Exploring software security approaches in software development lifecycle: A systematic mapping study

There is an increasing use of security-driven approaches to support software development activities such as requirements, design and implementation. The objective of this paper is to identify the existing software security approaches used in the software development lifecycle (SDLC). To meet this goal, we conducted a systematic mapping study to identify the primary studies on the use of software security techniques in the SDLC. In total, we selected and categorized 118 primary studies. After analyzing the selected studies, we identified 52 security approaches and categorized them into five main categories, namely 'secure requirements modeling', 'vulnerability identification, adaption and mitigation', 'software security focused process', 'extended UML-based secure modeling profiles' and 'non UML-based secure modeling notations'. The results show that the most frequently used approaches are static analysis and dynamic analysis, which provide security checks in the coding phase. In addition, our results show that many of the studies in this review concentrated their security checks around the coding stage of software development. This work will assist software development organizations in better understanding the existing software security approaches used in the software development lifecycle. It can also provide researchers with a firm basis on which to develop new software security approaches.
The objective is to identify the existing software security approaches used in the software development lifecycle. We have conducted a systematic mapping study to identify the primary studies on the use of software security techniques. We selected and categorized 118 primary studies. We identified 52 security approaches and categorized them into five main categories. The results show that the most frequently used approaches are static analysis and dynamic analysis. Our results show that many studies considered security checks around the coding stage of software development. This work will assist software development organizations in better understanding the existing software security approaches.