allowing fast adaption of the emerging software to changes of customer wishes. For security, this means that it is likely that there is no detailed security architecture and no security implementation instructions from the start of the project. It also means that a lot of design decisions will be made during the runtime of the project. Hence, to address security in Scrum, it is necessary to consider security issues throughout the whole software development process.
Secure Scrum is a variation of the Scrum framework with special focus on the development of secure software. It puts emphasis on how to implement security related issues without the need of changing the underlying Scrum process or influencing team dynamics. Secure Scrum allows even non-security experts to spot security issues, to implement security features, and to verify implementations. A field test of Secure Scrum shows that the security level of software developed using Secure Scrum is higher then the security level of software developed pure Scrum.