Security testing in agile web application development - A case study using the EAST methodology

Lecture Notes in Business Information Processing

Volumn 48 LNBIP, Issue , 2010, Pages 14-27

  Erdogan, Gencer ^a   Meland, Per Håkon ^b   Mathieson, Derek ^a  

^a CERN   (Switzerland)

^b SINTEF ICT   (Norway)

Author keywords

Scrum; Security testing; Web applications

Indexed keywords

SOFTWARE ENGINEERING; WORLD WIDE WEB;

AD HOC APPROACH; AGILE DEVELOPMENT ENVIRONMENTS; SCRUM; SECURITY TESTING; WEB APPLICATION; WEB APPLICATION DEVELOPMENT; WEB APPLICATION SECURITY; WEB APPLICATION VULNERABILITY;

SECURITY OF DATA;

EID: 80455177539     PISSN: 18651348     EISSN: None     Source Type: Book Series    
DOI: 10.1007/978-3-642-13054-0_2     Document Type: Conference Paper

References (37)

1. Jazayeri, M.: Some trends in Web application development. In: International Conference on Software Engineering, pp. 199-213. IEEE Computer Society, Washington (2007) (Pubitemid 47484926)
2. McDonald, A., Welland, R.: Agile web engineering (AWE) process. Technical report, Department of Computer Science, University of Glasgow, UK (December 2001)
3. Kongsli, V.: Towards agile security in web applications. In: Companion to the 21st ACM SIGPLAN symposium on Object-oriented programming systems, languages, and applications (2006)
4. Ge, X., Paige, R.F., Polack, F.A.C., Chivers, H., Brooke, P.J.: Agile development of secure web applications. In: Proceedings of the 6th international conference on Web engineering. ACM, New York (2006)
5. Chivers, H., Paige, R.F., Ge, X.: Agile security using an incremental security architecture. In: Baumeister, H., Marchesi, M., Holcombe, M. (eds.) XP 2005. LNCS, vol. 3556, pp. 57-65. Springer, Heidelberg (2005) (Pubitemid 41424950)
6. Siponen, M., Baskerville, R., Kuivalainen, T.: Integrating security into agile development methods. In: Proceedings of the 38th Annual Hawaii International Conference on System Sciences, vol. 7, p. 185a (2005)
7. Wayrynen, J., Bodén, M., Bostrom, G.: Security Engineering and eXtreme Programming: An Impossible Marriage? In: Zannier, C., Erdogmus, H., Lindstrom, L. (eds.) XP/Agile Universe 2004. LNCS, vol. 3134, pp. 117-128. Springer, Heidelberg (2004)
8. Beznosov, K.: Extreme Security Engineering: On Employing XP Practices to Achieve "Good Enough Security" without Defining It. In: First ACM Workshop on Business Driven Security Engineering (BizSec), Fairfax, VA (2003)
9. Agile Manifesto, http://agilemanifesto.org/ (Last date accessed 2009-12-10)
10. Hieatt, E., Mee, R.: Going Faster: Testing TheWeb Application. IEEE Software 19, 60-65 (2002) (Pubitemid 34249427)
11. Di Lucca, G.A., Fasolino, A.R., Faralli, F., De Carlini, U.: Testing Web applications. In: Proceedings of International Conference on Software Maintenance, pp. 310-319 (2002) (Pubitemid 35406598)
12. Di Lucca, G.A., Fasolino, A.R.: Testing Web-based applications: The state of the art and future trends. Information and Software Technology 48, 1172-1186 (2006) (Pubitemid 44693351)
13. Turner, D., Fossi, M., Johnson, E., Mack, T., Blackbird, J., Entwisle, S., Low, M.K., McKinney, D., Wueest, C.: Symantec Internet Security Threat Report: Trends for July-December 2007. Technical report, Symantec Corporation, Vol. XIII (2008)
14. Thompson, H.H.: Why Security Testing Is Hard. IEEE Security & Privacy 1, 83-86 (2003)
15. Tappenden, A., Beatty, P., Miller, J., Geras, A., Smith, M.: Agile security testing of Web-based systems via HTTP Unit. In: Proceedings of Agile Conference, pp. 29-38 (2005) (Pubitemid 46379839)
16. Peeters, J.: Agile Security Requirements Engineering. In: Symposium on Requirements Engineering for Information Security (2005)
17. McGraw, G.: Software Security: Building Security. Addison-Wesley, Reading (2006)
18. Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Engineering 10, 34-44 (2005)
19. Røstad, L.: An extended misuse case notation: Including vulnerabilities and the insider threat. In: The Twelfth Working Conference on Requirements Engineering: Foundation for Software Quality (2006)
20. Arkin, B., Stender, S., McGraw, G.: Software penetration testing. IEEE Security & Privacy 3, 84-87 (2005) (Pubitemid 40325588)
21. Thompson, H.H.: Application penetration testing. IEEE Security & Privacy 3, 66-69 (2005) (Pubitemid 40325585)
22. The Open Web Application Security Project. OWASP Testing Guide V3.0, http://www.owasp.org/index.php/Category:OWASP-Testing-Project (Last date accessed 2009-11-13)
23. Rus, I., Lindvall, M.: Knowledge management in software engineering. IEEE Software 19, 26-38 (2002) (Pubitemid 34631149)
24. Davidson, M.: Survey: Agile interest high, but waterfall still used by many. Agile Trends Survey (2008), http://searchsoftwarequality.techtarget.com/ news/article/0,289142,sid92-gci1318992,00.html (Last date accessed 2009-11-26)
25. Wysopal, C., Nelson, L., Dustin, E., Nelson, L., Zovi, D.D.: The Art of Software Security Testing. Addison-Wesley, Reading (2006)
26. Erdogan, G., Baadshaug, E.T.: Extending SeaMonster to support vulnerability inspection modeling. Technical report, NTNU, Department of computer and information science (2008)
27. BugTraq mailing list, http://www.securityfocus.com/archive/1 (Last date accessed 2009-11-13)
28. Common Vulnerabilities and Exposures, http://cve.mitre.org/ (Last date accessed 2009-11-13)
29. Computer Emergency Readiness Team (CERT), http://www.cert.org/ (Last date accessed 2009-11-13)
30. OWASP Top 10 vulnerabilities, http://www.owasp.org/index.php/Top-10-2007 (Last date accessed 2009-11-13)
31. Hope, P.,Walther, B.:Web Security Testing Cookbook. O'Reilly, Sebastopol (2008)
32. The OpenWeb Application Security Project. OWASP Testing Guide V3.0, http://www.owasp.org/index.php/Category:OWASP-Testing-Project (Last date accessed 2009-12-02)
33. Andrews, M.: Guest Editor's Introduction: The State of Web Security. IEEE Security and Privacy 4, 14-15 (2006)
34. PMD - Java source code scanner (Static Analysis Tool), http://pmd.sourceforge.net/ (Last date accessed 2009-11-14)
35. Acunetix Web Vulnerability Scanner, http://www.acunetix.com/ (Last date accessed 2009-11-14)
36. SeaMonster V3.0, http://sourceforge.net/projects/seamonster/ (Last date accessed 2009-11-14)
37. Baca, D., Petersen, K., Carlsson, B., Lundberg, L.: Static Code Analysis to Detect Software Security Vulnerabilities - Does Experience Matter? In: IEEE International Conference on Availability, Reliability and Security, pp. 804-810 (2009)