Secure software development practice selection model

Developing secure software is critical for organizations as highly-sensitive and confidential data are transacted through online applications. Insecure software can lead to loss of revenue and damage to business reputation. Although numerous methods, models and standards in regards to secure software development have been established, implementation of the whole model is quite challenging as it involves cost, skill, and time. Moreover, lack of knowledge and guidance on selection of suitable secure development practices becomes a challenge for project managers. On that account, this thesis developed a model which aims to guide the project managers to select secure software development practices based on the factors fulfilled by the project. Initially, a systematic literature review (SLR) was conducted, and as a result 18 influential factors were identified. To strengthen and enhance these findings, semistructured interviews were conducted with 21 software development experts from eight IT departments in Malaysian public sector, and 18 influential factors emerged from the interviews. The findings from both the SLR and interviews were consolidated, and analysed using the grounded theory techniques. As a result, 20 influential factors were finalized and grouped into four main categories that influenced software development outcomes: institutional context, software project content, people and action, and development processes. To assess the fulfilment of each factor, assessment criteria to determine the fulfilment of the factors were identified using secondary data analysis method. Subsequently, secure development practices which were suitable for the Malaysian public sector were identified through a survey, and as a result 24 practices were identified. The identified factors, assessment criteria, and practices were validated using the Delphi method, involving ten experts. In addition, the experts mapped the influential factors to each secure software development practice. As a result of the Delphi method which involved three phases, the lists of validated factors and assessment criteria were produced. Additionally, a list of practices mapped with the related influential factors was produced. The validated elements were used to formulate the Secure Software Development Practice Selection Model. The proposed model was finally evaluated using a multiple case study method that involved four software development projects in the Malaysian public sector. The project managers were provided with questionnaire to assess the fulfilment of factors, and identify practices that can be incorporated in their software development project. Thus, with the proposed Secure Software Development Practice Selection Model, suitable secure software development practices can be effectively identified by assessing the influential factors fulfilled by the software project. Furthermore, the average System Usability Scale score obtained for all agencies was 70.7; thus Secure Software Development Practice Selection Model was perceived to have ‘good’ usability which corresponds to the adjective scale. In sum, there are four significant contributions of this research: a validated list of factors influencing secure software development, a list of assessment criteria for the factors, mapping of secure software development practices with the influential factors, and evaluated Secure Software Development Practice Selection Model

An Approach Toward Implementing Continuous Security In Agile Environment

Traditionally, developers design software to accomplish a set of functions and then later add—or do not add—security measures, especially after the prevalence of the agile software development model. Consequently, there is an increased risk of security vulnerabilities that are introduced into the software in various stages of development. To avoid security vulnerabilities, there are many secure software development efforts in the directions of secure software development lifecycle process. The purpose of this thesis is to propose a software security assurance methodology and integrate it into the Msg Life organization’s development lifecycle based on security best practices that fulfill their needs in building secure software applications. Ultimately, the objective adhered to increasing the security maturity level according to the suggested security assurance roadmap and implemented partly in the context of this thesis.Tradicionalmente, os desenvolvedores projetam o software para realizar um conjunto de funções e, posteriormente, adicionam - ou não - medidas de segurança, especialmente após a prevalência do modelo de desenvolvimento ágil de software. Consequentemente, há um risco aumentado de vulnerabilidades de segurança que são introduzidas no software em vários estágios de desenvolvimento. Para evitar vulnerabilidades de segurança, existem muitos esforços no desenvolvimento de software nas direções dos processos do ciclo de vida desse mesmo software. O objetivo desta tese é propor uma metodologia de garantia de segurança de software e integrá-la ao ciclo de vida de desenvolvimento da Msg Life Company, com base nas melhores práticas de segurança que atendem às suas necessidades na criação de aplicativos de software seguros. Por fim, o objetivo aderiu ao aumento do nível de maturidade da segurança de acordo com o roteiro sugerido de garantia de segurança e implementado parcialmente no contexto desta tese