Agile Software Development
Williams L., Meneely A., Shipley G., Protection Poker: The New Software Security “Game” in IEEE Privacy & Security 2010, to appear
Tracking organizations such as the US CERT show a continuing rise in security vulnerabilities in software, increasing awareness of insecure coding practices. Not all discovered vulnerabilities are equal – some have the potential to cause much more damage to organizations and individuals than others. In the inevitable absence of infinite resources, software development teams need to prioritize security fortification efforts to prevent the most damaging attacks. We propose the Protection Poker “game” as a collaborative means of guiding this prioritization. A case study of a Red Hat IT software maintenance team demonstrated the potential of Protection Poker for improving software security practices and team software security knowledge.
Williams, L., Gegick, M., and Meneely, A., Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer, International Symposium on Engineering Secure Software and Systems (ESSoS) 2009, Leuven, Belgium, to appear.
Discovery of security vulnerabilities is on the rise. As a result, software development teams must place a higher priority on preventing the injection of vulnerabilities in software as it is developed. Because the focus on software security has increased only recently, software development teams often do not have expertise in techniques for identifying security risk, understanding the impact of a vulnerability, or knowing the best mitigation strategy. We propose the Protection Poker activity as a collaborative and informal form of misuse case development and threat modeling that plays off the diversity of knowledge and perspective of the participants. An excellent outcome of Protection Poker is that security knowledge is passed around the team. Students in an advanced undergraduate software engineering course at North Carolina State University participated in a Protection Poker session conducted as a laboratory exercise. Students actively shared misuse cases, threat models, and their limited software security expertise as they discussed vulnerabilities in their course project. We observed students relating vulnerabilities to the business impacts of the system. Protection Poker led to a more effective software security learning experience than in prior semesters. A pilot of the use of Protection Poker with an industrial partner began in October 2008. The first security discussion structured via Protection Poker caused two requirements to be revised for added security fortification; led to the immediate identification of one vulnerability in the system; initiated a meeting on the prioritization of security defects; and instigated a call for an education session on preventing cross-site scripting vulnerabilities.
Ho, Chih-wei, Johnson, Michael, Williams, L., Maximilien, E. M., On Agile Performance Requirements Specification and Testing, Agile 2006, Minneapolis, ISBN 0-7695-2562-8/06, electronic proceedings, 6 pages.
Underspecified performance requirements can cause performance issues in a software system. However, a complete, upfront analysis of a software system is difficult, and usually not desirable. We propose an evolutionary model for performance requirements specifications and corresponding validation testing. The principles of the model can be integrated into agile development methods. Using this approach, the performance requirements and test cases can be specified incrementally, without big upfront analysis. We also provide a post hoc examination of a development effort at IBM that had a high focus on performance requirements. The examination indicates that our evolutionary model can be used to specify performance requirements such that the level of detail is commensurate with the nature of the project. Additionally, the IBM experience indicates that test driven development-type validation testing corresponding to the model can be used to determine if performance objectives have been met.
Sanchez, J., Williams, L., and Maximilien, M., A Longitudinal Study of the Test-driven Development Practice in Industry, Agile 2007, Washington, DC, pp. 5-14.
Williams, L., On the Stickiness of Agility in Software Development, Cutter Benchmark Review, Vol. 7, No. 7, pp. 5-12, July 2007.
Layman, L., Williams, L., Damian, D., Bures, H., Essential Communication Practices for Extreme Programming in a Global Software Development Team, Information and Software Technology, Vol. 48, No. 9, pp. 781-794, September 2006.