A process for mastering security evolution in the development lifecycle

Introduction

International Journal on Software Tools for Technology Transfer

Abstract

Continuous system evolution makes it challenging to keep software systems permanently secure, as changes either in the system itself or in its environment may cause new threats and vulnerabilities. Therefore, suitable activities aligned with the software development process are required to master security evolution. This introduction to the special section on eternal security evolution presents a process for handling security evolution throughout the software development lifecycle and uses this process to position the individual contributions. We first present the underlying security development process comprising the phases initialization, security analysis, security design, security implementation, security testing, and security deployment. On this basis, we define the security evolution process comprising the activities security requirements review, adaptation of design models, code fixing and patch development, regression testing, and re-deployment. Finally, the defined security evolution activities are discussed in the context of the four articles on eternal security evolution presented in this special section of the International Journal on Software Tools for Technology Transfer.


Acknowledgments

This research was partially funded by the research projects QE LaB—Living Models for Open Systems (FFG 822740) and MOBSTECO (FWF P 26194-N15).

Author information

Corresponding author

Correspondence to Michael Felderer.

About this article

Cite this article

Felderer, M., Katt, B. A process for mastering security evolution in the development lifecycle. Int J Softw Tools Technol Transfer 17, 245–250 (2015). https://doi.org/10.1007/s10009-015-0371-4

  • DOI: https://doi.org/10.1007/s10009-015-0371-4
