Documente Academic
Documente Profesional
Documente Cultură
DSDM
Javeria Jabeen1, Yasir Hafeez Motla2, Mateen Ahmed Abbasi3, Dur-e-Benish Batool4, Rahil Butt5, Sana Nazir6 &
Syeda Ayesha Anwer7
University Institute of Information Technology
PMAS Arid Agriculture University
Rawalpindi, Pakistan
javeria.jabeen@yahoo.com1, yasir@uaar.edu.pk2, mateenabbasi@msn.com3, benimalik@rocketmail.com4, rahil4u@gmail.com5 & sana_taurus5@yahoo.com6
Abstract— Dynamic System Development Method has been security is treated as an Add-on feature and not part of design.
criticized because of absence security practices in its phases. The Ultimately, resultant is found in the security-bugs and hence,
key objective is proposed the secure software development Quality may not be achieved / as desired.
framework. CBR-DSDM model had proposed in this paper to Paper is divided into five sections in this section give an
cover the security in an entire development life cycle of DSDM
introduction and overview of DSDM, Artificial intelligence
phases from the beginning to final phase. This paper proposes a
way to map security activities into the dynamic system technique. In the second section give related work. In 3rd
development method. A Case based reasoning technique is used section discuss is based on the proposed framework. In the 4th
for maintaining security requirement repository. The main section evaluate the proposed framework using expert review,
purpose of this research is to fill the gap by integrating security control experiment, case study and discuss about the result.
into DSDM phases and maintaining its agility. Our model is The last section describes the conclusion and future work.
evaluated using publish case study. For the Assessment of CBR-
DSDM used the control experiment and expert review evaluation A. Dynamic System Development Method (DSDM)
methods. Dynamic system development method was introduced in
1995. DSDM focus on the management of the project. DSDM
Keywords— Dynamic system development method, Security, has many versions and latest version is DSDM Atern. DSDM
Agile methodology, Case based reasoning.
is agile methodology it adjust the functionality of the system
according to the available time, quality and resources [4].
I. INTRODUCTION DSDM is based upon Rapid Application Development (RAD)
Software development process is defined as “A software and it is one of agile software development methodology is
process is a set of activities that leads to the production of a DSDM is de facto standard agile methodology delivers the
software product”. The software development life cycle has project on time, within budget and meet the user needs. It is
many activities, but most fundamental are these Specification, well documented methodology as compare to other agile
design, implementation, validation and maintenance. SDLC is methodology. DSDM support multiple teams on one project
a model that defines task performed at each step of software and better perform when less number of members in teams.
development [1]. Many software process models are waterfall, DSDM support all type and size of the organization or project.
V Model, Spiral model, Agile. Every software process model DSDM involve user in all phases. DSDM has 3 phases pre
has unique features and shortcomings. Now a day agile is project, project life cycle, post project. Project life cycle has
mostly used. Agile is a software development method based five phases. DSDM project life cycle has five phases first two
on iterative and incremental development [2]. Agile has many phases are sequential and other 3 phases are iterative and
methodologies such as extreme programming, Dynamic incremental [5][6].
system development method, Scrum, Feature Driven
Development etc. Dynamic system development Method
(DSDM) is the agile methodology for software development
and it mainly focus on the information system project which
have a tight schedule and fixed cost. DSDM is iterative and
incremental development approach [3]. In CBR-DSDM model
security incorporate into the phases of the Dynamic system
development method. In general, one of the most important
reasons why the agile methods ignore security issue of
software may come from the misconception that security
delays development process. However, this leads to the
negligence of the security issues in the final product. Besides, Fig. 1. Dynamic System Development Method Atern
1) Pre Project: In this phase stakeholder of the project are research on the developing secure software using DSDM. In
identified and funding is finalized and commitment is agile success is measure on the basis of functionality of the
confirmed [7]. system but don’t give importance to the security [11].
2) Project life cycle: SQUARE DSDM provides secure software development
a) Feasibility: Dynamic system development method is because it incorporates security to the quality requirement
right methodology for development or not. Feasibility report is engineering (SQUARE) into DSDM. SQUARE methodology
the output of this phase. has nine practices and all of the fit into the first two phases of
the DSDM. Main drawback of this process model is it
b) Foundations: Determines project resources, outlines
provides security in the initial phase of the system
system architecture and prioritizes high level requirements of
(Requirement) its practices are not felt into the other phases of
the system.
the DSDM [12].
c) Exploration: Develops functional prototypes
CB-RCM model incorporate CBR into Requirement
according to the functional model and develops other artifacts
change management model. RCM cases are store into the case
which are necessary for functionality [8].
base repository. CBR solves problem using four types of cases
d) Engineering: Creates a design prototype which is
retrieve, reuse, revise, retain. Its effect on the cost and time
handed to the user for daily use and feedback.
and maintain history [13].
e) Deployment: Trains user, system implements in
Introduce security into Feature Driven Development
operational environment and deliver system.
(FDD) it’s improved the result and not affect the agility nature
3) Post project: In this phase it’s ensured that system
of FDD. Secure feature Driven Development (SFDD) is
perform effectively in the operational environment. DSDM
expending FDD using relationship between security principle
has iterative nature and mostly project not complete in one
and security. For achieving security, new phases and sub
cycle due to iterative nature product goes back to the previous
phases are defined in the existing FDD. SFDD is evaluated
phase in this way product refined [7].
using case study its prove that it is a better approach for secure
software development and introduce a new role of security
B. Artificial Intelligence (AI)
master which give knowledge of security to the stakeholders
AI is an area of computer science that focuses on making
[14].
intelligent machines that work as a human being. Machine
AI ant and software engineering are the important areas of
learning and robotics are main fields of AI. AI has many
the computer science and each field has unique and different
techniques; each technique has its own characteristics, its own
features, strengths and drawbacks. In this paper give the
strengths and weaknesses. AI techniques are CBR (Case based
knowledge of the incorporate Artificial intelligence technique
reasoning), Genetic algorithms, fuzzy models, rule based
into Software Engineering and software engineering good
system, hybrid systems etc.
practices into AI both reduce the limitations and give better
Case based reasoning is the AI technique which solves
result [15].
problem using previous solution/cases. CBR solves problems
Software Requirements Specifications (SRS) is
using four types of cases Retrieve, reuse, revise, and retain. If
documentation of a customer’s system requirements. Main
current problem is matched with previous problem which is
focuses on the quality of the SRS. The Software Quality
stored in the case base repository with a well-known solution,
Assurance (SQA) audit technique is used in this paper to
then we retrieve the most similar case and reuse the solution of
determine whether or not the required standards within SRS.
previous case to solve current problem. If we retrieve case but
The proposed online quality analysis system ensures that
cases are similar in some situation then revise the case. Its
software requirements are complete, consistent, and correct.
mean changes in that case and in the end saves the updated
The Case-Based Reasoning (CBR) technique is used to
case into repository is called retain case [9].
evaluate the requirements quality by referring to previously
stored software requirements quality analysis cases (past
II. RELATED WORK experiences) [16].
Hybrid model which introduces AI technique into agile
The main difference between DSDM and RAD is that both the
software development practices. CBR solve problem using
approaches are testing of the applications. RAD testing is done
four types of cases Retrieve, reuse, revise, retain. Its result
at the end of iteration but in DSDM testing is performed
shows that agile reduce cost and time. Show that incorporating
during the whole life cycle. Main weakness of DSDM is lack
Artificial intelligence technique (CBR) into agile give better
of quality because it delivers the product fast. An error in the
result [17].
system exists but doesn’t affect the user if changes made in the
product latter [10].
Dynamic system development method provides the III. PROPOSED FRAMEWORK
framework for developing and maintaining the software, In this section we discussed about the proposed framework
delivers the project with in time and budget. Systematic (CBR-DSDM). CBR-DSDM has been supported by using two
literature review of Dynamic system development method sub sections such as security requirement elicitation and
(DSDM) proves that the Dynamic system development security cases repository.
method has not any phases which focus on the security and no
A. CBR-DSDM of the architecture of that solution.Solution prototype show
CBR-DSDM is a secure software development model. It’s solution how it finally work and passed from foundation phase
shown in the figure 2. Red color shows business activities and to exploration phase for further developed into final solution.
blue color reflects management activities and green color The management foundation describes how Atern practices
shows evolving and delivering the solution activities. and techniques will apply to ensure management of the
project. In management, assign roles and responsibilities,
1) Pre-Project: In this phase commencement of the empowerment of team and reporting. Delivery Plan refines
project is confirmed. Project funding is realized on agreeing and elaborate the schedule described in outline plan. Its
with the term of reference for work. Term of reference is also discuss schedule of timeboxes and incremental nature of the
defined as a project charter. Objective, Scope and deliverable project.
of the project are defined. c) Exploration and Engineering: Exploration phase
2) Project life cycle iteratively and incrementally explores detailed business
a) Feasibility: In this phases recognize the profit requirements and transform into a feasible solution.
achieved after delivery of the project. Mostly it is a short Demonstrate the functional solution meet the business needs.
phase and assessed the suitability of DSDM. Feasibility phase Business Area definition and System architecture definition
ensures that proposed project is feasible from a business and are transformed into models that describe how the solution
technical perspective. In the short project feasibility study and works. Engineering phase refines the solution of the
foundation study are same. In DSDM is necessary if DSDM is exploration phase to meet the agree acceptance criteria. It is
not suitable the project then you should stop the project and iterative and incremental phase where the solution is to be
stop as early as possible. Outline plan provides an overview of engineered and support the solution to the operational
possible approaches for delivery, including plans for finding environment. In this phase mostly focus on the non-functional
the solution and project management. Outline plan provides requirement and validate the business purpose from functional
detailed planning for foundation phase, clearly declaring the requirement perspective. Iterative development cycle phases
scope and objective of the project. are identify, plan, evolve and review. In identify phase project
team agree on objective of what is being develop in this
b) Foundation: In these phases high level requirements
increment. In plan phase team work out what is needs to be
are baseline, ensuring that the project is understood and
done by whom to meet the current objective. Timebox plan
business cases are identified. Foundation phase emphasis on
elaborates the objective for each development timebox in
three vital perspectives of business, solution and management
delivery plan. In evolving phase plan activities take place in
provide clear project focus. Focus on designing the solution
agreed timescale. Timebox technique is used for deliver the
architecture and how quality product achieved. Using
activities with in time. In the review phase ensure that
Workshop techniques different stakeholders come together
objective has been achieved.
and discuss the proposed system. Timeboxing technique is
used to deliver the project on time, within budget and quality d) Exploration and Engineering with security: In phase
product. Business foundation provides information about security issues are mapped so that it will protected against any
business and that needs to be understood by all stakeholders vulnerabilities. Identify security design: In this sub phase
before the development of the project begins. The pinpoint the vulnerable module and functional, nonfunctional
requirements are prioritized using MoSCoW technique. requirement need to be tested in combination with the security
MoSCoW means important things are done first. MoSCoW requirement. Plan Security: In this phase when and how these
stands for Must have, Should have Could have and Won’t security requirements are realized. Evolve security: In this
have this time. Must have vital for success and 60% must have phase create system handed to the end user for daily use and
in the project. For must have purpose ask one question “if you getting feedback. Review security: In this phase complete
do not get this, should we still continue the project?”. If the system will be reviewed then test records and user comments
answer is yes - it is NOT a must-have. Should have and could are saved and vulnerable modules will be identified. So that
have provided remaining 40%efforts. Project complete developer can implement security in the deployment phase.
without could have requirement. Won’t have this time mean e) Deployment: The key focus of Deployment phase is
leave the requirement fulfill in the later iteration. Security to get the solution into the operational environment.
requirements gather using a security requiremnet elicitation Implementation of the system with security is a vital phase in
model. It explain in the security requiremnet elicitaion sub CBR-DSDM. Integrate security into DSDM make sure that
section. Security requirement also prioritizes in this phase. develop project are secure. Train the end user how to use
Solution foundation provides information about solution. system with respect to security and provide documentation.
Solution foundation consists of system architecture definition User approval is necessary for implementation of the system.
and solution prototype. System architecture definition is blue Review overall project performance, according to business
print of the system and architecture depends on the and technical perspective. Project assessment is done at the
requirements of the system. It provides high level description end.
Fig. 2. CBR-DSDM
3) Post Project: Post project is last stage of the DSDM life be the most efficient, but virtual document review can also
cycle in this phases which is measure the effectiveness of the take place. Prior to the meetings, the requirements engineer
delivered system. Business values are used to measure the can assess the goals for quick categorization to facilitate
performance of the project. Assessment of the project starts efficient communications. Business stakeholders should be
after some time of hand over the system. educated on general security principles prior to the meeting.
During this activity, each security objective is categorized
B. Security Requirement Elicitation based on a security principle in order to facilitate additional
Preliminary functional requirements artifacts are used as stakeholder elicitation. Each candidate security objective
inputs and draft security requirements as output. These should be categorized with at least one security principle.
documents can be draft software requirements specifications Reject the candidate security objective, if its objective is not
(SRS), requests for proposals (RFP’s), or other requirements categorized in security principle. Security principles are
specification documents that will be used to generate the final confidentiality, integrity and availability. The more security
software requirements specification. Discovered security principle is also defined. The output of this step is
terminology and the location within the requirements artifacts achievement of the security requirement. Security
are tagged for additional review. Using Security cases requirements are prioritized in foundation phase of DSDM.
repository (CBR) retrieve the case from a database if new case For prioritization MoSCoW technique use the letters stands
and retrieve case are similar in this way we reuse the case and for: Must Have, Should Have, Could Have and Won’t Have
directly write security requirement. In reuse case the first this time. The security requirement elicitation steps and
match security term of the new case exists in the repository. If model are shown in table 1 and figure 3.
yes, then match functional requirement of the retrieve case and
new case. If they match then take security requirement from TABLE 1. SECURITY REQUIREMENT ELICITATION STEPS
repository. In this way we save time and budget. The text Functional FR-1.Malicious requests are detected and
Requirements rejected,
mining technique is used to retrieve the cases from the FR-2.Malicious requests are identified and
repository. It’s helpful in matching the cases. If retrieve case acted upon
and new case was not match, then we revise the case and in Security Term Malicious
the last we retain the security requirement. In the revise case Candidate Security The system shall identify, detect and determine
all artifacts are tagged, the requirements engineer reviews the Objectives appropriate responses to malicious requests
requirements artifacts and identifies candidate security
Security Principles SP1, SP2
objectives. Candidate security objectives identified from the
Security The system shall protect the confidentiality and
previous activity are used as input for the categorize activity. Requirement integrity of data by identifying, detecting and
The requirements engineer and business stakeholders work rejecting malicious requests using access
together to review all requirements artifacts that have tagged control policies.
candidate security objective. Interactive meetings will likely
Fig. 3. Security Requirement Elicitation Model
C. Security Cases Repositry TABLE 2. SECURITY TERMS
Security Terms
The security requirement elicitation approach relies on the
Security Login Authentication
security cases repository. The security cases repository is a Encryption Malicious Password
database repository which saves the record of the Software
(functional) requirement and their security requirement. In the
security requirement two important points are its security term 2) Security Principle Entity: Attribute of the security
and its principle. In security cases repository also maintains Principle entity are PrincipleID(PK), Principle and its
artifact information. Fig. 4 Show the Security Cases description. Security principles are confidentiality, integrity,
Repository. Key symbol shows the primary key (PK). availability. More security principles are defined as well.
REFERENCES