The workshop was an opportunity to share experiences and ideas about developing secure software using the agile processes. Hasan Yasar from the Software Engineering Institute (SEI), CMU opened the sessions with a keynote talk on the experience of SEI in integrating security to DevOps for its clients. He talked about on how DevOps principles were applied to develop secure applications, from idea to delivery of a completed application to production environment, also including operational support and incident response. He explained how to address application security concerns at early development lifecycle and how to address threats at different decisions point using integrated DevOps platforms. He emphasized the value of reference architecture, team collaboration, organization’s culture, considering security through development lifecycle, and continuous feedback.
The keynote was followed by a talk given by Vaishnavi Mohan, who discussed the aspects that SecDevOps authors have been discussing in the literature. Tosin Daniel Oyetoyan reported, in the second session, about his study on the relationships between software security skills, usage and training needs in Agile settings in two Norwegian companies. They observed that there is a positive linear relationship between the practice of security activities in software development projects and the skills and knowledge of the participating developers about software security. This suggests, if confirmed with more studies, that training developers on developing secure software leads to the production of secure software. Next Kalle Rindell gave an overview about the experience he has with his colleagues in building secure identity management system in an agile environment for the Finnish government. Lotfi ben Othmane discussed in the third talk the study they had on incremental security assurance for the e-commerce software, Zen Cart.
In the afternoon session Chad Heitzenrater discussed the application of economic utility functions within the negative use case development process to help development managers decide on the alternatives to mitigate the abuse cases. The presentation was followed by the talk of Daniela S. Cruzes, who reported about a study they performed to identify the factors that influence testing of nonfunctional requirements in agile teams, which are priority, culture, awareness, time pressure, cost, and technical issues.
The full ARES program, including the workshop program is available here