Incorporating Artificial Intelligence Technique into DSDM Javeria Jabeen1, Yasir Hafeez Motla2, Mateen Ahmed Abbasi3, Dur-e-Benish Batool4, Rahil Butt5, Sana Nazir6 & Syeda Ayesha Anwer7 University Institute of Information Technology PMAS Arid Agriculture University Rawalpindi, Pakistan
[email protected],
[email protected],
[email protected],
[email protected],
[email protected] &
[email protected]
Abstract— Dynamic System Development Method has been criticized because of absence security practices in its phases. The key objective is proposed the secure software development framework. CBR-DSDM model had proposed in this paper to cover the security in an entire development life cycle of DSDM phases from the beginning to final phase. This paper proposes a way to map security activities into the dynamic system development method. A Case based reasoning technique is used for maintaining security requirement repository. The main purpose of this research is to fill the gap by integrating security into DSDM phases and maintaining its agility. Our model is evaluated using publish case study. For the Assessment of CBRDSDM used the control experiment and expert review evaluation methods. Keywords— Dynamic system development method, Security, Agile methodology, Case based reasoning.
I. INTRODUCTION Software development process is defined as “A software process is a set of activities that leads to the production of a software product”. The software development life cycle has many activities, but most fundamental are these Specification, design, implementation, validation and maintenance. SDLC is a model that defines task performed at each step of software development [1]. Many software process models are waterfall, V Model, Spiral model, Agile. Every software process model has unique features and shortcomings. Now a day agile is mostly used. Agile is a software development method based on iterative and incremental development [2]. Agile has many methodologies such as extreme programming, Dynamic system development method, Scrum, Feature Driven Development etc. Dynamic system development Method (DSDM) is the agile methodology for software development and it mainly focus on the information system project which have a tight schedule and fixed cost. DSDM is iterative and incremental development approach [3]. In CBR-DSDM model security incorporate into the phases of the Dynamic system development method. In general, one of the most important reasons why the agile methods ignore security issue of software may come from the misconception that security delays development process. However, this leads to the negligence of the security issues in the final product. Besides,
security is treated as an Add-on feature and not part of design. Ultimately, resultant is found in the security-bugs and hence, Quality may not be achieved / as desired. Paper is divided into five sections in this section give an introduction and overview of DSDM, Artificial intelligence technique. In the second section give related work. In 3rd section discuss is based on the proposed framework. In the 4th section evaluate the proposed framework using expert review, control experiment, case study and discuss about the result. The last section describes the conclusion and future work. A. Dynamic System Development Method (DSDM) Dynamic system development method was introduced in 1995. DSDM focus on the management of the project. DSDM has many versions and latest version is DSDM Atern. DSDM is agile methodology it adjust the functionality of the system according to the available time, quality and resources [4]. DSDM is based upon Rapid Application Development (RAD) and it is one of agile software development methodology is DSDM is de facto standard agile methodology delivers the project on time, within budget and meet the user needs. It is well documented methodology as compare to other agile methodology. DSDM support multiple teams on one project and better perform when less number of members in teams. DSDM support all type and size of the organization or project. DSDM involve user in all phases. DSDM has 3 phases pre project, project life cycle, post project. Project life cycle has five phases. DSDM project life cycle has five phases first two phases are sequential and other 3 phases are iterative and incremental [5][6].
Fig. 1. Dynamic System Development Method Atern
1) Pre Project: In this phase stakeholder of the project are identified and funding is finalized and commitment is confirmed [7]. 2) Project life cycle: a) Feasibility: Dynamic system development method is right methodology for development or not. Feasibility report is the output of this phase. b) Foundations: Determines project resources, outlines system architecture and prioritizes high level requirements of the system. c) Exploration: Develops functional prototypes according to the functional model and develops other artifacts which are necessary for functionality [8]. d) Engineering: Creates a design prototype which is handed to the user for daily use and feedback. e) Deployment: Trains user, system implements in operational environment and deliver system. 3) Post project: In this phase it’s ensured that system perform effectively in the operational environment. DSDM has iterative nature and mostly project not complete in one cycle due to iterative nature product goes back to the previous phase in this way product refined [7]. B. Artificial Intelligence (AI) AI is an area of computer science that focuses on making intelligent machines that work as a human being. Machine learning and robotics are main fields of AI. AI has many techniques; each technique has its own characteristics, its own strengths and weaknesses. AI techniques are CBR (Case based reasoning), Genetic algorithms, fuzzy models, rule based system, hybrid systems etc. Case based reasoning is the AI technique which solves problem using previous solution/cases. CBR solves problems using four types of cases Retrieve, reuse, revise, and retain. If current problem is matched with previous problem which is stored in the case base repository with a well-known solution, then we retrieve the most similar case and reuse the solution of previous case to solve current problem. If we retrieve case but cases are similar in some situation then revise the case. Its mean changes in that case and in the end saves the updated case into repository is called retain case [9]. II. RELATED WORK The main difference between DSDM and RAD is that both the approaches are testing of the applications. RAD testing is done at the end of iteration but in DSDM testing is performed during the whole life cycle. Main weakness of DSDM is lack of quality because it delivers the product fast. An error in the system exists but doesn’t affect the user if changes made in the product latter [10]. Dynamic system development method provides the framework for developing and maintaining the software, delivers the project with in time and budget. Systematic literature review of Dynamic system development method (DSDM) proves that the Dynamic system development method has not any phases which focus on the security and no
research on the developing secure software using DSDM. In agile success is measure on the basis of functionality of the system but don’t give importance to the security [11]. SQUARE DSDM provides secure software development because it incorporates security to the quality requirement engineering (SQUARE) into DSDM. SQUARE methodology has nine practices and all of the fit into the first two phases of the DSDM. Main drawback of this process model is it provides security in the initial phase of the system (Requirement) its practices are not felt into the other phases of the DSDM [12]. CB-RCM model incorporate CBR into Requirement change management model. RCM cases are store into the case base repository. CBR solves problem using four types of cases retrieve, reuse, revise, retain. Its effect on the cost and time and maintain history [13]. Introduce security into Feature Driven Development (FDD) it’s improved the result and not affect the agility nature of FDD. Secure feature Driven Development (SFDD) is expending FDD using relationship between security principle and security. For achieving security, new phases and sub phases are defined in the existing FDD. SFDD is evaluated using case study its prove that it is a better approach for secure software development and introduce a new role of security master which give knowledge of security to the stakeholders [14]. AI ant and software engineering are the important areas of the computer science and each field has unique and different features, strengths and drawbacks. In this paper give the knowledge of the incorporate Artificial intelligence technique into Software Engineering and software engineering good practices into AI both reduce the limitations and give better result [15]. Software Requirements Specifications (SRS) is documentation of a customer’s system requirements. Main focuses on the quality of the SRS. The Software Quality Assurance (SQA) audit technique is used in this paper to determine whether or not the required standards within SRS. The proposed online quality analysis system ensures that software requirements are complete, consistent, and correct. The Case-Based Reasoning (CBR) technique is used to evaluate the requirements quality by referring to previously stored software requirements quality analysis cases (past experiences) [16]. Hybrid model which introduces AI technique into agile software development practices. CBR solve problem using four types of cases Retrieve, reuse, revise, retain. Its result shows that agile reduce cost and time. Show that incorporating Artificial intelligence technique (CBR) into agile give better result [17]. III. PROPOSED FRAMEWORK In this section we discussed about the proposed framework (CBR-DSDM). CBR-DSDM has been supported by using two sub sections such as security requirement elicitation and security cases repository.
A. CBR-DSDM CBR-DSDM is a secure software development model. It’s shown in the figure 2. Red color shows business activities and blue color reflects management activities and green color shows evolving and delivering the solution activities. 1) Pre-Project: In this phase commencement of the project is confirmed. Project funding is realized on agreeing with the term of reference for work. Term of reference is also defined as a project charter. Objective, Scope and deliverable of the project are defined. 2) Project life cycle a) Feasibility: In this phases recognize the profit achieved after delivery of the project. Mostly it is a short phase and assessed the suitability of DSDM. Feasibility phase ensures that proposed project is feasible from a business and technical perspective. In the short project feasibility study and foundation study are same. In DSDM is necessary if DSDM is not suitable the project then you should stop the project and stop as early as possible. Outline plan provides an overview of possible approaches for delivery, including plans for finding the solution and project management. Outline plan provides detailed planning for foundation phase, clearly declaring the scope and objective of the project. b) Foundation: In these phases high level requirements are baseline, ensuring that the project is understood and business cases are identified. Foundation phase emphasis on three vital perspectives of business, solution and management provide clear project focus. Focus on designing the solution architecture and how quality product achieved. Using Workshop techniques different stakeholders come together and discuss the proposed system. Timeboxing technique is used to deliver the project on time, within budget and quality product. Business foundation provides information about business and that needs to be understood by all stakeholders before the development of the project begins. The requirements are prioritized using MoSCoW technique. MoSCoW means important things are done first. MoSCoW stands for Must have, Should have Could have and Won’t have this time. Must have vital for success and 60% must have in the project. For must have purpose ask one question “if you do not get this, should we still continue the project?”. If the answer is yes - it is NOT a must-have. Should have and could have provided remaining 40%efforts. Project complete without could have requirement. Won’t have this time mean leave the requirement fulfill in the later iteration. Security requirements gather using a security requiremnet elicitation model. It explain in the security requiremnet elicitaion sub section. Security requirement also prioritizes in this phase. Solution foundation provides information about solution. Solution foundation consists of system architecture definition and solution prototype. System architecture definition is blue print of the system and architecture depends on the requirements of the system. It provides high level description
of the architecture of that solution.Solution prototype show solution how it finally work and passed from foundation phase to exploration phase for further developed into final solution. The management foundation describes how Atern practices and techniques will apply to ensure management of the project. In management, assign roles and responsibilities, empowerment of team and reporting. Delivery Plan refines and elaborate the schedule described in outline plan. Its discuss schedule of timeboxes and incremental nature of the project. c) Exploration and Engineering: Exploration phase iteratively and incrementally explores detailed business requirements and transform into a feasible solution. Demonstrate the functional solution meet the business needs. Business Area definition and System architecture definition are transformed into models that describe how the solution works. Engineering phase refines the solution of the exploration phase to meet the agree acceptance criteria. It is iterative and incremental phase where the solution is to be engineered and support the solution to the operational environment. In this phase mostly focus on the non-functional requirement and validate the business purpose from functional requirement perspective. Iterative development cycle phases are identify, plan, evolve and review. In identify phase project team agree on objective of what is being develop in this increment. In plan phase team work out what is needs to be done by whom to meet the current objective. Timebox plan elaborates the objective for each development timebox in delivery plan. In evolving phase plan activities take place in agreed timescale. Timebox technique is used for deliver the activities with in time. In the review phase ensure that objective has been achieved. d) Exploration and Engineering with security: In phase security issues are mapped so that it will protected against any vulnerabilities. Identify security design: In this sub phase pinpoint the vulnerable module and functional, nonfunctional requirement need to be tested in combination with the security requirement. Plan Security: In this phase when and how these security requirements are realized. Evolve security: In this phase create system handed to the end user for daily use and getting feedback. Review security: In this phase complete system will be reviewed then test records and user comments are saved and vulnerable modules will be identified. So that developer can implement security in the deployment phase. e) Deployment: The key focus of Deployment phase is to get the solution into the operational environment. Implementation of the system with security is a vital phase in CBR-DSDM. Integrate security into DSDM make sure that develop project are secure. Train the end user how to use system with respect to security and provide documentation. User approval is necessary for implementation of the system. Review overall project performance, according to business and technical perspective. Project assessment is done at the end.
Fig. 2. CBR-DSDM
3) Post Project: Post project is last stage of the DSDM life cycle in this phases which is measure the effectiveness of the delivered system. Business values are used to measure the performance of the project. Assessment of the project starts after some time of hand over the system. B. Security Requirement Elicitation Preliminary functional requirements artifacts are used as inputs and draft security requirements as output. These documents can be draft software requirements specifications (SRS), requests for proposals (RFP’s), or other requirements specification documents that will be used to generate the final software requirements specification. Discovered security terminology and the location within the requirements artifacts are tagged for additional review. Using Security cases repository (CBR) retrieve the case from a database if new case and retrieve case are similar in this way we reuse the case and directly write security requirement. In reuse case the first match security term of the new case exists in the repository. If yes, then match functional requirement of the retrieve case and new case. If they match then take security requirement from repository. In this way we save time and budget. The text mining technique is used to retrieve the cases from the repository. It’s helpful in matching the cases. If retrieve case and new case was not match, then we revise the case and in the last we retain the security requirement. In the revise case all artifacts are tagged, the requirements engineer reviews the requirements artifacts and identifies candidate security objectives. Candidate security objectives identified from the previous activity are used as input for the categorize activity. The requirements engineer and business stakeholders work together to review all requirements artifacts that have tagged candidate security objective. Interactive meetings will likely
be the most efficient, but virtual document review can also take place. Prior to the meetings, the requirements engineer can assess the goals for quick categorization to facilitate efficient communications. Business stakeholders should be educated on general security principles prior to the meeting. During this activity, each security objective is categorized based on a security principle in order to facilitate additional stakeholder elicitation. Each candidate security objective should be categorized with at least one security principle. Reject the candidate security objective, if its objective is not categorized in security principle. Security principles are confidentiality, integrity and availability. The more security principle is also defined. The output of this step is achievement of the security requirement. Security requirements are prioritized in foundation phase of DSDM. For prioritization MoSCoW technique use the letters stands for: Must Have, Should Have, Could Have and Won’t Have this time. The security requirement elicitation steps and model are shown in table 1 and figure 3. TABLE 1. SECURITY REQUIREMENT ELICITATION STEPS Functional FR-1.Malicious requests are detected and Requirements rejected, FR-2.Malicious requests are identified and acted upon Security Term Malicious Candidate Security The system shall identify, detect and determine Objectives appropriate responses to malicious requests Security Principles Security Requirement
SP1, SP2 The system shall protect the confidentiality and integrity of data by identifying, detecting and rejecting malicious requests using access control policies.
Fig. 3. Security Requirement Elicitation Model
C. Security Cases Repositry The security requirement elicitation approach relies on the security cases repository. The security cases repository is a database repository which saves the record of the Software (functional) requirement and their security requirement. In the security requirement two important points are its security term and its principle. In security cases repository also maintains artifact information. Fig. 4 Show the Security Cases Repository. Key symbol shows the primary key (PK).
TABLE 2. SECURITY TERMS Security Terms Security Login Authentication Encryption Malicious Password
2) Security Principle Entity: Attribute of the security Principle entity are PrincipleID(PK), Principle and its description. Security principles are confidentiality, integrity, availability. More security principles are defined as well. Principle ID SP1 SP2 SP3
Fig. 4. Security Cases Repository
1) Security Terminology Entity: Attributes of the security terminology entity are terminologyID, Security Term; Security Term Description. TerminologyID is primary key of table. Table 2 show the security terms and more security terms save with timeNumber equations consecutively.
TABLE 3. SECURITY PRINCIPLES Principles Description Confidentiality Information should be secret and authorized person access and receive its information Integrity Unauthorized modification of information Availability Objectives to ensure that information is readily accessible to authorized users.
3) Requirements Arifacts Entity: Attribute of a requirements Arificts entity is ArtifactID (PK), Artifact Name, Artifact Description. Discovered security terminology and the location within the requirements artifacts are tagged for additional review. 4) Security Requirement Entity: Attribute of security Requirement entity is secReqID (PK), TermpricipleID, SecReq Description and Articat ID. SeqReq description contains a security requirement that is generated during the elicitation process. 5) Software Requirement Entity: Attribute of Software Requirement entity are Software Req ID(PK) and SeqReqID(Seconadr Key). The entity relates newly generated security requirement to the software requirement specification Artifact.
IV. EVALUATION A. Control Experiment Control experiment is defined as a research method that is chosen for evaluation and validation of the proposed model. Two teams of students T1, T2 from public sector university Z are taken. Each group develops a web based system. T1 develop Hospital management Information System(HMIS), T2 develops a Residential Reservation System for university X. HMIS has three modules Patient Panel, Admin Panel, Lab test management and Residential Reservation System also have three modules profile package, quota package and reservation package. Complexity and nature of the both systems are almost same. Team TI uses DSDM and T2 use CBR-DSDM. Before the start of the development, conduct a workshop to introduce agile, especially DSDM, its values, knowledge about security and the proposed model. Each team had 6 members that is composed of developer, designer and tester. Duration of the case study was 3 weeks. The total number of the iterations was 4. First two iterations were completed in one week and next two iterations in next two weeks. Software used for the documentation and development of the system were MS Office 2010, PHP programming language, dreamweaver software, my SQL database, mind maps and wampserver. After the usage of the models we take their opinion about the following factors maintain history, customer satisfaction, secure software development, impact on the cost and impact on time. We took their opinion about theses factor as they agree, partially agree and do not agree. The data culled from the case study and comparison shows that our proposed CBRDSDM framework is suitable for secure software development within budget. TABLE 4. CONTROL EXPERIMENT Parameters Customer satisfaction Secure Software Development Maintain History Impact on Time Impact on Cost
Team 1
B. Expert Reviews For the evaluation of our mod el we take the experts review of small structure organization. We present our model to the experts and ask about their reviews when they implement our model in their organization. According to the experts it is a better approach for software development. Security case repository (CBR) is used to maintain a repository and it helps in security requirement elicitation. If functional requirement of new case matches with the retrieving case requirement. In this way we save time and cost. The expert panel consists of 10 experts in which one is the project manager having 10 years of experience; two are team leaders having 6 and 5 years of experience respectively, one software engineer having 8 years of experience, two requirements engineer and one developer. Software architecture has 3 year of experience, requirement analyst and stakeholder. • Security Achieve: Using CBR-DSDM develops secure software. • Maintaining history: It provides a good technique to maintain the history of the security Requirement. • Customer satisfaction: Increases the customer satisfaction level. • Change impact on cost: Our model is helpful to reduce the cost of software development. • Impact on Time: Our model is helpful to build secure software with in time. Expert review answer taken in three options as agreed, partially agreed and not agreed. The results of the evaluation are shown in table 5 and graph of expert review about factor is shown in figure 6. TABLE 5. ASSESSMENT OF EXPERTS REVIEWS
Team 2
Agre e
Partially Agree
Not Agree
Agree
Partially Agree
Not Agree
4
1
1
4
2
0
1
3
2
4
2
0
0
0
6
5
1
0
4
1
1
3
2
1
3
2
1
4
2
0
Security Achieve
Maintain History
Customer Satisfaction
Impact on Cost
Impact on Time
Agreed
9
8
7
5
6
Partially Agreed
1
2
3
3
2
Not Agreed
0
0
0
2
2
Fig. 6. Assessment of Expert Reviews Fig. 5. Evaluation of Control Experiment
C.
CASE STUDY
Evaluation of our result and performance of proposed framework we developed database application software based on the underlying concept and applied on Published case study LIMS: Library Information management system. The case study has been selected from the publish paper [19]. Here we give the general overview of the library information management system user requirements and not discuss the each user requirements in detail. For demonstration purpose, we give the overview of the case study LIMS. Library members access LIMS using login, if anyone forget password, password will be sent on its email. Members reserve and issue the books. If reserved book was not issued` within two days then released automatically. System generates email automatically to the member to remind daily book return within 15 days and you have only 13 days. If not return within time then give Rs.50 fine per day. We developed a repository that is capable to capture different Security Requirement, security terms, software requirement, security principle and requirement Artifact description. The file was imported to our database software application and mapping process has been executed. In its first execution, all security requirements were extracted from user requirement documents. First map tag security terms to the keywords which are saved in repository, then map User Software Requirement to the repository Software Requirement. If match then directly write the store security requirement and if not then revise the solution and define it security requirement. This case study executes on the proposed framework and gives better result its accuracy is 89%. In this case study only two security requirement found and its Candidate security objective define below. Its associated security Principles and its security requirements also defined below. Candidate security objective (CSO) is define below CSO-1: The logon screen shall request user name and corresponding password. CSO-2: The authorized users get password using email and save in encrypted form. Its related Candidate Security Objective to its Security Principles. SP show security Principle. CSO-1: SP-2 CSO-2: SP-2 Final Security Requirements are given below.SR stands for Security requirements. SR-1: The system shall protect the integrity of data by requesting a user name and password prior to access. SR-2: The system shall protect confidentiality of user passwords by encrypting passwords and send on email. Case study graph is shown in the figure 7.
Fig.7. LIMS Results
CONCLUSION AND FUTURE WORK The objective behind this research is to use the Artificial Intelligence technique into Dynamic System development method. In this model case base reasoning (CBR) technique is used to maintain the repository for security requirement elicitation. Security requirements incorporate into initial phase of the DSDM and exploration and engineering phase also have security practices which provide security in model and design phase. In case of lack of technical know-how of security first give training of security knowledge, security Principles and security policies to software engineers, software developers and programmer and business stakeholder. One new role should be introduced for security purpose which helps them for understanding security and security requirement elicitation. However, the CBR-DSDM model we proposed in this paper cover the security in an entire development life cycle of DSDM phases from the beginning up to the final phase. CBRDSDM is evaluated using control experiment, expert review and case study. In future we will conduct more case studies of large scale organizations and also present a more detailed CBR-DSDM model. ACKNOWLEDGEMENT This research is partially supported by i-LaB Australia under The Technology for Humanity Project and Asia-Pacific World Congress on Computer Science and Engineering 2014. REFERENCES [1] I. Sommerville, “Introduction to software Engineering,” in Software Engineering, 9th ed. Addison-Wesley, 2010.
[2] C. Wallin and R. Land “Software Development Lifecycle Models the Basic Types,” 2002 [3]http://intra.iam.hva.nl/content/0708/propedeuse/ontwikkelmethoden_en_te chnieken/intro-en-materiaal/DSDM.pdf visited 24 March 2014. [4]History of DSDM | DSDM consortium available at http://www.dsdm.org/content/history-dsdm visited 3 May 2014. [5] A. Aitken and V. Ilango, “A Comparative Analysis of Traditional Software Engineering and Agile Software Development,” in 46th Hawaii Int. Conf. on System Science, 2013, pp. 4751–4760. [6] D. Tudor (2006) “PRINCE2 and DSDM: Why should I use both,[online]” Available FTP: www.tcc-net.com/articles/PRINCE2-and-DSDM File: PRINCE AND DSDM.pdf [7] J. Strickland, “Dynamic System Development Method,” in Simulation Conceptual Modeling, lulu, 2011, pp.145-170. [8] B. J. J. Voigt. (2004, January 20). Dynamic System Development Method [online]. Available: http://www.dynamic system development method. [9] R. L. D. Mántaras, “Retrieval , reuse , revision , and retention in casebased reasoning,” doi: 10.1017, 2005. [10] D. Gall,“Dynamic Systems Development Method and Rapid Application Development,” 2005. [11] A. Sani, “A Review on Software Development Security Engineering using Dynamic System Method ( DSDM ),” in Int. J. of Computer Applications, 2013, pp. 37–44. [12] N. R. Mead, “Incorporating Security Requirements Engineering into the Dynamic Systems Development Method,” 32 Annu. IEEE Int. Comput. Software Appicatl. Conf., Turku, 2008, pp. 949–954. [13] H. Naz, Y. Hafeez, S. Asghar and A. Khatoon “Effective usage of AI technique for requirement change management practices,” in 5th Int. Conf. on CSIT, 2013 pp. 121–125. [14] A. Firdaus, “Secure Feature Driven Development (SFDD) Model for Secure Software Development,” in Int. Conf. on Innovation, Management and Technology Research, Malaysia, 2014, pp. 546–553. [15] P. Jain, “Interaction between Software Engineering and Artificial Intelligence- A Review,” in Int. J. on Computer Science and Engineering (IJCSE), 2011, pp. 3774–3779. [16] H. M. Jani, “Applying Case-Based Reasoning to Software Requirements Specifications Quality Analysis System,” in Int. Conf. Software Engineering and Data Mining (SEDM), Chengdu, China, 2010, pp. 140– 144. [17] M. Mukhtar, Y. Hafeez, M. Riaz, M. A. Khan, M. Mehmood and A. Batool, “A Hybrid Model for Agile Practices Using Case Based Reasoning,” in 4th Int. Conf. on Software Engineering and Service Science (ICSESS), Beijing,, 2013, pp. 820–823. [18] S. Coyle and K. Conboy, “A Study of Risk Management in DSDM,” Springer-Verlag Berlin Heidelberg, 2009, pp. 142–148. [19] N. M. Minhas, "Controlled Vocabulary based Software Requirements Classification,” in 5th Malaysian Conference in Software Engineering (MySEC), IEEE, Johor Bahru, 2011, pp. 31 – 36.
