Generalized Software Security Framework

Security of information has become a major concern in today's digitized world. As a result, effective techniques to secure information are required. The most effective way is to incorporate security in the development process itself thereby resulting into secured product. In this paper, we propose a framework that enables security to be included in the software development process. The framework consists of three layers namely; control layer, aspect layer and development layer. The control layer illustrates the managerial control of the entire software development process with the help of governance whereas aspect layer recognizes the security mechanisms that can be incorporated during the software development to identify the various security features. The development layer helps to integrate the various security aspects as well as the controls identified in the above layers during the development process. The layers are further verified by a survey amongst the IT professionals. The professionals concluded that the developed framework is easy to use due to its layered architecture and, can be customized for various types of softwares

Building Security in during Information Systems Development

There are many facets of managing security in information systems. Although there are prior studies that focus on how to build secure code from an architectural standpoint, an often overlooked aspect of security is the relationship between the systems development policies and procedures and the security of the systems developed. We focus on this relationship and draw from a general software quality model to provide a foundation for testing this relationship. This study discusses ideas that follow from prior research and develops a survey instrument for exploring the relationship between policies and procedures during systems development life cycle and the security quality of the system developed

An Integrative Model of Managing Software Security during Information Systems Development

This study investigates the critical relationship between organizational system development policies, procedures and processes and the resulting security quality of the systems developed. We draw from a general software quality model to provide a theoretical foundation for testing this relationship. We used paper-based survey as well as online surveys to collect data from software developers and project managers. Our results revealed a significant relationship between management support and security policies and development process control. We also found significant relationships between development-process control and security quality, attitude and security quality, and the interaction between value congruence and commitment to provide security skills development. Counter-intuitively, we did not find a significant relationship between either security policy and security quality or the interaction between security policy and its legitimacy as perceived by systems development personnel. The managerial implications of the study include the need to foster a climate of security skills development through training for system development personnel and also simultaneously find strategies to more closely align their values to the security goals of the organization. Additionally, providing management support to formulate guidelines for development process control can improve the security quality of the systems developed

A Review of Security Issues in SDLC

Software Engineers do not implement security as a continuing process in software development; they give it worth at the end of software development.  Security implementation is an essential on-going routine in each phase of the software development lifecycle. This quantitative type of research investigates the security factors in different phases of Software Development Life Cycle (SDLC) and evaluates them from the research community and software engineers. Results are analyzed by using a statistical tool (SPSS), and security rules are proposed in each step of SDLC to assist software engineers and research community

Secure coding intention via protection motivation theory based survey

Abstract. According to studies, programming skills are obtained by a large number of persons but most of them lack the ability to produce secure software. This statement reflects the essence of this thesis and provides a direction to problem solving. The focus of this study is a research into the possibility of using a questionnaire prepared with the use of a protection motivation theory (PMT) to provide a indication of intention for software developers towards secure programming techniques. This study answers the following research question: Can secure programming intention be aroused with a PMT questionnaire? The questionnaire consists of three categories: background-, awareness-/knowledge- and PMT questions. Background questions are used to identify the focus group. Awareness and knowledge questions are used to provide secure coding information which is reflected by cognitive thinking via PMT questions. The questionnaire was built as web survey and distributed via professional social network. The questionnaire uses focused subject group working in micro and small enterprises (<50 employees). The study results are analysed against PMT components to validate focus group selection as a correct choice. Survey findings analysed in qualitative manner (partly in quantitative), indicates that majority of subjects created intention towards studying or using secure coding techniques. The focus group PMT analysis results shows that in each PMT section, at least over half indicated positive response into it. These results will provide a deeper research direction for how to promote secure coding

Software Technology Maturation and Software Security

Software technology maturation, also referred to as technology transfer, is as difficult as it is rare, mostly because of the time scale involved. Software maturation is defined as the process of taking a piece of technology from conception to popularization. Frequently, software engineers and developers tend to oversimplify the problems of technology transfer. They attribute problems to management pressures that complicate the use of software-engineering practices. However, a good understanding of the processes and problems is necessary to effectively tackle the technology-transfer problem. Without that understanding, the transfer of inappropriate technology to an organization without the maturity to understand and absorb it is likely to do harm, rather than to bring benefits. This research aims to answer two research questions regarding the technology maturation. Namely, is Redwine and Riddle's "Software Technology Maturation" study the accepted and gold standard within the software engineering discipline for assessing the maturation of software technology? Secondly, can the software technology maturation study be applied to other areas of software technology? The purpose of this research is to answer these questions of interest which will serve as the basis for the second implementation; applying the Redwine and Riddle criteria to the comparatively young discipline of software security. The primary goal for the second implementation is to explore and extend the second research question and demonstrate the maturity phases for the field of software security

A Generic Approach for Developing and Executing Electronic Questionnaires on the iOS Platform

The creation of questionnaires is a very time-consuming and costly task when developing a study. In most cases they are created in a paper-based form. However, this paper-based approach leaves less scope for interaction with the participant to motivate them when filling in the questionnaire. Moreover, data collection and subsequent evaluation is very cumbersome because all data has to be transferred manually to electronic worksheets. To deal with these issues, this master’s thesis presents a concept and implementation of an electronic questionnaire application to solve the mentioned problems. Thereby, different generic approaches are introduced and compared with each other. In general, questions and answers are determined using an XML document. In addition, a generic XML schema is provided to validate the specified questionnaires during the creation. When running such a questionnaire, user interface elements like textfields, checkboxes, radiobuttons or sliders are automatically generated by the application. Moreover, the results of completed questionnaires can be viewed and exported for later analysis. Requirements and styleguides for an iOS specific application development are determined an discussed. The theoretical characterization ends in a practical part whereby a possible scenario for the utilization of the electronic questionnaire application is shown. In addition, the steps to create, deploy and enact such an electronic questionnaire are discussed

0028/2009 - Problemas na Elicitação de Requisitos: Uma visão de pesquisa/literatura

A primeira fase na engenharia de requisitos é a elicitação de requisitos, na qual as informações sobre as necessidades do cliente são adquiridas, sendo crucial e crítica e podendo comprometer todas as etapas subseqüentes do desenvolvimento. O presente relatório apresenta um levantamento dos problemas que ocorrem durante a elicitação de requisitos citados na literatura da área

Security-Driven Software Evolution Using A Model Driven Approach

High security level must be guaranteed in applications in order to mitigate risks during the deployment of information systems in open network environments. However, a significant number of legacy systems remain in use which poses security risks to the enterprise’ assets due to the poor technologies used and lack of security concerns when they were in design. Software reengineering is a way out to improve their security levels in a systematic way. Model driven is an approach in which model as defined by its type directs the execution of the process. The aim of this research is to explore how model driven approach can facilitate the software reengineering driven by security demand. The research in this thesis involves the following three phases. Firstly, legacy system understanding is performed using reverse engineering techniques. Task of this phase is to reverse engineer legacy system into UML models, partition the legacy system into subsystems with the help of model slicing technique and detect existing security mechanisms to determine whether or not the provided security in the legacy system satisfies the user’s security objectives. Secondly, security requirements are elicited using risk analysis method. It is the process of analysing key aspects of the legacy systems in terms of security. A new risk assessment method, taking consideration of asset, threat and vulnerability, is proposed and used to elicit the security requirements which will generate the detailed security requirements in the specific format to direct the subsequent security enhancement. Finally, security enhancement for the system is performed using the proposed ontology based security pattern approach. It is the stage that security patterns derived from security expertise and fulfilling the elicited security requirements are selected and integrated in the legacy system models with the help of the proposed security ontology. The proposed approach is evaluated by the selected case study. Based on the analysis, conclusions are drawn and future research is discussed at the end of this thesis. The results show this thesis contributes an effective, reusable and suitable evolution approach for software security

Enterprise security architecture - mythology or methodology?

Security is a complex issue for organisations, with its management now a fiduciary responsibility as well as a moral one. Organisational security, such as computer security, human security, access control, risk management etc.; is conducted in separate business units creating a silo effect. A cohesive and holistic approach is required to mitigate the risk of security breaches and parts of the business not monitored by any silo. Without a holistic robust structure, the assets of an organisation are at critical risk. Enterprise architecture (EA) is a strong and reliable structure that has been tested and used effectively for designing, building, and managing organisations globally for at least 30 years. Grouping security with EA promises to leverage the benefits of EA in the security domain. Through a review of existing security frameworks this work evaluates the extent to which they employ EA and determines there is a need for developing a comprehensive solution. This research designs, develops, evaluates and demonstrates a security EA framework for organisations regardless of their industry, budgetary constraints or size. The framework is developed from the Zachman framework 2013 Version 3.0 because it is the most complete, most referenced in our frameworks review, and historically the methodology that is chosen by others to base their frameworks on. The results support the need for a holistic security structure and indicate benefits including reduction of security gaps, improved security investment decisions, clear functional responsibilities and a complete security nomenclature and international security standard compliance among others. This research bridges the gap and changes the way we fundamentally view security in an organisation, from individual silo capabilities to a holistic security eco-system with highly interdependent primitive security models.Thesis (Ph.D.) -- University of Adelaide, School of Computer Science, 202