978-1-5386-4315-0/18/$31.00 ©2018 IEEE
Reframing Security in Contemporary Software Development Life Cycle
Dr. Pieter Frijns
Bureau Gateway
Ministry of Interior
The Hague, The Netherlands
pieter.frijns@minbzk.nl
Robert Bierwolf, MScEng. SMIEE
MBBI bv, IEEE TEMS
Utrecht, The Netherlands
robert.bierwolf@xs4all.nl;
robert.bierwolf@ieee.org
Tom Zijderhand, BSc.
Deloitte Risk Advisory B.V.
Deloitte Touche Tohmatsu Limited
Amsterdam, The Netherlands
tzijderhand@deloitte.nl
Abstract— The purpose of the current paper is to gain insight into the manner in which security is taken into account when building information systems, in particular by comparing the concepts of Agile Scrum and DevOps along the phases of the Software Development Life Cycle (SDLC), using the Open Software Assurance Maturity Model as a measure and the Lucky Clover Model to address the soft and hard factors in terms of Content, Process, Relation and Culture, which leads to a new framework. The initial results, based on desk research, confirm the general notion that there is limited coverage of security in such frameworks. The DevOps approach covers security only partially, and does so primarily in the later stages of the SDLC, although it embraces cultural aspects more. Cultural aspects relating to shared values and behavior are not operationalized. Given the impact of security in today's ever-digitalizing society, the recommendation is that security is not just a feature but should be an inherent part of the iterative software development approach, starting with the Minimal Viable Product version; hence security by design is embraced by the team. Secondly, security is neither only a technical nor only a procedural issue. Hence it is not only the hard controls (Content and Process) that should be taken into account; the soft controls (Relations and Culture) should also be managerially addressed, in a balanced manner.
Keywords— Software Development Life Cycle (SDLC), Project Management, DevOps, Agile, Scrum, OpenSAMM, Security, Lucky Clover, Behavior
I. INTRODUCTION
The digital transformation of society is continuing at a faster pace than ever, exponentially: information technology (IT) has become the business, enabled by technology and triggered by ongoing disruptive innovation, which impacts organizations in their technology management and operations [1].
Ever more organizations depend on each other for realizing their goals; eco-systems emerge, ranging from structural partnerships (e.g., joint ventures, tier 1 suppliers) to, more often, temporary collaborations for the duration of the intended joint result (e.g., consortia). Hence an increasingly dynamic, networked society is emerging, the volatile-uncertain-complex-ambiguous (VUCA) world, requiring adapted approaches [2]. Resilience becomes essential, e.g., in a just-in-time supply chain network [3], demanding flexibility from people and organizations. Agility from the organizational perspective is described as: “an agile organization (designed for both stability and dynamism) is a network of teams within a people-centered culture that operates in rapid learning and fast decision cycles which are enabled by technology, and that is guided by a powerful common purpose to co-create value for all stakeholders.” [4]. This impacts IT development and management processes, which must fit these needs and dynamics, e.g., by using Agile Scrum [5], [6] and DevOps [7], [8] in the software development life cycle (SDLC) [9], [10].
With the increasing digitization rate, fast-growing digital data, and growing numbers of communication links between systems and organizations, the number of security risks is also increasing [11]. The authors' experiences in and from IT audit reveal that security aspects are not taken into account as frequently as they should be in these digitalizing organizations, e.g., as imposed by standards such as the ISO 27000 series [12].
The questions that emerge are to what extent: [a] is, should, and could this feature of security be embraced by the product owners and addressed in approaches such as Agile and DevOps, and how could it be managed?; [b] is the noted insufficient adoption due to the behavior of professionals or to an inherent limitation of the approaches?; [c] the general question: to what extent do these new approaches of Agile and DevOps support, at all or by design, the needs arising from the ongoing digitalization as well as the increasing demands on security?
The first section of the paper presents the concepts of Agile Scrum, DevOps and security. The second section reports the findings of the initial desk research. The desk research comprised comparing the concepts of Agile and DevOps along the phases of the SDLC, using the Open Software Assurance Maturity Model [13] as a measure and the Lucky Clover Model [14] to address the soft and hard factors in terms of Content, Process, Relation and Culture, which leads to a new framework.
II. THE CONCEPTS
The desk research used some existing concepts or frameworks, such as the Software Development Life Cycle, Agile Scrum, DevOps, and Security based on OpenSAMM.