Systematic Mapping Study Protocol For Secure Software Engineering

Abstract

In today's world, software security has become essential for protecting the overall organization's operations. Mostly software development companies are adopting various strategies to build secure software to cope with the challenges of the client organization. Information become threatened due to connection with the cyber world, and it requires better security mechanisms. Software development organizations are receiving pressure from their clients to focus on the enhancement of security during the whole software development life cycle (SDLC). This protocol aims to review the literature in a systematic way to identify the state-of-the-art of software security to be considered by Global Software Development (GSD) vendor organizations during the development of a secure software as it evolves from requirements engineering to its final disposal. In order to improve security processes in the context of software development, our current research developed a Systematic Mapping Study (SMS) protocol. Presently, we are in the implementation phase of the protocol for the development of secure software. The expected outcomes of this SMS will be a list of security measurements and their solutions to be incorporated by GSD vendor organizations in each phase of the SDLC. This will also give a direction for new research in this area.

Keywords: Software Security”“Secure Software”“SDLC”; “Systematic Mapping Study”“Global Software Development”“Vendors”

Introduction

Due to the advancement of information and communication technologies (ICTs), software security is becoming more and more critical. Nowadays software systems are becoming an important part in every domain of human society, such as electronics, telecommunications, shipping, home appliances, financial services, and more. For developing any software system, the main important part is to consider its security. Software security is the most important part of a system. Literature reveals that a number of strategies have been developed for building secure software, however no such tools are adapted to handle the security of a complex environment, generally at each phase of SDLC and in large distributed software development teams (Pan, Zhu, & Mao, 2016; Tung, Lo, Shih, & Lin, 2016).

The critical question is arising that how could a software will be secure to security threats? Obviously, majority of software products undergoing live testing are vulnerable to threats and mostly fail to provide a secure and safe environment to clients and users. This is due to the lack of systematic evaluations such as systematic reviews, procedures, approaches, or frameworks as these evaluations could help project managers and software engineers to ensure that security processes are continuously followed throughout the software development process, according to a set of predefined procedures or rules (Karim, Albuolayan, Saba, & Rehman, 2016; Mundher, Muhamad, Rehman, Saba, & Kausar, 2014). To efficiently grip the security problems, that are present in during the development of applications, it is necessary to consider security-minded thinking throughout the development processes, which reduces the threats of missing essential security requirements or creating vital faults in software design (Mohammed, Niazi, Alshayeb, & Mahmood, 2017).

Traditionally, most software developers ignore taking care of early stage vulnerabilities and security threats. These defects in software are rising due to poor development approach, bad design and bad requirement analysis, which can lead to easy exploitation by the cybercriminal (Garousi, Coşkunçay, Demirörs, & Yazici, 2016). Security in software development life cycle are mostly treated by adding security features, using firewalls by security experts, imposition avoidance systems, proxies, platform security and antivirus (Jürjens, 2005). Today, the most widespread security risks are encountered due to Internet enabled software applications, and software are rapidly growing extensibility and complexity which adding up more fuel to the fire. As a result of every assessment, security risks are very common in software applications and the problems are rising day-by-day (McGraw, 2004).

Software Security plays an essential role in the software development life cycle, and software security testing is very significant means to achieve the goal of building secure software. Considerable research has been focused on software security in the context of SDLC. In order to develop a secure software and improve software development processes, several standards and models have been initiated:

A systematic mapping study performed by (M. Nabil. Mohammed, Niazi. Mahmood, Alshayeb. Mohammad, & Sajjad, February 2017), has identified various approaches that are used for detection of security defects in SDLC. After thorough analysis they argued that dynamic code analysis and static code analysis are the most frequently used approaches for checking security risks mainly in coding phase. The study shows that most of the security checks are approximately applied only to coding stage of SDLC. In order to construct a secure software, (Tung et al., 2016), suggested an integrated security testing framework, which assume security activities and practices of SDLC to generate security guidelines and test cases.

(Velmourougan, Dhavachelvan, Baskaran, & Ravikumar, 2014), presents a maintainable software development life cycle model (MSDLC), which establishes different maintainability tasks to be followed during the software development life cycle phases. They propose various actions and practices to be incorporated at different stages of SDLC. (Hashimi, Hafez, & Beraka, 2012) have determined risk management processes and related techniques, and have defined the critical risks that may face the software. To attain that, they intend a wheel model which shows the relation among phases of SDLC and risk management. (Gilliam, Wolfe, Sherif, & Bishop, 2003), have worked on the SDLC and proposed software development security checklists. They proposed 26 software security checklists that should be followed during the critical areas of requirements collection and its specification, design and code issues, maintenance and decommissioning of software and systems. As in traditional SDLC, security testing is done at the end however, it should consider security and risks at each phase to avoid major threats at the later phases.

The Software Assurance Maturity Model (SAMM) is an open framework to facilitate organizations in assuring the organization's maturity towards software security (Chandra, 2009). This model was defined with flexibility in mind which could be developed by small, medium, and large organizations using any approach of development. (Karim et al., 2016) conducted a case study and have argued to introduce security measures at the early stages in the SDLC. They presents different essential basics as a security standards, practices, approaches, tools and techniques used within SDLC. In this manner, they gathered various recommendations and verifications to obtain the real activities that are suitable to be performed at each stage of SDLC. Recently, complicated and inventive attacks have been reported which are constantly increasing software security risks (Bedi, Gandotra, Singhal, Narang, & Sharma, 2013). (Bedi et al., 2013) proposed a three phased threat-oriented security model, gathering complicated and inventive attacks as a component, and then suggesting practices to handle it. (Felderer, Zech, Breu, Büchler, & Pretschner, 2016), systematically extracted a categorization of testing approaches for model based security. This model contains filter criterion (i.e. model of system security, security model of the environment and precise test collection criteria) and indication criteria (i.e. maturity of evaluated system, evidence measures and evidence level).

Problem Statement

From the above literature in the field of Software Engineering, we overreach to this point that there is a growing interest and need of research in software security in the context of SDLC. Regardless of emergent attention in this area, there is lack of systematic literature review or systematic mapping study to be conducted which covers the identification of challenges/risks, security configurations and its practices to develop a secure software for Global Software Development (GSD) vendors. It is important to note that the limit of our systematic analysis is constrained to the area of software security in the context of SDLC, which is defined in our search plan and terms.

Research Questions

The overreaching goal of this systematic mapping study is to examine the state-of-the-art in the area of software security in the context of SDLC and also to capture the needs and directions for future research. To achieve this, our main aim is tackle the following research questions (RQs):

RQ1: What is the state-of-the-art in secure software engineering (SSE)?

In order to answer RQ1, we will analyze the literature on the basis of the following sub questions:

RQ1.1: Which topics/techniques/challenges that are related to secure software engineering are covered?

RQ1.2: What are the solutions that should be followed at each phase of the SDLC to deliver a secure software?

Purpose of the Study

The overreaching goal of this systematic mapping study is to examine the state-of-the-art in the area of software security in the context of SDLC and also to capture the needs and directions for future research

Research Methods

In this paper, a systematic mapping study protocol is discussed. We have followed the SMS guidelines (Budgen, Turner, Brereton, & Kitchenham, 2008) for developing this protocol. Protocol development is the first phase of a system mapping study. SMS reviews topics in a broader sense and categorize the basic research articles in a specific area of interest (Kitchenham, Budgen, & Brereton, 2011). As compared to systematic literature review (SLR), systematic mapping study is conducted on a broader research questions in order to identify the gaps in a particular research domain. Therefore, SMS preserve huge approaching significance to the field of software engineering researchers by giving a general idea about the literature in particular area.

Findings

We designed a search string, given as follow, to examine the state-of-the-art in the area of software security in the context of GSD, however the results retrieved through different digital libraries, as shown in Table 02 , were limited. We entitled this search string as Track 1. The search string was constructed on connecting the features of PICO by Boolean AND connector:

Track 1: ((“software security” OR “software privacy” OR “secure software” OR “software protection” OR “software safety”) AND (“global software development” OR “GSD” OR “Distributed software development”)

We then decided to design another search string by naming it Track 2, given as follow, such as to examine the state-of-the-art in the area of software security in the context of SDLC, without restricting it to the GSD context. We therefore got significant results through different digital libraries, as shown in Table 02 . We also presented the results of Track 2 to the members of the software engineering research group at University of Malakand (SERG_UOM), and it was concluded after a thorough discussion to follow and implement Track 2 for the conduction of the SLR, as shown in Table 02 .

Track 2: ((“software security” OR “software privacy” OR “secure software” OR “software protection” OR “software safety”) AND (“Software Engineering” OR “Software Development lifecycle” OR “SDLC” OR “Software security Model”))

This search string was run in IEEE Xplore, Science Direct, ACM, Springer Link, Wiley Online Library, and AIS Electronic Library (AiSel) digital libraries. We also run this search string in Google Scholar an online search engine. Table 02 shows the number of search results per database and search engine.

Conclusion

It is evident from the findings of the search phase of the systematic mapping study that no systematic mapping study or systematic literature review is published so far that can identify the GSD security challenges and its solutions at each phase of the SDLC. In this paper, we only present findings of the one component of our proposed study in the form of SMS protocol. Currently, we are in the implementation phase of the SMS protocol.

The ultimate aim in future, We plan the following in future:

• Identification of the software security challenges, security contributions and their practices for GSD vendors through SLR and empirical study in the industry.

• To develop Software Security Assurance Model (SSAM) to assist GSD vendor organizations in measuring their readiness towards the development of secure software.

Acknowledgments

We are very thankful to Software Engineering Research Group, University of Malakand (SERG_UOM) for their valuable feedbacks/reviews in validation of the SMS protocol. We are also grateful to COE Grant Universiti Teknologi Malaysia (Q.J130000.2428.03G94) for financial supporting.

References

1. Bedi, P., Gandotra, V., Singhal, A., Narang, H., & Sharma, S. (2013). Threat‐oriented security framework in risk management using multiagent system. Software: Practice and Experience, 43(9), 1013-1038.
2. Budgen, D., Turner, M., Brereton, P., & Kitchenham, B. A. (2008). Using Mapping Studies in Software Engineering. Paper presented at the PPIG.
3. Chandra, P. (2009). Software assurance maturity model. A guide to building security into software development v1. 0.
4. Felderer, M., Zech, P., Breu, R., Büchler, M., & Pretschner, A. (2016). Model‐based security testing: a taxonomy and systematic classification. Software Testing, Verification and Reliability, 26(2), 119-148.
5. Garousi, V., Coşkunçay, A., Demirörs, O., & Yazici, A. (2016). Cross-factor analysis of software engineering practices versus practitioner demographics: An exploratory study in Turkey. Journal of Systems and Software, 111, 49-73.
6. Gilliam, D. P., Wolfe, T. L., Sherif, J. S., & Bishop, M. (2003). Software security checklist for the software life cycle. Paper presented at the WET ICE 2003. Proceedings. Twelfth IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 2003.
7. Hashimi, H., Hafez, A., & Beraka, M. (2012). A novel view of risk management in software development life cycle. Paper presented at the 2012 12th International Symposium on Pervasive Systems, Algorithms and Networks.
8. Jürjens, J. (2005). Secure systems development with UML: Springer Science & Business Media.
9. Karim, N. S. A., Albuolayan, A., Saba, T., & Rehman, A. (2016). The practice of secure software development in SDLC: an investigation through existing model and a case study. Security and Communication Networks, 9(18), 5333-5345.
10. Kitchenham, B. A., Budgen, D., & Brereton, O. P. (2011). Using mapping studies as the basis for further research–a participant-observer case study. Information and Software Technology, 53(6), 638-651.
11. M. Nabil. Mohammed, Niazi. Mahmood, Alshayeb. Mohammad, & Sajjad, M. (February 2017). Exploring Software Security Approaches in Software Development Lifecycle: A Systematic Mapping Study. Computer Standards & Interfaces, 50, 107-115.
12. McGraw, G. (2004). Software security. IEEE Security & Privacy, 2(2), 80-83.
13. Mohammed, N. M., Niazi, M., Alshayeb, M., & Mahmood, S. (2017). Exploring software security approaches in software development lifecycle: A systematic mapping study. Computer Standards & Interfaces, 50, 107-115.
14. Mundher, M., Muhamad, D., Rehman, A., Saba, T., & Kausar, F. (2014). Digital watermarking for images security using discrete slantlet transform. Applied Mathematics & Information Sciences, 8(6), 2823.
15. Pan, P., Zhu, X., & Mao, X. (2016). Security Test for Application Software Based on SPN. Paper presented at the First International Conference on Real Time Intelligent Systems.
16. Tung, Y.-H., Lo, S.-C., Shih, J.-F., & Lin, H.-F. (2016). An integrated security testing framework for Secure Software Development Life Cycle. Paper presented at the 2016 18th Asia-Pacific Network Operations and Management Symposium (APNOMS).
17. Velmourougan, S., Dhavachelvan, P., Baskaran, R., & Ravikumar, B. (2014). Software development life cycle model to improve maintainability of software applications. Paper presented at the 2014 Fourth International Conference on Advances in Computing and Communications.