Conference: IEEE International Conference on Technology Management, Operations and Decisions

Reframing Security in Contemporary Software Development Life Cycle


Abstract

The purpose of the current paper is to gain insight into the manner in which security is taken into account when building information systems. In particular, it compares the concepts of Agile Scrum and DevOps along the phases of the Software Development Life Cycle (SDLC), using the Open Software Assurance Maturity Model as a measure and the Lucky Clover Model to address the soft and hard factors in terms of Content, Process, Relation and Culture, which leads to a new framework. The initial results, based on desk research, confirm the general notion that there is limited coverage of security in such frameworks. The DevOps approach covers security only partially, and does so primarily in the later stages of the SDLC; it also embraces cultural aspects more. Cultural aspects relating to shared value and behavioral aspects are not operationalized. Given the impact of security in today's ever-digitalizing society, the recommendation is that security is not just a feature but should be an inherent part of the iterative software development approach, starting with the Minimal Viable Product version. Hence security by design is embraced by the team. Secondly, security is neither only a technical nor only a procedural issue. Hence it is not only the hard controls (Content and Process) that should be taken into account; soft controls (Relations and Culture) should also be managerially addressed in a balanced manner.