Systematic Mapping of the Literature on Secure Software Development

The accelerated growth in exploiting vulnerabilities due to errors or failures in the software development process is a latent concern in the Software Industry. In this sense, this study aims to provide an overview of the Secure Software Development trends to help identify topics that have been extensively studied and those that still need to be. Therefore, in this paper, a systematic mapping review with PICo search strategies was conducted. A total of 867 papers were identified, of which only 528 papers were selected for this review. The main findings correspond to the Software Requirements Security, where the Elicitation and Misuse Cases reported more frequently. In Software Design Security, recurring themes are security in component-based software development, threat model, and security patterns. In the Software Construction Security, the most frequent topics are static code analysis and vulnerability detection. Finally, in Software Testing Security, the most frequent topics are vulnerability scanning and penetration testing. In conclusion, there is a diversity of methodologies, models, and tools with specific objectives in each secure software development stage.

[1]  Ayse Basar Bener,et al.  Establishing a baseline for measuring advancement in the science of security: an analysis of the 2015 IEEE security & privacy proceedings , 2016, HotSoS.

[2]  Padmaraj Nidagundi Software Application Security Test Strategy with Lean Canvas Design , 2018 .

[3]  Daniela Cruzes,et al.  A Perception of the Practice of Software Security and Performance Verification , 2018, 2018 25th Australasian Software Engineering Conference (ASWEC).

[4]  Marius Iulian Mihailescu,et al.  Security Design Patterns , 2010 .

[5]  Eric Bodden State of the Systems Security , 2018, 2018 IEEE/ACM 40th International Conference on Software Engineering: Companion (ICSE-Companion).

[6]  Yanyan Zhuang,et al.  It's the psychology stupid: how heuristics explain software vulnerabilities and how priming can illuminate developer's blind spots , 2014, ACSAC.

[7]  Bashar Nuseibeh,et al.  "Hopefully We Are Mostly Secure": Views on Secure Code in Professional Practice , 2019, 2019 IEEE/ACM 12th International Workshop on Cooperative and Human Aspects of Software Engineering (CHASE).

[8]  Eduardo B. Fernández,et al.  Securing distributed systems using patterns: A survey , 2012, Comput. Secur..

[9]  Jen-Feng Shih,et al.  An integrated security testing framework for Secure Software Development Life Cycle , 2016, 2016 18th Asia-Pacific Network Operations and Management Symposium (APNOMS).

[10]  Marcos Kalinowski,et al.  A Systematic Mapping Study on Security in Agile Requirements Engineering , 2018, 2018 44th Euromicro Conference on Software Engineering and Advanced Applications (SEAA).

[11]  Muthu Ramachandran,et al.  Software Security Requirements Engineering: State of the Art , 2015, ICGS3.

[12]  Sajjad Mahmood,et al.  Exploring software security approaches in software development lifecycle: A systematic mapping study , 2017, Comput. Stand. Interfaces.

[13]  Siffat Ullah Khan,et al.  A Preliminary Structure of Software Security Assurance Model , 2018, 2018 IEEE/ACM 13th International Conference on Global Software Engineering (ICGSE).

[14]  Jeffrey C. Carver,et al.  Guidelines for Systematic Mapping Studies in Security Engineering , 2018, ArXiv.

[15]  Ruth Breu,et al.  Security Testing: A Survey , 2016, Adv. Comput..

[16]  Volker Gruhn,et al.  A Systematic Mapping Study on Security Requirements Engineering Frameworks for Cyber-Physical Systems , 2018, SpaCCS.

[17]  Stacy Simpson,et al.  SAFECode Whitepaper: Fundamental Practices for Secure Software Development 2nd Edition , 2014, ISSE.

[18]  Ruth Breu,et al.  Evolution of Security Engineering Artifacts: A State of the Art Survey , 2014, Int. J. Secur. Softw. Eng..

[19]  Hossain Shahriar,et al.  Secure Mobile IPC Software Development with Vulnerability Detectors in Android Studio , 2018, 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC).

[20]  Isabelle Comyn-Wattiau,et al.  Reusable knowledge in security requirements engineering: a systematic mapping study , 2015, Requirements Engineering.

[21]  Bassam A. Hussein,et al.  Practical insight about choice of methodology in large complex software projects in Norway , 2014, 2014 IEEE International Technology Management Conference.

[22]  Futian Wang,et al.  Extracting Software Security Concerns of Problem Frames Based on a Mapping Study , 2017, 2017 24th Asia-Pacific Software Engineering Conference Workshops (APSECW).

[23]  Nora Koch,et al.  Evaluation of Engineering Approaches in the Secure Software Development Life Cycle , 2014, Engineering Secure Future Internet Services and Systems.

[24]  Pearl Brereton,et al.  Performing systematic literature reviews in software engineering , 2006, ICSE.

[25]  Tao Yue,et al.  Model-based security engineering for cyber-physical systems: A systematic mapping study , 2017, Inf. Softw. Technol..

[26]  Wm. Arthur Conklin,et al.  CSSLP Certification All-in-One Exam Guide , 2013 .

[27]  Zachary Munn,et al.  Qualitative research synthesis: methodological guidance for systematic reviewers utilizing meta-aggregation , 2015, International journal of evidence-based healthcare.

[28]  Atsuo Hazeyama,et al.  A Case-based Management System for Secure Software Development Using Software Security Knowledge , 2015, KES.

[29]  Hernán Astudillo,et al.  Software Development Initiatives to Identify and Mitigate Security Threats: A Systematic Mapping , 2016, CIbSE.

[30]  M. Petticrew,et al.  Systematic Reviews in the Social Sciences: A Practical Guide , 2005 .

[31]  Sean Barnum,et al.  Attack Patterns as a Knowledge Resource for Building Secure Software , 2007 .