7 research outputs found

    An exploratory study on secure software practices among software practitioners in Malaysia

    The rapid growth of computers, mobile phones and Internet technology has created ways for irresponsible people to commit computer crimes. Millions of users across the globe have fallen victim to computer crimes, including in Malaysia. This is due to the current software environment, which is more complex, distributed, keeps confidential data and is easily exposed to malicious attacks. Consequently, the secure software process is gaining increasing importance among software practitioners and researchers. However, even though its importance has been recognized, only a few studies have been conducted on its current practice in the software industry, especially in Malaysia. Thus, an exploratory study was conducted among software practitioners in Malaysia to study their experiences and practices regarding the secure software process in real-world projects. This paper discusses the findings from the study, which involved 93 software practitioners. A structured questionnaire was used for data collection, whilst statistical methods such as frequency, mean, and cross tabulation were used for data analysis. Outcomes from this study reveal that software practitioners are becoming increasingly aware of the importance of the secure software process; however, they lack appropriate implementation of the practices.

    A process based approach software certification model for agile and secure environment

    In today’s business environment, Agile and secure software processes are essential since they bring high-quality and secure software to market faster and more cost-effectively. Unfortunately, some software practitioners are not following the proper practices of both processes when developing software. Various studies assess the quality of the software process; nevertheless, their focus is on the conventional software process. Furthermore, they do not consider weight values in the assessment, although each evaluation criterion might have different importance. Consequently, software certification is needed to give conformance on the quality of Agile and secure software processes. Therefore, the objective of this thesis is to propose the Extended Software Process Assessment and Certification Model (ESPAC), which addresses both software processes and considers the weight values during the assessment. The study is conducted in four phases: 1) a theoretical study to examine the factors and practices that influence the quality of Agile and secure software processes and weight value allocation techniques, 2) an exploratory study in which 114 software practitioners participated to investigate their current practices, 3) development of an enhanced software process certification model which considers process, people, technology, project constraint and environment, provides a certification guideline and utilizes the Analytic Hierarchy Process (AHP) for weight value allocation and 4) verification of Agile and secure software processes and AHP through expert reviews, followed by validation of the satisfaction and practicality of the proposed model through focus group discussion. The validation result shows that the ESPAC Model gained software practitioners’ satisfaction and is practical to execute in a real environment.
The contributions of this study straddle the research perspectives of Software Process Assessment and Certification and Multiple Criteria Decision Making, and the practical perspective, by providing software practitioners and assessors with a mechanism that reveals the quality of the software process and helps investors and customers in making investment decisions.

    Secure software development practice selection model

    Developing secure software is critical for organizations as highly sensitive and confidential data are transacted through online applications. Insecure software can lead to loss of revenue and damage to business reputation. Although numerous methods, models and standards for secure software development have been established, implementing a whole model is quite challenging as it involves cost, skill, and time. Moreover, a lack of knowledge and guidance on the selection of suitable secure development practices is a challenge for project managers. On that account, this thesis developed a model which aims to guide project managers in selecting secure software development practices based on the factors fulfilled by the project. Initially, a systematic literature review (SLR) was conducted, and as a result 18 influential factors were identified. To strengthen and enhance these findings, semi-structured interviews were conducted with 21 software development experts from eight IT departments in the Malaysian public sector, and 18 influential factors emerged from the interviews. The findings from both the SLR and the interviews were consolidated and analysed using grounded theory techniques. As a result, 20 influential factors were finalized and grouped into four main categories that influence software development outcomes: institutional context, software project content, people and action, and development processes. Assessment criteria to determine the fulfilment of each factor were identified using the secondary data analysis method. Subsequently, secure development practices suitable for the Malaysian public sector were identified through a survey, and as a result 24 practices were identified. The identified factors, assessment criteria, and practices were validated using the Delphi method, involving ten experts.
In addition, the experts mapped the influential factors to each secure software development practice. As a result of the Delphi method, which involved three phases, the lists of validated factors and assessment criteria were produced. Additionally, a list of practices mapped to the related influential factors was produced. The validated elements were used to formulate the Secure Software Development Practice Selection Model. The proposed model was finally evaluated using a multiple case study method that involved four software development projects in the Malaysian public sector. The project managers were provided with a questionnaire to assess the fulfilment of factors and identify practices that can be incorporated in their software development projects. Thus, with the proposed Secure Software Development Practice Selection Model, suitable secure software development practices can be effectively identified by assessing the influential factors fulfilled by the software project. Furthermore, the average System Usability Scale score obtained for all agencies was 70.7; thus the Secure Software Development Practice Selection Model was perceived to have ‘good’ usability, which corresponds to the adjective scale. In sum, there are four significant contributions of this research: a validated list of factors influencing secure software development, a list of assessment criteria for the factors, a mapping of secure software development practices to the influential factors, and an evaluated Secure Software Development Practice Selection Model.

    A Readiness Model for Secure Requirements Engineering


    AMAN-DA: A knowledge-reuse-based approach for security requirements engineering

    In recent years, security in Information Systems (IS) has become an important issue that needs to be taken into account in all stages of IS development, including the early phase of Requirement Engineering (RE). Considering security during early stages of IS development allows IS developers to envisage threats, their consequences and countermeasures before a system is in place. Security requirements are known to be “the most difficult of requirements types”, and potentially the ones causing the greatest risk if they are not correct. Moreover, requirements engineers are not primarily interested in, or knowledgeable about, security. Their tacit knowledge about security and their primitive knowledge about the domain for which they elicit security requirements make the resulting security requirements poor and too generic. This thesis explores the approach of eliciting requirements based on the reuse of explicit knowledge. First, the thesis proposes an extensive systematic mapping study of the literature on the reuse of knowledge in security requirements engineering, identifying the different knowledge forms. This is followed by a review and classification of security ontologies as the main reuse form. In the second part, AMAN-DA is presented. AMAN-DA is the method developed in this thesis. It allows the elicitation of domain-specific security requirements of an information system by reusing knowledge encapsulated in domain and security ontologies. Besides that, the thesis presents the different elements of AMAN-DA: (i) a core security ontology, (ii) a multi-level domain ontology, (iii) syntactic models of security goals and requirements, (iv) a set of rules and mechanisms necessary to explore and reuse the encapsulated knowledge of the ontologies and produce security requirements specifications. The last part reports the evaluation of the method. AMAN-DA was implemented in a prototype tool.
Its feasibility was evaluated and applied in case studies of three different domains (maritime, web applications, and sales). The ease of use and the usability of the method and its tool were also evaluated in a controlled experiment. The experiment revealed that the method is beneficial for the elicitation of domain-specific security requirements, and that the tool is friendly and easy to use.