Towards the Integration of Security Practices in the Software Implementation Process of ISO/IEC 29110: A Mapping

Secure software practices are gradually gaining relevance among software practitioners and researchers, because software is now part of everyday life and cybercrime is constantly increasing. Despite this importance, the adoption of such practices in the software industry is still scarce. Indeed, software security problems are split roughly evenly between implementation bugs and design flaws, so neither coding discipline nor design review alone is sufficient. Adoption remains a particular challenge for practitioners in small software companies, which therefore need support in changing their existing ways of working to integrate these new and unfamiliar practices. The aim of this study is twofold. First, to help build awareness of the software security process among practitioners in small companies. Second, to support the integration of these practices into the software implementation process of ISO/IEC 29110, which results in an extension of that process with additional activities identified from industry best practices. The proposed extension is to be applied selectively, based on the value of the software as an asset to the stakeholders and on the stakeholders' needs.