Secure Software Development: Industrial Practice - A Review

Henry O. Nwaete*
Northcentral University, San Diego, California.
Periodicity: January - March 2022
DOI : https://doi.org/10.26634/jse.16.3.18674

Abstract

The current state of application assets, with respect to their development, functionality, scalability, user friendliness, and compatibility with legacy systems, has witnessed an unprecedented degree of improvement. This increase in productivity and value has been a product of the technological innovations within and around the software development landscape. Owing to specific software development practices, including software reusability, Object Oriented Programming (OOP), encapsulation, and portability, all sectors of the economy have come to embrace software products that help drive business transactions. Nonetheless, the proliferation of software, which has driven up the velocity, veracity and volume of data associated with transactions, has turned that data into a goldmine up for grabs. Hackers and adversaries alike have capitalized on this development to exploit the potential threats and vulnerabilities associated with software products. Insecure software is a global issue, and one that impacts individuals, organizations and governments. Data loss is both a security and a privacy issue, with compliance, regulatory and legal consequences, and bad actors are relentless in their efforts to steal, deface, alter or manipulate, destroy, and compromise software systems. Organizations should therefore embrace secure coding principles and threat modeling, and institute a Secure Software Development Lifecycle (SSDLC) practice that embeds security into the development phase, to contain the risks, threats, and vulnerabilities inherent in software development. This paper is an effort to provide and arm organizations with the necessary tools, processes, and mechanisms that can be leveraged to combat cyber-threats and enforce Information Assurance (IA) within and around enterprise application assets.
Beginning with an overview of the contemporary software development practices witnessed in diverse organizations, including financial, energy, aviation, commerce, nuclear, defense, and several other Critical Infrastructure (CI) organizations, the tenets of a composite, structured and robust SSDLC are presented to promote defense-in-depth security for enterprise organizations.

Keywords

Security-by-Design, Threat Modelling (TM), Architectural Review, Penetration Testing (PT), Static Code Analysis, Web Application Monitoring.

How to Cite this Article?

Nwaete, H. O. (2022). Secure Software Development: Industrial Practice - A Review. i-manager's Journal on Software Engineering, 16(3), 60-71. https://doi.org/10.26634/jse.16.3.18674
