Global software development (GSD) is rapidly becoming standard practice in the software industry due to its many potential benefits. However, one of the biggest challenges in GSD projects is to explicitly include security in the different phases of the global software development life cycle (GSDLC). To make GSD projects secure and successful, it is necessary to identify secure software development (SSD) practices vital to GSD project success. This article aims to identify SSD practices critical for GSD projects. To do this, we selected 36 security practices vital to the security of non-GSD projects from existing scientific and grey literature on software security. From the identified security practices, we shortlisted the security practices which are critical for GSD projects based on practitioners’ opinions using an online survey. Fifty-four GSD practitioners participated in this survey. Participants who evaluated these practices were asked to score each SSD practice on a four-point scale to indicate its relevance to GSD projects. The results obtained from the survey uncovered critical SSD practices that are primarily applicable to GSD projects. Our findings reveal variations of opinion among GSD practitioners with varying experience and company size regarding the importance of selected security practices for GSD. According to study findings, 16/36 practices are critical for GSD projects. These identified security practices belong to various phases of GSDLC.
Different activities, artifacts, and roles can be found in the literature on the agile engineering of secure software (AESS). The purpose of this paper is to consolidate them and thus identify key activities, artifacts, and roles that can be employed in AESS. To gain initial sets of activities, artifacts, and roles, the literature was first extensively reviewed. Activities, artifacts, and roles were then cross-evaluated with similarity matrices. Finally, similarity matrices were converted into distance matrices, enabling the use of Ward’s hierarchical clustering method for consolidating activities, artifacts, and roles into clusters. Clusters of activities, artifacts, and roles were then named as key activities, artifacts, and roles. We identified seven key activities (i.e., security auditing, security analysis and testing, security training, security prioritization and monitoring, risk management, security planning and threat modeling; and security requirements engineering), five key artifacts (i.e., security requirement artifacts, security repositories, security reports, security tags, and security policies), and four key roles (i.e., security guru, security developer, penetration tester, and security team) in AESS. The identified key activities, artifacts, and roles can be used by software development teams to improve their software engineering processes in terms of software security.
An Ontology for Security Patterns Vale, Anelis Pereira; Fernandez, Eduardo B.
2019 38th International Conference of the Chilean Computer Science Society (SCCC), 2019-Nov.
Conference Proceeding
Security is a fundamental requirement that we must keep in mind when developing a system. We approach the secure construction of software through the use of security patterns, as a way to mitigate their threats. We propose an ontological approach to security patterns, with the aim of adding semantics to the elements that surround security patterns. We have added ontological descriptions to pattern descriptions to make their use more precise, to allow the development of appropriate tools to present to the developer the relevant patterns in each stage and to be able to build better pattern catalogs. A final objective would be the construction of a complete catalog where each pattern includes ontological descriptions. Our contributions are (i) a representation of security patterns in the form of ontology; (ii) examples through queries on the use of the ontology and (iii) a discussion of the possible uses of this ontology for secure software development.
Mobile apps exploit embedded sensors and wireless connectivity of a device to empower users with portable computations, context-aware communication, and enhanced interaction. Specifically, mobile health apps (mHealth apps for short) are becoming an integral part of mobile and pervasive computing to improve the availability and quality of healthcare services. Despite the offered benefits, mHealth apps face a critical challenge, i.e., security of health-critical data that is produced and consumed by the app. Several studies have revealed that security specific issues of mHealth apps have not been adequately addressed. The objectives of this study are to empirically (a) investigate the challenges that hinder development of secure mHealth apps, (b) identify practices to develop secure apps, and (c) explore motivating factors that influence secure development. We conducted this study by collecting responses of 97 developers from 25 countries - across 06 continents - working in diverse teams and roles to develop mHealth apps for Android, iOS, and Windows platform. Qualitative analysis of the survey data is based on (i) 8 critical challenges, (ii) taxonomy of best practices to ensure security, and (iii) 6 motivating factors that impact secure mHealth apps. This research provides empirical evidence as practitioners' view and guidelines to develop emerging and next generation of secure mHealth apps.
Secure software development training course Gorbatov, V. S.; Meshcheriakov, A. A.
Bezopasnostʹ informat͡s︡ionnykh tekhnologiĭ, 06/2017, Volume: 24, Issue: 2
Journal Article
Peer reviewed
Open access
Information security is one of the most important criteria for the quality of developed software. To obtain a sufficient level of application security, companies implement a security process into the software development life cycle. At this stage, software companies encounter a deficit of employees who are able to solve problems of software design, implementation and application security. This article provides a description of the secure software development training course. Training course of application security is designed for co-education students of different IT-specializations.
From the early 1970s, the U.S. government began to recognize that simple penetration testing could not assure the security quality of products. The results of penetration testing such as identified vulnerabilities and faults can vary depending on the capabilities of the team. In other words, the penetration testing team cannot assure that “vulnerabilities are not found” is equal to “product does not have any vulnerabilities”. So the U.S. government realized that in order to improve the security quality of products, the development process itself should be managed in a strict, systematic manner. The US government began to publish various standards related to development methodology and evaluation procurement systems, embedding the “Security-by-Design” concept from the 1980s. Security-by-Design involves reducing a product’s complexity by considering security from the early phase of the development life-cycle such as during the product requirements analysis and design phase to ultimately achieve trustworthiness of the product. Since then, the Security-by-Design concept has spread to the private sector; since 2002 this has often come in the form of Secure SDLC by Microsoft and IBM, and this system is currently being used in various fields such as automotive and advanced weapon systems. However, the problem is that it is not easy to implement in the field because the standards or guidelines related to Secure SDLC contain only abstract and declarative content. Therefore, in this paper, we present a new framework that specifies the level of Secure SDLC desired by enterprises. We propose the CIA (functional Correctness, safety Integrity, security Assurance)-level based Security-by-Design framework which combines an evidence-based security approach standard with existing Secure SDLC. By using our methodology, we can quantitatively show any differences in Secure SDLC process level employed between the company in question and one of its competitors.
In addition, our framework is very useful when you want to build Secure SDLC in the field because you can easily derive detailed security activities and documents to build the desired level of Secure SDLC.
Software Security and development experts have addressed the problem of building secure software systems. There are several processes and initiatives to achieve secure software systems. However, most of these lack empirical evidence of its application and impact in building secure software systems. Two systematic mapping studies (SM) have been conducted to cover the existent initiatives for identification and mitigation of security threats. The SMs created were executed in two steps, first in 2015 July, and complemented through a backward snowballing in 2016 July. Integrated results of these two SM studies show a total of 30 relevant sources were identified; 17 different initiatives covering threats identification and 14 covering the mitigation of threats were found. All the initiatives were associated to at least one activity of the Software Development Lifecycle (SDLC); while 6 showed signs of being applied in industrial settings, only 3 initiatives presented experimental evidence of its results through controlled experiments, some of the other selected studies presented case studies or proposals.
During the initial stages of software development, the primary goal is to define precise and detailed requirements without concern for software realizations. Security constraints should be introduced then and must be based on the semantic aspects of applications, not on their software architectures, as it is the case in most secure development methodologies. In these stages, we need to identify threats as attacker goals and indicate what conceptual security defenses are needed to thwart these goals, without consideration of implementation details. We can consider the effects of threats on the application assets and try to find ways to stop them. These threats should be controlled with abstract security mechanisms that can be realized by security patterns (ASPs), that include only the core functions of these mechanisms, which must be present in every implementation of them. An abstract security pattern describes a conceptual security mechanism that includes functions able to stop or mitigate a threat or comply with a regulation or institutional policy. We describe here the properties of ASPs and present a detailed example. We relate ASPs to each other and to Security Solution Frames, which describe families of related patterns. We show how to include ASPs to secure an application, as well as how to derive concrete patterns from them. Finally, we discuss their practical value, including their use in “security by design” and IoT systems design.
Security Thinking in Online Freelance Software Development Rauf, Irum; Petre, Marian; Tun, Thein ...
2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Society (ICSE-SEIS), 05/2023
Conference Proceeding
Open access
Online freelance software development (OFSD) is a significant part of the software industry and is a thriving online economy; a recent survey by Stack Overflow reported that nearly 15% of developers are independent contractors, freelancers, or self-employed. Although security is an important quality requirement for the social sustainability of software, existing studies have shown differences in the way security issues are handled by developers working in OFSD compared to those working in organisational environments. This paper investigates the security culture of OFSD developers, and identifies significant themes in how security is conceived, practiced, and compensated. Based on in-depth interviews with 20 freelance (FL) developers, we report that (a) security thinking is evident in descriptions of their work, (b) security thinking manifests in different ways within OFSD practice, and (c) the dynamics of the freelance development ecosystem influence financial investment in secure development. Our findings help to understand the reasons why insecure software development is evident in freelance development, and they contribute toward developing security interventions that are tailored to the needs of freelance software developers.
General Summary: Online freelance software development (OFSD) is a significant part of the software industry and is a thriving online economy. Although security is an important quality requirement for the social sustainability of software, existing studies have shown differences in the way security issues are handled by developers working in OFSD compared to those working in organisational environments. Based on in-depth interviews with 20 freelance developers, this paper investigates the security culture of OFSD developers, and identifies significant themes in how security is conceived, practiced, and compensated.