Martin Tomanek,Jan Juricek

DOI: https://doi.org/10.48550/arXiv.1502.03595

2015-02-12

Software Engineering

Abstract:There is a lack of formal risk management techniques in agile software development methods Scrum. The need to manage risks in agile project management is also identified by various authors. Authors of this paper conducted a survey to find out the current practices in agile project management. Furthermore authors discuss the new integrated framework of Scrum and PRINCE2 with focus on risk management. Enrichment of Scrum with selected practices from the heavy-weight project management framework PRINCE2 promises better results in delivering software products especially in global development projects.

Chiem Trieu Phong,Wei Qi Yan

DOI: https://doi.org/10.4018/ijdcf.2014100104

2014-01-01

International Journal of Digital Crime and Forensics

Abstract:Penetration testing is an effort to attack a system using similar techniques and tools adopted by real hackers. The ultimate goal of penetration testing is to call to light as many existing vulnerabilities as possible, then come up with practical solutions to remediate the problems; thus, enhance the system security as a whole. The paper introduces concepts and definitions related to penetration testing, together with different models and methodologies to conduct a penetration test. A wide range of penetration testing state-of-the-art, as well as related tools (both commercial and free open source available on the market) are also presented in relatively rich details.

Martin Tomanek,Radim Cermak,Zdenek Smutny

DOI: https://doi.org/10.13140/2.1.1262.4165

2015-02-15

Abstract:Companies implement different frameworks and best practices with the objective to improve the project management success rate and improve the business adaptability to the changing business environment. Project management framework (PRINCE2) and agile development framework (Scrum) proved in many cases that they can meet these objectives. However, both frameworks are based on different principles and the use of both frameworks together should be carefully considered. A large amount of money and effort has been invested by companies into establishing their project management environment and processes that follow the classical phased approach where requirements are defined upfront and fixed. But companies want to react more quickly to new global challenges and to the changing business environment. These business requirements then result in the failure of many running projects. Therefore there is a need to enhance the current project management environment so that it is more agile and adoptive to changes. The objective of this paper is to create a conceptual framework that aggregates principles and processes from both frameworks (PRINCE2 and Scrum) with emphasis on their use in web development projects. This paper will discuss the advantages and disadvantages of using the two abovementioned frameworks. Different groups of readers can benefit from the results of this paper. It will help corporate management to decide how a company should set up its own specific framework for managing agile product development projects. Project managers will have a better understanding of agile development principles and how it fits in the classic project management framework. Last but not least, it will help product developers to work in more agile ways and survive in the controlled and complex project environment.

Software Engineering

Michal Kuciapski,Bartosz Marcinkowski

DOI: https://doi.org/10.12821/ijispm110402

2023-12-27

International Journal of Information Systems and Project Management

Abstract:Restrictive Scrum assumptions make the effectiveness of this approach debatable in projects deviating from typical execution conditions. This article delivers a comprehensive software development approach for both academic and commercial Information Technology (IT) projects effectuated by teams that are hampered by significantly unsystematic participation of project members and mercurial internal communication. The nature of ‘ad-hoc’ projects imposes another level of difficulty in terms of both managing the conduct of such a project and ensuring the quality of the end product. Multicyclic action research enabled a gradual adaptation of the Scrum approach to support such project conditions. This study introduces major alterations to Sprint implementation and minor enhancements within the documentation process to streamline knowledge sharing among Development Team members. Proposed key alterations include the evolution of Daily Scrum towards Weekly Scrum, the possibility of extending Sprints length, the eventuality to switch team members during Sprint due to substantial failure to meet deadlines, having at least two team members responsible for a single Product Backlog Item (PBI) at all times, as well as exclusion of Burndown Chart in favor for Development Team members updating their working time. Positive validation of enhancements in mixed settings confirms that the generic Scrum framework can be adapted to support highly volatile projects. The proposed approach is suitable not only for carrying out software development initiatives that rely heavily on the skills of external experts and/or volunteers. It also supports traditional Scrum teams that seek to reduce their exposure to risk arising from organizational changes.

Daniel Dalalana Bertoglio,Arthur Gil,Juan Acosta,Julia Godoy,Roben Castagna Lunardi,Avelino Francisco Zorzo

2023-11-22

Abstract:With the increasing number of internet-based resources and applications, the amount of attacks faced by companies has increased significantly in the past years. Likewise, the techniques to test security and emulate attacks need to be constantly improved and, as a consequence, help to mitigate attacks. Among these techniques, penetration test (Pentest) provides methods to assess the security posture of assets, using different tools and methodologies applied in specific scenarios. Therefore, this study aims to present current methodologies, tools, and potential challenges applied to Pentest from an updated systematic literature review. As a result, this work provides a new perspective on the scenarios where penetration tests are performed. Also, it presents new challenges such as automation of techniques, management of costs associated with offensive security, and the difficulty in hiring qualified professionals to perform Pentest.

Cryptography and Security

Jeremy Straub

2023-06-07

Abstract:Penetration testing increases the security of systems through tasking testers to 'think like the adversary' and attempt to find the ways that an attacker would break into the system. For many systems, this can be conducted in a safe and controlled way; however, some systems are so critical to human life and safety that the risk of their failure or disablement due to active penetration testing cannot be assumed. These systems are also critical to evaluate the security of, to prevent attackers from disabling them or causing their maloperation; however, this must be done in a manner that doesn't risk the very malady that testing seeks to avoid through the testing process itself. This paper presents P2SCP, a paradigm for penetration testing of systems that cannot be subjected to the risk of penetration testing. It discusses how data collection, the creation of digital twins and cousins and evaluative analysis can be utilized to conduct virtual penetration tests on critical infrastructure systems. This proposed paradigm is analyzed through the use of several case studies.

Cryptography and Security

S. Altayaran,Wael Elmedany

DOI: https://doi.org/10.1109/ICDABI53623.2021.9655950

2021-10-25

Abstract:The rising of technology in the 21st century grows in a way that we never thought of before. The COVID-19 pandemic shifted many organizations in different sizes, specialties, and sectors to work online, resulting in a critical need to secure their software, applications, and web-based applications. Furthermore, Organizations that do not implement security in the Software Development Life Cycle (SDLC) process often discover that their applications suffer from security flaws and security bugs, thus exposing their applications to attacks. Applying security measures to the SDLC will ensure that applications are secure from the early planning stages until release. Penetration testing is an essential security measure and is counted as one of the best security practices applied to applications because it focuses on the technical part of application security. Each kind of application the organization uses, in-house developed applications or on-the-shelf applications, has its method for penetration testing. This paper is a systematic literature review that examines the web application security measures and the penetration testing methods and tools to detect vulnerabilities on web applications. Moreover, it gives a general view of adapting penetration testing as a security approach to the SDLC.

Engineering,Medicine,Computer Science

Yang Wang,Jasmin Ramadani,Stefan Wagner

DOI: https://doi.org/10.48550/arXiv.1703.05375

2017-03-15

Software Engineering

Abstract:Agile techniques recently have received attention in developing safety-critical systems. However, a lack of empirical knowledge of performing safety assurance techniques in practice, especially safety analysis into agile development processes prevents further steps. In this article, we aim at investigating the feasibility and the effects of our S-Scrum development process, and stepwise improving and proposing an Optimized S-Scrum development process for safety-critical systems in a real environment. We conducted an exploratory case study in a one-year student project "Smart Home" at the University of Stuttgart, Germany. We participated in the project and collected quantitative and qualitative data from questionnaire, interviews, participant observation, physical artifacts, and documentation review. Furthermore, we evaluated the Optimized S-Scrum in industry by conducting interviews. The first-stage results showed that by integrating STPA (System-Theoretic Process Analysis) can ensure the safety during each sprint and enhance the safety of delivered products, while the agility of S-Scrum is slightly worse than the original Scrum. Six challenges have been explored: Management changes the team's priorities during an iteration; Disturbed safety-related communication; Non-functional requirements are determined too late; Insufficient upfront planning; Insufficient well-defined completion criteria; Excessive time to perform upfront planning. We investigated further the causalities and optimizations. The second-stage results revealed that the safety and agility have been improved after the optimizations. We have gained a positive assessment and suggestions from industry. The optimized S-Scrum is feasible for developing safety-critical systems concerning the capability to ensure safety and the acceptable agility in a student project. Further attempt is still needed in industrial projects.

Suresh Kannan Duraisamy,Bryce Bass,Sai Mukkavilli

DOI: https://doi.org/10.5121/ijsea.2021.12601

2021-11-30

Abstract:In the last couple of decades, the software development process has evolved drastically, starting from Big Bang to Waterfall to Agile. The primary driver for the evolution of the software was the “Speed of Delivery” of the Software Product which has significantly accelerated from months to less than weeks and days. For IT (Information Technology) Organizations to be successful, they inevitably need a strong technology presence to roll out new software and features as quickly as possible to their customer base. The current user generation tends to use technology to maximum potential and is always striving to keep up with the new trends. The main subject is for the organizations to be ready with their Speed of Delivery strategy adapting to all technology modernization initiatives like CICD (Continuous Integration and Continuous Deployment), Agile, DevOps, and Cloud so that there are negligible customer friction and no risks to their Market shares,. The aim of this paper is to compare the performance testing in every stage of the agile model to the traditional end testing. The results of the corresponding testing phases are presented in this paper.

Yunfei Ge,Quanyan Zhu

2024-09-22

Abstract:Penetration testing is an essential means of proactive defense in the face of escalating cybersecurity incidents. Traditional manual penetration testing methods are time-consuming, resource-intensive, and prone to human errors. Current trends in automated penetration testing are also impractical, facing significant challenges such as the curse of dimensionality, scalability issues, and lack of adaptability to network changes. To address these issues, we propose MEGA-PT, a meta-game penetration testing framework, featuring micro tactic games for node-level local interactions and a macro strategy process for network-wide attack chains. The micro- and macro-level modeling enables distributed, adaptive, collaborative, and fast penetration testing. MEGA-PT offers agile solutions for various security schemes, including optimal local penetration plans, purple teaming solutions, and risk assessment, providing fundamental principles to guide future automated penetration testing. Our experiments demonstrate the effectiveness and agility of our model by providing improved defense strategies and adaptability to changes at both local and network levels.

Cryptography and Security,Artificial Intelligence,Computer Science and Game Theory

Christoph Matthies,Thomas Kowark,Keven Richly,Matthias Uflacker,Hasso Plattner

DOI: https://doi.org/10.48550/arXiv.1809.00650

2018-09-03

Software Engineering

Abstract:Agile methods are best taught in a hands-on fashion in realistic projects. The main challenge in doing so is to assess whether students apply the methods correctly without requiring complete supervision throughout the entire project. This paper presents experiences from a classroom project where 38 students developed a single system using a scaled version of Scrum. Surveys helped us to identify which elements of Scrum correlated most with student satisfaction or posed the biggest challenges. These insights were augmented by a team of tutors, which accompanied main meetings throughout the project to provide feedback to the teams, and captured impressions of method application in practice. Finally, we performed a post-hoc, tool-supported analysis of collaboration artifacts to detect concrete indicators for anti-patterns in Scrum adoption. Through the combination of these techniques we were able to understand how students implemented Scrum in this course and which elements require further lecturing and tutoring in future iterations. Automated analysis of collaboration artifacts proved to be a promising addition to the development process that could potentially reduce manual efforts in future courses and allow for more concrete and targeted feedback, as well as more objective assessment.

Santosh B. Rane,Yahya Abdul Majid Narvel,Bhaskar M. Bhandarkar

DOI: https://doi.org/10.1108/bpmj-07-2017-0196

2019-09-02

Business Process Management Journal

Abstract:Purpose The ability of an organization to observe varying demands and efficiently meet them can be described as agility. Project procurement management (PPM) in the past was stable as things did not change very often and were very predictable. Due to hyper-competition, less predictable market and exponential innovation, the existing PPM becomes very unstable which marks the requirement of an agile model to manage procurement projects effectively. The paper aims to discuss this issue. Design/methodology/approach For achieving the improvements, various barriers to improving agility in PPM were identified from the literature and experts’ review, followed by obtaining quantified impacts of identified barriers from the experts using the Delphi technique. Finally, interpretive structural modeling along with Matrice d’ Impacts Croises Multiplication Appliqué an Classement analysis was used to analyze the interactions among barriers to prioritize and strategize their mitigation. Findings As per the analysis, the lack of top management alignment and commitment, lack of digital strategy, lack of new technology competencies and inefficiencies of financial factors were the most critical barriers that would come across while improving agility in PPM for any organization. Industries should have a stable, well-established and supportive top management that has a vision for digital transformation along with upgrading the companies’ technology layer for automating most of the manual processes to have intelligent decision-making capability. Originality/value Industries need to be agile in their operations for being more competitive and responsive to the market. PPM being the most critical part of the entire value chain needs to be agile in the first place. The strategies developed as an output of this research can be utilized by industries for improving agility in their business processes.

management,business

Hugo Villamizar,Marcos Kalinowski,Marx Viana,Daniel Méndez Fernández,Daniel Mendez Fernandez

DOI: https://doi.org/10.1109/seaa.2018.00080

2018-08-01

Abstract:[Background] The rapidly changing business environments in which many companies operate is challenging traditional Requirements Engineering (RE) approaches. This gave rise to agile approaches for RE. Security, at the same time, is an essential non-functional requirement that still tends to be difficult to address in agile development contexts. Given the fuzzy notion of “agile” in context of RE and the difficulties of appropriately handling security requirements, the overall understanding of how to handle security requirements in agile RE is still vague. [Objective] Our goal is to characterize the publication landscape of approaches that handle security requirements in agile software projects. [Method] We conducted a systematic mapping to outline relevant work and contemporary gaps for future research. [Results] In total, we identified 21 studies that met our inclusion criteria, dated from 2005 to 2017. We found that the approaches typically involve modifying agile methods, introducing new artifacts (e.g., extending the concept of user story to abuser story), or introducing guidelines to handle security issues. We also identified limitations of using these approaches related to environment, people, effort and resources. [Conclusion] Our analysis suggests that more effort needs to be invested into empirically evaluating the existing approaches and that there is an avenue for future research in the direction of mitigating the identified limitations.

Stefan Wagner

DOI: https://doi.org/10.48550/arXiv.1611.07067

2016-11-21

Software Engineering

Abstract:Software development needs continuous quality control for a timely detection and removal of quality problems. This includes frequent quality assessments, which need to be automated as far as possible to be feasible. One way of automation in assessing the security of software are application scanners that test an executing software for vulnerabilities. At present, common quality assessments do not integrate such scanners for giving an overall quality statement. This paper presents an integration of application scanners into a general quality assessment method based on explicit quality models and Bayesian nets. Its applicability and the detection capabilities of common scanners are investigated in a case study with two open-source web shops.

George Grispos,William Bradley Glisson,Tim Storer

DOI: https://doi.org/10.48550/arXiv.1408.2431

2014-08-11

Cryptography and Security

Abstract:In today's globally networked environment, information security incidents can inflict staggering financial losses on organizations. Industry reports indicate that fundamental problems exist with the application of current linear plan-driven security incident response approaches being applied in many organizations. Researchers argue that traditional approaches value containment and eradication over incident learning. While previous security incident response research focused on best practice development, linear plan-driven approaches and the technical aspects of security incident response, very little research investigates the integration of agile principles and practices into the security incident response process. This paper proposes that the integration of disciplined agile principles and practices into the security incident response process is a practical solution to strengthening an organization's security incident response posture.

Stefan Wagner

DOI: https://doi.org/10.1145/2593812.2593819

2017-03-20

Abstract:Agile development processes and especially Scrum are changing the state of the practice in software development. Many companies in the classical IT sector have adopted them to successfully tackle various challenges from the rapidly changing environments and increasingly complex software systems. Companies developing software for embedded or cyber-physical systems, however, are still hesitant to adopt such processes. Despite successful applications of Scrum and other agile methods for cyber-physical systems, there is still no complete process that maps their specific challenges to practices in Scrum. We propose to fill this gap by treating all design artefacts in such a development in the same way: In software development, the final design is already the product, in hardware and mechanics it is the starting point of production. We sketch the Scrum extension Scrum CPS by showing how Scrum could be used to develop all design artefacts for a cyber physical system. Hardware and mechanical parts that might not be available yet are simulated. With this approach, we can directly and iteratively build the final software and produce detailed models for the hardware and mechanics production in parallel. We plan to further detail Scrum CPS and apply it first in a series of student projects to gather more experience before testing it in an industrial case study.

Software Engineering,Systems and Control

H. Villamizar,A. A. Neto,M. Kalinowski,A. Garcia,D. Mendez Fernández

DOI: https://doi.org/10.48550/arXiv.1906.11432

2019-06-27

Abstract:Defects in requirements specifications can have severe consequences during the software development lifecycle. Some of them result in overall project failure due to incorrect or missing quality characteristics such as security. There are several concerns that make security difficult to deal with; for instance, (1) when stakeholders discuss general requirements in (review) meetings, they are often not aware that they should also discuss security-related topics, and (2) they typically do not have enough security expertise. These concerns become even more challenging in agile development contexts, where lightweight documentation is typically involved. The goal of this paper is to design and evaluate an approach to support reviewing security-related aspects in agile requirements specifications of web applications. The designed approach considers user stories and security specifications as input and relates those user stories to security properties via Natural Language Processing (NLP) techniques. Based on the related security properties, our approach then identifies high-level security requirements from the Open Web Application Security Project (OWASP) to be verified and generates a focused reading techniques to support reviewers in detecting detects. We evaluate our approach via two controlled experiment trials, comparing the effectiveness and efficiency of novice inspectors verifying security aspects in agile requirements using our reading technique against using the complete list of OWASP high-level security requirements. The (statistically significant) results indicate that using the reading technique has a positive impact (with very large effect size) on the performance of inspectors in terms of effectiveness and efficiency.

Software Engineering

Sandra Smyth

2023-12-18

Abstract:As per Adusumilli (2015),'70% of corporate business systems today are legacy applications. Recent statistics prove that over 60% of IT budget is spent on maintaining these Legacy systems, showing the rigidity and the fragile nature of these systems.' Usually, testing is included during the software development cycle, using testing techniques such as unit testing, integration testing, and system testing before releasing the product. After the software product is released to production, no additional testing is done; the testing process is back to the table only when modifications are made. Techniques such as regression testing are included to ensure the changes do not affect existing functionality, but testing nonfunctional features that are rarely included in such regression tests' scope. Schrader (2021) affirms that 'legacy systems are often maintained only to ensure function,' and IT organizations may fail to consider the cybersecurity perspective to remain secure. Legacy systems are a high-risk component for the organization that must be carefully considered when structuring a cyber security strategy. This paper aims to help the reader understand some measures that can be taken to secure legacy systems, explaining what penetration testing is and how this testing technique can help secure legacy systems. Keywords: Testing, legacy, security, risks, prevention, mitigation, pentesting.

Software Engineering

Valpadasu Hema,Sravanthi Thota,S Naresh Kumar,Ch Padmaja,C. Bala Rama Krishna,K Mahender

DOI: https://doi.org/10.1088/1757-899X/981/2/022060

2020-12-05

IOP Conference Series: Materials Science and Engineering

Abstract:Present days the world is surviving with respect to the software products. The development of the software product is a challenging issue and to run with the competitive world rapid development of software products are necessary. It is not enough to go with the traditional software development products like waterfall model, spiral model and all. Here we proposed the SCRUM TOOL, one of the effective techniques of Agile Methodology. Agile is an incremental and timeframe iterative approach. It supplies the software developers with a working framework for traditional software development practices like waterfall model. Although the traditional models are best suited for small products where there is no changing requirements but not suitable for the products which have rapidly changing requirements and thus here we recommend SCRUM methodology. In this approach we can develop the software product by taking the regular feedback from the customer through review meetings. So whenever the customer requests the changes we can upgrade the product with respect to those changes and can also develop the product more efficiently and rapidly.