Meta-Modeling Based Secure Software Development Processes

2014 ◽  
Vol 5 (3) ◽  
pp. 56-74 ◽  
Author(s):  
Mehrez Essafi ◽  
Henda Ben Ghezala

This work suggests a multilevel support to software developers, who often lack knowledge and skills on how to proceed to develop secure software. In fact, developing software with such quality is a hard and complex task that involves many additional security-dedicated activities which are usually omitted in traditional software development lifecycles or integrated but not efficiently and appropriately deployed in some others. To federate all these software security-assurance activities in a structured way and provide the required guidelines for choosing and using them in a flexible development process, the authors used meta-modeling techniques and dynamic process execution that consider developer's affinities and product's states. The proposed approach formalizes existing secure software development processes, allows integration of new ones, prevents ad-hoc executions and is supported by a tool to facilitate its deployment. A case study is given here to exemplify the application of the proposed approach and to illustrate some of its advantages.


2022 ◽  
pp. 2050-2064
Author(s):  
Nana Assyne

Software growth has been explosive as people depend heavily on software on a daily basis. Software development is a human-intensive effort, and developers' competence in software security is essential for secure software development. In addition, ubiquitous computing provides an added complexity to software security. Studies have treated security competences of software developers as a subsidiary of security engineers' competence instead of software engineers' competence, limiting the full knowledge of the security competences of software developers. This presents a crucial challenge for developers, educators, and users to maintain developers' competences in security. As a first step in pushing for the developers' security competence studies, this chapter utilises a literature review to identify the security competences of software developers. Thirteen security competences of software developers were identified and mapped to the common body of knowledge for information security professional framework. Lastly, the implications for, with, and without the competences are analysed and presented.



Author(s):  
Sampada G.C ◽  
Tende Ivo Sake ◽  
Amrita

Background: With the advancement in the field of software development, software poses threats and risks to customers’ data and privacy. Most of these threats are persistent because security is mostly considered as a feature or a non-functional requirement, not taken into account during the software development life cycle (SDLC). Introduction: In order to evaluate the security performance of a software system, it is necessary to integrate the security metrics during the SDLC. The appropriate security metrics adopted for each phase of SDLC aid in defining the security goals and objectives of the software as well as quantifying the security in the software. Methods: This paper presents a systematic review and catalog of security metrics that can be adopted during the distinguishable phases of SDLC, security metrics for vulnerability and risk assessment reported in the literature for secure development of software. The practices of these metrics enable software security experts to improve the security characteristics of the software being developed. The critical analysis of security metrics of each phase and their comparison are also discussed. Results: Security metrics obtained during the development processes help to improve the confidentiality, integrity, and availability of software. Hence, it is imperative to consider security during the development of the software, which can be done with the use of software security metrics. Conclusion: This paper reviews the various security metrics that are meditated in the copious phases during the progression of the SDLC in order to provide researchers and practitioners with substantial knowledge for adaptation and further security assessment.


2014 ◽  
Vol 5 (4) ◽  
pp. 31-47 ◽  
Author(s):  
Annette Tetmeyer ◽  
Daniel Hein ◽  
Hossein Saiedian

While software security has become an expectation, stakeholders often have difficulty expressing such expectations. Elaborate (and expensive) frameworks to identify, analyze, validate and incorporate security requirements for large software systems (and organizations) have been proposed; however, small organizations working within short development lifecycles and minimal resources cannot justify such frameworks and often need a light and practical approach to security requirements engineering that can be easily integrated into their existing development processes. This work presents an approach for eliciting, analyzing, prioritizing and developing security requirements which can be integrated into existing software development lifecycles for small organizations. The approach is based on identifying candidate security goals using part of speech (POS) tagging, categorizing security goals based on canonical security definitions, and understanding the stakeholder goals to develop preliminary security requirements and to prioritize them. It uses a case study to validate the feasibility and effectiveness of the proposed approach.


Author(s):  
José Fonseca ◽  
Marco Vieira

This chapter presents a survey on the most relevant software development practices that are used nowadays to build software products for the web, with security built in. It starts by presenting three of the most relevant Secure Software Development Lifecycles, which are complete solutions that can be adopted by development companies: the CLASP, the Microsoft Secure Development Lifecycle, and the Software Security Touchpoints. However, it is not always feasible to change ongoing projects or replace the methodology in place. So, this chapter also discusses other relevant initiatives that can be integrated into existing development practices, which can be used to build and maintain safer software products: the OpenSAMM, the BSIMM, the SAFECode, and the Securosis. The main features of these security development proposals are also compared according to their highlights and the goals of the target software product.


Author(s):  
Atsuo Hazeyama ◽  
Masahito Saito ◽  
Nobukazu Yoshioka ◽  
Azusa Kumagai ◽  
Takanori Kobashi ◽  
...  


2015 ◽  
Vol 60 ◽  
pp. 1092-1100 ◽  
Author(s):  
Masahito Saito ◽  
Atsuo Hazeyama ◽  
Nobukazu Yoshioka ◽  
Takanori Kobashi ◽  
Hironori Washizaki ◽  
...  

2016 ◽  
Vol 7 (1) ◽  
pp. 38-52 ◽  
Author(s):  
Pekka Pietikäinen ◽  
Atte Kettunen ◽  
Juha Röning

Including and automating secure software development activities into agile development processes is challenging. Fuzz testing is a practical method for finding vulnerabilities in software, but has some characteristics that do not directly map to existing processes. The main challenge is that fuzzing needs to continue to show value while requiring minimal effort. The authors present experiences and practical ways to utilize fuzzing in software development, and generic ways for developers to keep security in mind.

