Digital Security Seminar, Carleton University

Towards Agile Security Assurance

Dr. Konstantin Beznosov

ABSTRACT

Agile development methods are promising to become the next generation replacing water-fall development. They could eventually replace the plan-driven methodologies not only in pure software solutions in such benign domains as word processing and office automation but also in security-critical projects with both software and hardware parts developed or integrated together. At the same time, the accepted practices for security assurance appear to go totally contrary to agile approaches. Can and how security assurance be adopted by agile developers? What needs to be done for the adoption to happen? This work makes a first step towards answering these questions in a pursuit for agile security assurance. It re-examines the conventional practices of security assurance to find out how well they suite agile development methodologies. It classifies security assurance methods and techniques with regards to their clash with agile development. For those in conflict, ways of alleviating it are suggested. Paper available at: http://konstantin.beznosov.net/professional/papers/Towards_Agile_Security_Assurance.html

BIOGRAPHY

Konstantin Beznosov is an Assistant Professor at the Department of Electrical and Computer Engineering, University of British Columbia (UBC), Vancouver, British Columbia, Canada. He joined UBC in August 2003 after working as a Security Architect at Quadrasis, Hitachi Computer Products (America), Inc (HICAM), where he designed and developed products for security integration of enterprise applications. Before HICAM, Dr. Beznosov consulted large telecommunication and banking companies on the architecture of security solutions for distributed enterprise applications, as a Security Architect at Concept Five Technologies. Prior to graduating from Florida International University (FIU) in 2000 with a Ph.D. in Computer Science, Dr. Beznosov was a Senior Research Associate with the FIU's Center for Advanced Distributed Systems Engineering (CADSE), conducting research on engineering access control for distributed enterprise applications. He also worked on distributed DBMS development at High Performance Database Research Center at FIU, where he received a M.S. in Computer Science in 1997. Dr. Beznosov's prior work on applying CORBA Security architecture to computerized medical records at Baptist Health Systems of South Florida laid the foundation for the OMG standard on Resource Access Decision (RAD) Facility. He actively participated in standardization of security-related OMGs specifications (CORBA Security, RAD, SDMM) from 1997 to 2001, and was a co-chair of the Security SIG. Dr. Beznosov has served on program committees of SACMAT and DOCSec. Having published various research papers on security engineering, he is a co-author of "Enterprise Security with EJB and CORBA" and "Mastering Web Services Security" by Wiley Computer Publishing, and a contributor to the "Handbook of Software Engineering and Knowledge Engineering" by World Scientific Publishing.