Recent software development methodologies, as DevOps or Agile, are very popular and widely used, especially for the development of cloud services and applications. They dramatically reduce the time-to-market of developed software but, at the same time, they can be hardly integrated with security design and risk management methodologies. These cannot be easily automated and require big economic investments, due to the necessity of security experts in the development team and to the lack of automatic tools to evaluate risk and to assess security in the design and operation phases. This paper presents a novel Security-by-Design methodology based on Security Service Level Agreements (SLAs), which can be integrated within modern development processes and that is able to support the risk management life-cycle in an almost-completely automated way. In particular, it relies upon a guided risk analysis process and a completely automated security assessment phase, which enable to assess the security properties granted by a cloud application and to report them in a Security SLA. We validated the proposed methodology with respect to a real case study, which showed its effectiveness in improving the awareness of designer and developer teams on security aspects and in reducing the secure design process time.

A novel Security-by-Design methodology: Modeling and assessing security by SLAs with a quantitative approach

Villano U.
2020-01-01

Abstract

Recent software development methodologies, as DevOps or Agile, are very popular and widely used, especially for the development of cloud services and applications. They dramatically reduce the time-to-market of developed software but, at the same time, they can be hardly integrated with security design and risk management methodologies. These cannot be easily automated and require big economic investments, due to the necessity of security experts in the development team and to the lack of automatic tools to evaluate risk and to assess security in the design and operation phases. This paper presents a novel Security-by-Design methodology based on Security Service Level Agreements (SLAs), which can be integrated within modern development processes and that is able to support the risk management life-cycle in an almost-completely automated way. In particular, it relies upon a guided risk analysis process and a completely automated security assessment phase, which enable to assess the security properties granted by a cloud application and to report them in a Security SLA. We validated the proposed methodology with respect to a real case study, which showed its effectiveness in improving the awareness of designer and developer teams on security aspects and in reducing the secure design process time.
2020
Secure Cloud Application Development; Security Assessment; Security metrics; Security models; Security Service Level Agreement; Security-by-Design methodologies
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/20.500.12070/43945
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 51
  • ???jsp.display-item.citation.isi??? 34
social impact