Authors: Sri Lakshmi Kanniah, Mohd Naz’ri Mahrin

Abstract:

More and more businesses and services are depending on software to run their daily operations and business services. At the same time, cyber-attacks are becoming more covert and sophisticated, posing threats to software. Vulnerabilities exist in the software due to the lack of security practices during the phases of software development. Implementation of secure software development practices can improve the resistance to attacks. Many methods, models and standards for secure software development have been developed. However, despite the efforts, they still come up against difficulties in their deployment and the processes are not institutionalized. There is a set of factors that influence the successful deployment of secure software development processes. In this study, the methodology and results from a systematic literature review of factors influencing the implementation of secure software development practices is described. A total of 44 primary studies were analysed as a result of the systematic review. As a result of the study, a list of twenty factors has been identified. Some of factors that affect implementation of secure software development practices are: Involvement of the security expert, integration between security and development team, developer’s skill and expertise, development time and communication between stakeholders. The factors were further classified into four categories which are institutional context, people and action, project content and system development process. The results obtained show that it is important to take into account organizational, technical and people issues in order to implement secure software development initiatives.

Keywords: Secure software development, software development, software security, systematic literature review.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1127256

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 2410

References:

[1] Shuaibu, B.M., et al., Systematic review of web application security development model. Artificial Intelligence Review, 2013: p. 1-18.
[2] WhiteHat, Web Applications Security Statistics Report 2016. 2016.
[3] Viega, J. and G. McGraw, Building secure software: how to avoid security problems the right way. 2001: Pearson Education.
[4] Keele, S., Guidelines for performing systematic literature reviews in software engineering. 2007, Technical report, EBSE Technical Report EBSE-2007-01.
[5] Goertzel, K.M. and T. Winograd, Enhancing the development life cycle to produce secure software. Technology Analysis Center (IATAC), USA, October, 2008.
[6] Flechais, I., C. Mascolo, and M.A. Sasse, Integrating security and usability into the requirements and design process. International Journal of Electronic Security and Digital Forensics, 2007. 1(1): p. 12-26.
[7] Sodiya, A.S., S.A. Onashoga, and O.B. Ajayi, Towards building secure software systems. Issues in Informing Science and Information Technology, 2006. 3.
[8] Viega, J., Security in the Software Development Lifecycle: An introduction to CLASP, the Comprehensive Lightweight Application Security Process. Secure Software, Inc., McLean, Virginia, USA, White Paper, 2005.
[9] De Win, B., et al., On the secure software development process: CLASP, SDL and Touchpoints compared. Information and software technology, 2009. 51(7): p. 1152-1171.
[10] Lipner, S. The trustworthy computing security development lifecycle. in Computer Security Applications Conference, 2004. 20th Annual. 2004. IEEE.
[11] Chess, B. and B. Arkin, Software Security in Practice. Security & Privacy, IEEE, 2011. 9(2): p. 89-92.
[12] Marback, A., et al., A threat model-based approach to security testing. Software: Practice and Experience, 2013. 43(2): p. 241-258.
[13] Jones, R.L. and A. Rastogi, Secure Coding: Building Security into the Software Development Life Cycle. Information Systems Security, 2004. 13(5): p. 29-39.
[14] Hein, D. and H. Saiedian, Secure Software Engineering: Learning from the Past to Address Future Challenges. Information Security Journal: A Global Perspective, 2009. 18(1): p. 8-25.
[15] Allen, J., Why is Security a Software Issue?, in EDPACS. 2007, Taylor & Francis. p. 1-13.
[16] Mouratidis, H., P. Giorgini, and G. Manson, Integrating Security and Systems Engineering: Towards the Modelling of Secure Information Systems, in Advanced Information Systems Engineering, J. Eder and M. Missikoff, Editors. 2003, Springer Berlin Heidelberg. p. 63-78.
[17] Baca, D., et al. Static Code Analysis to Detect Software Security Vulnerabilities - Does Experience Matter? in Availability, Reliability and Security, 2009. ARES '09. International Conference on. 2009.
[18] Okubo, T., H. Kaiya, and N. Yoshioka. Mutual Refinement of Security Requirements and Architecture Using Twin Peaks Model. in Computer Software and Applications Conference Workshops (COMPSACW), 2012 IEEE 36th Annual. 2012.
[19] Xie, J., B. Chu, and H. Richter Lipford, Idea: Interactive Support for Secure Software Development, in Engineering Secure Software and Systems, Ú. Erlingsson, R. Wieringa, and N. Zannone, Editors. 2011, Springer Berlin Heidelberg. p. 248-255.
[20] Mockel, C. and A.E. Abdallah. Threat modeling approaches and tools for securing architectural designs of an e-banking application. in Information Assurance and Security (IAS), 2010 Sixth International Conference on. 2010.
[21] Haron, G.R. and S. Ng Kang. Extrapolating security requirements to an established software process: Version 1.0. in Internet Technology and Secured Transactions (ICITST), 2011 International Conference for. 2011.
[22] Colley, J., Why Secure Coding is not Enough: Professionals’ Perspective, in ISSE 2009 Securing Electronic Business Processes, N. Pohlmann, H. Reimer, and W. Schneider, Editors. 2010, Vieweg+Teubner. p. 302-311.
[23] Payne, J., Integrating Application Security into Software Development. IT Professional, 2010. 12(2): p. 6-9.
[24] Davis, N., et al., Processes for producing secure software. Security & Privacy, IEEE, 2004. 2(3): p. 18-25.
[25] Jain, S. and M. Ingle. Techno-management view of Secured Software Development. in Software Engineering (CONSEG), 2012 CSI Sixth International Conference on. 2012.
[26] Raghavan, V.V. and X. Zhang. Building security in during information systems development. in 15th Americas Conference on Information Systems 2009, AMCIS 2009. 2009. San Francisco, CA.
[27] Bartsch, S. Practitioners' Perspectives on Security in Agile Development. in Availability, Reliability and Security (ARES), 2011 Sixth International Conference on. 2011.
[28] Mitropoulos, D., et al., Countering code injection attacks: A unified approach. Information Management and Computer Security, 2011. 19(3): p. 177-194.
[29] Chand, P., Building India as the Destination for Secure Software Development – Next Wave of Opportunities for the ICT Industry, in Information Systems Security, S. Jajodia and C. Mazumdar, Editors. 2005, Springer Berlin Heidelberg. p. 49-65.
[30] Knauss, E., et al., Supporting Requirements Engineers in Recognising Security Issues, in Requirements Engineering: Foundation for Software Quality, D. Berry and X. Franch, Editors. 2011, Springer Berlin Heidelberg. p. 4-18.
[31] Kleidermacher, D. and M. Wolf. Using static analysis to improve communications infrastructure. in Digital Avionics Systems Conference, 2008. DASC 2008. IEEE/AIAA 27th. 2008.
[32] Wurster, G. and P.C.v. Oorschot, The developer is the enemy, in Proceedings of the 2008 workshop on New security paradigms. 2008, ACM: Lake Tahoe, California, USA. p. 89-97.
[33] Witschey, J., S. Xiao, and E. Murphy-Hill, Technical and Personal Factors Influencing Developers' Adoption of Security Tools, in Proceedings of the 2014 ACM Workshop on Security Information Workers. 2014, ACM: Scottsdale, Arizona, USA. p. 23-26.
[34] Byers, D. and N. Shahmehri. Design of a Process for Software Security. in Availability, Reliability and Security, 2007. ARES 2007. The Second International Conference on. 2007.
[35] Jing, X., H.R. Lipford, and C. Bill. Why do programmers make security errors? in Visual Languages and Human-Centric Computing (VL/HCC), 2011 IEEE Symposium on. 2011.
[36] Zia, T.A. and A. Rizvi. Source Code EMbedded (SCEM) security framework. in 9th Australian Information Security Management Conference, AISM. 2011. Perth, WA.
[37] Guan, H., et al., Environment-Driven Threats Elicitation for Web Applications, in Agent and Multi-Agent Systems: Technologies and Applications, J. O’Shea, et al., Editors. 2011, Springer Berlin Heidelberg. p. 291-300.
[38] Zuccato, A., N. Daniels, and C. Jampathom. Service Security Requirement Profiles for Telecom: How Software Engineers May Tackle Security. in Availability, Reliability and Security (ARES), 2011 Sixth International Conference on. 2011.
[39] Geer, D., Are Companies Actually Using Secure Development Life Cycles? Computer, 2010. 43(6): p. 12-16.
[40] Schneider, K., et al., Enhancing security requirements engineering by organizational learning. Requirements Engineering, 2012. 17(1): p. 35-56.
[41] Teodoro, N. and C. Serrão. Web application security: Improving critical web-based applications quality through in-depth security analysis. in International Conference on Information Society, i-Society 2011. 2011. London.
[42] Abramov, J., et al., A methodology for integrating access control policies within database development. Computers & Security, 2012. 31(3): p. 299-314.
[43] Alkussayer, A. and W. Allen, The ISDF Framework: Integrating Security Patterns and Best Practices, in Advances in Information Security and Its Application, J. Park, et al., Editors. 2009, Springer Berlin Heidelberg. p. 17-28.
[44] Bonver, E. and M. Cohen, Developing and Retaining a Security Testing Mindset. Security & Privacy, IEEE, 2008. 6(5): p. 82-85.
[45] Riaz, M., et al., Using templates to elicit implied security requirements from functional requirements - a controlled experiment, in Proceedings of the 8th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement. 2014, ACM: Torino, Italy. p. 1-10.
[46] Okubo, T. and H. Tanaka, Web security patterns for analysis and design, in Proceedings of the 15th Conference on Pattern Languages of Programs. 2008, ACM: Nashville, Tennessee, USA. p. 1-13.
[47] Diamant, J., Resilient Security Architecture: A Complementary Approach to Reducing Vulnerabilities. Security & Privacy, IEEE, 2011. 9(4): p. 80-84.
[48] Ma, Z., et al., Model-driven secure development lifecycle. International Journal of Security and its Applications, 2012. 6(2): p. 443-448.
[49] Zhu, J., et al., Mitigating Access Control Vulnerabilities through Interactive Static Analysis, in Proceedings of the 20th ACM Symposium on Access Control Models and Technologies. 2015, ACM: Vienna, Austria. p. 199-209.
[50] Karpati, P., G. Sindre, and A. Opdahl, Visualizing Cyber Attacks with Misuse Case Maps, in Requirements Engineering: Foundation for Software Quality, R. Wieringa and A. Persson, Editors. 2010, Springer Berlin Heidelberg. p. 262-275.
[51] Glisson, W.B. and R. Welland. Web development evolution: the assimilation of Web engineering security. in Web Congress, 2005. LA-WEB 2005. Third Latin American. 2005.
[52] Díaz, G. and J.R. Bermejo, Static analysis of source code security: Assessment of tools against SAMATE tests. Information and Software Technology, 2013. 55(8): p. 1462-1476.
[53] Salini, P. and S. Kanmani, Model Oriented Security Requirements Engineering (MOSRE) framework for web applications, in 2nd International Conference on Advances in Computing and Information Technology, ACITY 2012. 2013: Chennai. p. 341-353.
[54] McLeod, L. and S.G. MacDonell, Factors that affect software systems development project outcomes: A survey of research. ACM Computing Surveys (CSUR), 2011. 43(4): p. 24.
[55] Hossain, E., M.A. Babar, and H.-y. Paik. Using scrum in global software development: a systematic literature review. in 2009 Fourth IEEE International Conference on Global Software Engineering. 2009. Ieee.
[56] Xie, J., H.R. Lipford, and B. Chu. Evaluating interactive support for secure programming. in 30th ACM Conference on Human Factors in Computing Systems, CHI 2012. 2012. Austin, TX.