A novel Security-by-Design methodology: Modeling and assessing security by SLAs with a quantitative approach

Recent software development methodologies, as DevOps or Agile, are very popular and widely used, especially for the development of cloud services and applications. They dramatically reduce the time-to-market of developed software but, at the same time, they can be hardly integrated with security design and risk management methodologies. These cannot be easily automated and require big economic investments, due to the necessity of security experts in the development team and to the lack of automatic tools to evaluate risk and to assess security in the design and operation phases. This paper presents a novel Security-by-Design methodology based on Security Service Level Agreements (SLAs), which can be integrated within modern development processes and that is able to support the risk management life-cycle in an almost-completely automated way. In particular, it relies upon a guided risk analysis process and a completely automated security assessment phase, which enable to assess the security properties granted by a cloud application and to report them in a Security SLA. We validated the proposed methodology with respect to a real case study, which showed its effectiveness in improving the awareness of designer and developer teams on security aspects and in reducing the secure design process time.