The Second International Workshop on Agile Secure Software Development

to be held in conjunction with the 11th International Conference on Availability, Reliability and Security
(ARES 2016 – http://www.ares-conference.eu)

August 31 – September 2, 2016
Salzburg, Austria

Most organizations use agile software development methods, such as Scrum and XP, to develop their software. Agile methods support controlling software changes and incorporating lessons learned from previous experience. For example, they allow requirements to change, prefer frequent deliveries, and use lightweight documentation. These characteristics, among others, are associated with challenges for developing secure software using agile methods. On the positive side, they allow for efficient and effective use of resources (money and time) to address the greatest security risks for the software.

The goal of the workshop is to bring together security and software development researchers to share their findings, experiences, and positions on developing secure software using agile methods. The workshop aims to encourage the use of scientific methods to investigate the challenges of using the agile approach to develop secure software. It also aims to increase communication between security researchers and software development researchers, to enable the development of techniques and best practices for developing secure software using agile methods.

Invited Speaker: (more information below)

Hasan Yasar, Carnegie Mellon University, US 
How to include Security into Software Lifecycle: Secure DevOps!

Topics of interest comprise but are not limited to:
Experience with secure DevOps
Data-driven secure software development
Challenges for agile development of secure software
Incremental development of cyber-physical systems
Secure software development training and education
Tools supporting incremental secure software development
Usability of agile secure software development
Security awareness for software developers
Security and robustness testing in agile development

Important Dates

Submission Deadline: April 15, 2016, extended to May 1, 2016
Author Notification: May 30, 2016
Proceedings Version: June 20, 2016
Conference: August 31 – September 2, 2016

Workshop Chairs

Juha Röning
University of Oulu
juha[.]roning[at]oulu.fi

Lotfi ben Othmane
Fraunhofer SIT, Germany
lotfi[.]ben[.]othmane[at]sit.fraunhofer.de

Program Committee

Benjamin Aziz, University of Portsmouth, UK
Achim Brucker, University of Sheffield, UK
Bengt Carlsson, Uppsala University, Sweden
Daniela Cruzes, SINTEF, Norway
Andrey Hoursanov, SAP AG, Germany
Martin Jaatun, SINTEF ICT, Norway
Joern Eichler, Fraunhofer AISEC
Khaled Khan, Qatar University, Qatar
Lotfi ben Othmane, Fraunhofer SIT, Germany
Juha Röning, University of Oulu, Finland
Gerald Quirchmayr, University of Vienna, Austria
Antti Vähä-Sipilä, F-Secure, Finland
Michael Waidner, Fraunhofer SIT, Germany
Edgar Weippl, SBA Research, Austria

Submission

The proceedings of ARES (including workshops) have been published by Conference Publishing Services (CPS). The submission guidelines valid for the ASSD workshop are the same as for the ARES conference. They can be found >>here<<.

Authors of selected papers that are accepted by and presented at the workshop will be invited to submit an extended version to special issues of international journals.

Invited Speaker

Hasan Yasar, Carnegie Mellon University, US

How to include Security into Software Lifecycle: Secure DevOps!

Abstract: As a general thought, “software security” often evokes negative feelings among software developers, since this term is associated with additional programming effort, uncertainty and road-blocking activity on fast development and release cycles. To secure software, developers must follow a lot of guidelines that, while intended to satisfy some regulation or other, can be very restricting and hard to understand. As a result, a lot of fear, uncertainty, and doubt can surround software security. This talk describes how the Secure DevOps movement attempts to combat the toxic environment surrounding software security by shifting the paradigm from following rules and guidelines to creatively determining solutions for tough security problems. Emphasizing a set of DevOps principles enables developers to learn more about what they are developing and how it can be exploited. Rather than just blindly following the required security practices and identified security controls, developers can understand how to think about making their applications secure. As a result, they can derive their own creative ways to solve security problems as part of understanding the challenges associated with secure software development. Rather than reacting to new attacks, secure software should be proactively focused on surviving by providing reliable software with a reduced attack surface that is quick both to deploy and restore. In other words, developers worry less about being hacked and more about preventing predictable attacks and quickly recovering from cyber incidents. In the past, software security focused on anticipating where and how the attacks would come and putting up barriers to prevent those attacks. However, most attacks–especially sophisticated attacks–can’t be anticipated, which means that fixes are bolted on as new attacks are discovered. The inability to anticipate attacks is why we often see patches coming out in response to new 0-day vulnerabilities.
Secure DevOps developers would rather their software absorb the attacks and continue to function. In other words, it should bend but not break. This shift in thinking from a prevent to a bend-don’t-break mindset allows for a lot more flexibility when it comes to dealing with attacks. Achieving a secured lifecycle requires the development team to focus on continuous integration, infrastructure as code, eliminating denial of service (DoS), and limiting the attack surface. A look at how DevOps principles can be applied to the software development process regardless of size or industry type. The burgeoning concepts of DevOps include a number of concepts that can be applied to increasing the security of developed applications. These include adding automated security testing techniques, such as fuzz testing and software penetration testing, to the software development cycle or the system integration cycle. Other techniques include standardizing the integration cycle in order to reduce the possibility of the introduction of faults, and introducing security concerns and constraints to software and system development teams at the inception of projects rather than applying them after the fact. Applying these and other DevOps principles can have a big impact on creating an environment that is resilient and secure. Examples of how DevOps principles were applied on projects will be discussed, along with lessons learned and some ideas on how to apply them to development and acquisition. Specifically in this talk, I will clearly explain how to address security concerns early in the development lifecycle and the way of addressing these threats at many decision points, and share a reference architecture for automated security analysis during integration or in the deployment and delivery phases.

Hasan Yasar is the technical manager of the Secure Lifecycle Solutions group in the CERT Division of the Software Engineering Institute, Carnegie Mellon University. Hasan leads an engineering group on software development processes and methodologies, specifically on DevOps and development, and researches advanced image analysis, cloud technologies, and big data problems while providing expertise and guidance to SEI’s clients. Hasan has more than 25 years’ experience as a senior security engineer, software engineer, software architect and manager in all phases of secure software development and information modeling processes. He has extensive knowledge of current software tools and techniques. He also has specialized experience in secure software solutions design and development in the cybersecurity domain, including data-driven investigation and collaborative incident management, network security assessment, automated, large-scale malware triage/analysis, medical records management, accounting, simulation systems and document management. He is also an Adjunct Faculty member in CMU Heinz College and Institute of Software Research, where he currently teaches “Software and Security” and “DevOps – Modern Deployment”.

His current areas of professional interests focus on:

Secure Software Development including threat modeling, risk management framework and software assurance model
Secure DevOps process, methodologies and implementation
Software Development Methodologies (Agile, SAFe, DevOps)
Cloud based application development, deployment and operations
Software Architecture, Design, Development and Management of large-scale enterprise systems

 

 
