A Survey on Design Methods for Secure Software Development
DOI:
https://doi.org/10.24297/ijct.v16i7.6467Keywords:
Software, Security, Software Development Life CycleAbstract
Software provide services that may come with some vulnerabilities or risks. Attackers perform actions that break security of system through threats and cause a failure. To avoid security vulnerability, there are many security-specific concepts that should be determined as requirements during software development life cycle in order to deliver a strong and secure software. This paper first, survey a number of existing processes, life cycle and methodologies needed for developing secure software based on the related published works. It starts by presenting the most relevant Secure Software Development Lifecycles, a comparison between the main security features for each process is proposed. The results of the comparison will give the software developer with a guideline which will help on selecting the best secure process. Second, the paper list a set of the most widely used specification languages with the advantages and disadvantages for each.
Downloads
Download data is not yet available.
References
[1] Schneider, T., “Secure Software Engineering Processes: Improving the Software Development Life Cycle to Combat Vulnerabilityâ€, SQP VOL. 9, NO. 1, 2006, http://www.asq.org
[2] McGraw, G., Software Security: Building Security In, Addison Wesley, 2006
[3] Verdon, D. and McGraw, G., “Risk Analysis in Software Design,†IEEE Security and Privacy, IEEE CS Press, 2004, volume 2, number 4, pages 79-84.
[4] Lipner, S., “The Trustworthy Computing Security Development Lifecycle,†In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC ‘04), Tucson, Arizona, USA, 2004, IEEE CS Press, pages 2-13.
[5] Flechais, I., Mascolo, C., and Sasse, M. A., “Integrating Security and Usability into the Requirements and Design Process,†International Journal of Electronic Security and Digital Forensics, Inderscience Publishers, Geneva, Switzerland, 2007, volume 1, number 1, pages 12-26.
[6] Sodiya, A. S., Onashoga, S. A., and Ajayi, O. B., “Towards Building Secure Software Systems,†Issues in Informing Science and Information Technology, Informing Science Institute, California, USA, 2006, volume 3, pages 635-646.
[7] Mead, N. R., Hough, E., and Stehney, T. “Security Quality Requirements Engineering (SQUARE) Methodology,†Technical Report CMU/SEI-2005-TR-009, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, USA, 2005.
[8] Yu,W. D. and Le, K., “Towards a Secure Software Development Lifecycle with SQUARE+R,†In Proceedings of the 36th International Conference on Computer Sofwtare and Applications Workshops, Izmir, Turkey, 2012, pages 565-570
[9] Jain, S.and Ingle, M., “Techno-Management View of Secured Software Development,†In Proceedings of the 6th International Conference on Software Engineering (CONSEG), Indore, India, 2012, pages 1-6.
[10] British Standard Institute, Information technology -- Security techniques -- Management of information and communications technology security -- Part 1: Concepts and models for information and communications technology security management BS ISO/IEC 13335-1-2004
[11] A. Apvrille and M. Pourzandi, “Secure Software Development by Example,†IEEE Security and Privacy, IEEE CS Press, 2005, vol. 3, no. 4, pp. 10-17.
[12] Noopur Davis, “Secure Software Development Life Cycle Processes: A Technology Scouting Reportâ€, December 2005, Software Engineering Process Management
[13] Lipner, Steve & Howard, Michael. The Trustworthy Computing Security Development Lifecycle. http://msdn.microsoft.com/security/default.aspx?pull=/library /en-us/dnsecure/html/sdl.asp (2005).
[14] Sanjai Gupta, Md Faisal, Mohammed Hussain,†SECURE SOFTWARE DEVELOPMENT PROCESS FOR EMBEDDED SYSTEMS CONTROLâ€, International Journal of Engineering Sciences & Emerging Technologies, Dec. 2012., ISSN: 2231 – 6604, Volume 4, Issue 1, pp: 133-143 ©IJESET
[15] Abrahamsson, P., Warsta, J., Siponen, M.T. & Ronkainen, J., (2003), New directions on agile methods: A comparative analysis. International Conference on Software Engineering.
[16] Beznosov, Konstantin. eXtreme Security Engineering: On Employing XP Practices to Achieve ‘Good Enough Security’ without Defining It. http://konstantin.beznosov.net/professional/papers /eXtreme_Security_Engineering.html (2003).
[17] Mehrez Essafi, Lamia Labed, and Henda Ben Ghezala, “S2D-ProM: A Strategy Oriented Process Model for Secure Software Developmentâ€, In Proc. of the 2nd International Conference on Software Engineering Advances (ICSEA’07), Cap Esterel, French Riviera, France, 2007, p. 24.
[18] OWASP Foundation, "OWASP CLASP v1.2 Comprehensive, Lightweight Application Security Process", OWASP. November 9, 2007.
[19] Li, W. and Chiueh, T., “Automated Format String Attack Prevention for Win32/X86 Binaries,†In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC’07), Miami, Florida, USA, Dec 2007, pages 398409
[20] Peine, H., “Rules of Thumb for Developing Secure Software: Analyzing and Consolidating Two Proposed Sets of Rules,†In Proceedings of the 3rd International Conference on Availability, Reliability and Security (ARES’08), Barcelona, Spain, 2008, IEEE CS Press, pages 1204-1209.
[21] Saltzer, J. H., and Schroeder, M. D., “The Protection of Information in Computer Systems,†Proceedings of the IEEE, IEEE Press, 1975, volume 63, number 9, pages 1278-1308.
[22] Viega, J. and McGraw, G., Building Secure Software, Addison Wesley, 2002.
[23] Howard, M. and LeBlanc, D., Writing Secure Code 2nd Edition, Microsoft Press, 2003.
[24] Khan, M. U. and Zulkernine, M., “On Selecting Appropriate Development Processes and Requirement Engineering Methods for Secure Software,†In Proceedings of the 4th IEEE International Workshop on Security, Trust, and Privacy for Software Applications (STPSA 2009), Seattle, Washington, USA, 2009, IEEE CS Press, volume 2, pages 353-358.
[25] Khan, M. U. and Zulkernine, M., “Activity and Artifact Views of a Secure Software Development Process,†In Proceedings of the International Workshop on Software Security Process (SSP’09), Vancouver, Canada, 2009, IEEE CS Press, volume 3, pages 399-404.
[26] Khan, M. U. and Zulkernine, M., “Quantifying Security in Secure Software Development Phases,†In Proceedings of the 2nd IEEE International Workshop on Secure Software Engineering (IWSSE’08), Turku, Finland, 2008, IEEE CS Press, pages 955-960.
[27] D.P. Gilliam, T.L. Wolfe, J.S. Sherif, and M. Bishop, “Software Security Checklist for the Software Life Cycle,†In Proc. of the 12th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE’03), Linz, Austria, IEEE CS Press, 2003, pp. 243-248.
[28] D. Gilliam, J. Powell, E. Haugh, and M. Bishop, “Addressing Software Security Risk and Mitigations in the Life Cycle,†In Proc. of the 28th Annual NASA Goddard Software Engineering Workshop (SEW’03), Greenbelt, Maryland, USA, 2003, pp. 201-206.
[29] G. McGraw, “Testing for Security During Development: Why we should Scrap Penetrate-and-Patch,†IEEE Aerospace and Electronic Systems, IEEE CS Press, 1998, vol. 13, no. 4, pp. 13-15.
[30] L. Futcher and R.v. Solms, “SecSDM: A Model for Integrating Security into the Software Development Life Cycle,†In IFIP International Federation for Information Processing, Volume 237, Proc. of the 5th World Conference on Information Security Education, Springer, 2007, pp. 41-48
[31] I. Flechais, M.A. Sasse, and S.M.V. Hales, “Bringing Security Home: A Process for Developing Secure and Usable Systems,†In Proc. of the New Security Paradigms Workshop (NSPW’07), Ascona, Switzerland, ACM Press, 2003, pp. 49-57.
[32] J. Gregoire, K. Buyens, B. De Win, R. Scandariato, and W. Joosen, “On the Secure Software Development Process: CLASP and SDL Compared,†In Proc. of the 3rd International Workshop on Software Engineering for Secure Systems (SESS’07), Minneapolis, Minnesota, USA, IEEE CS Press, 2007, pp. 1-1.
[33] Hall, Anthony & Chapman, Roderick. “Correctness by Construction: Developing a Commercial Secure System.†IEEE Software 19, 1 (January/February 2002): 18–25.
[34] Ross, Philip E. “The Exterminators: A Small British Firm Shows That Software Bugs Aren’t Inevitable.†IEEE Spectrum 42, 9 (September 2005): 36–41.
[35] S.T. Eckmann, G. Vigna, and R.A. Kemmerer, “STATL: An Attack Language for State-Based Intrusion Detection,†Journal of Computer Security, IOS Press, Amsterdam, 2002, vol. 10, no. 1/2, pp. 71-104.
[36] Md Swawibe Ul Alam,†Survey of Speciï¬cation Languages for Cloud Securityâ€,
[37] T. Lodderstedt, D.A. Basin, and J. Doser, “SecureUML: A UML-Based Modeling Language for Model Driven Security,†In Proc. of the 5th International Conference on the Unified Modeling Language (UML’02), Dresden, Germany, Springer, 2002, LNCS 2460/2002, pp. 426-441.
[38] M. Hussein and M. Zulkernine, “UMLintr: a UML profile for specifying intrusions,†In Proceedings of the 13th IEEE International Conference and Workshop on the Engineering of Computer-Based Systems, Potsdam, Germany, IEEE CS Press, 2006, pp. 279–286.
[39] Microsoft. ASML. https://www.microsoft.com/en-us/research/project/ asml-abstract-state-machine-language/, 2000. [Online; accessed 06-March-2017].
[40] M. Raihan and M. Zulkernine. Asmlsec: An extension of abstract state machine language for attack scenario speciï¬cation. In Availability, Reliability and Security, 2007. ARES 2007. The Second International Conference on, pages 775–782. IEEE, 2007.
[41] M. Graves and M. Zulkernine, “Bridging the Gap: Software Specification Meets Intrusion Detector,†In Proc. of the 4th Annual Conference on Privacy, Security and Trust (PST’06), Ontario, Canada, pp. 265-274.
[42] Snort, www.snort.org. Last Accessed March 2009
[43] Michael Felderer, Matthias Bu¨chler, Martin Johns, Achim D. Brucker, Ruth Breu, Alexander Pretschner, “Security Testing: A Surveyâ€, Survey. In: Memon, A., (ed.) Advances in Computers, Volume 101. Elsevier , Cambridge, MA, USA , pp. 1-51. ISBN 9780128051580
[44] M. Gallaher and B. Kropp. The economic impacts of inadequate infrastructure for software testing. Technical Report Planning Report 02-03, National Institute of Standards & Technology, May 2002.
[45] G. Buehrer, B. W. Weide, and P. A. G. Sivilotti. Using parse tree validation to prevent sql injection attacks. In Proceedings of the 5th International Workshop on Software Engineering and Middleware, SEM ’05, pages 106–113, New York, NY, USA, 2005. ACM
[46] K. Scarfone, M. Souppaya, A. Cody, and A. Orebaugh. Technical Guide to Information Security Testing and Assessment. Special Publication 800-115, National Institute of Standards and Technology (NIST), 2008.
[47] B. P. Miller, L. Fredriksen, and B. So. An empirical study of the reliability of unix utilities. Commun. ACM, 33(12):32–44, Dec. 1990.
[48] M. Felderer and E. Fourneret. A systematic classiï¬cation of security regression testing approaches. International Journal on Software Tools for Technology Transfer, pages 1–15, 2015.
[49] S. Yoo and M. Harman. Regression testing minimisation, selection and prioritisation: A survey. Software Testing, Veriï¬cation, and Reliability, 1(1):121–141, 2010.
[50] Abdullah Saad AL-Malaise AL-Ghamdi, “A Survey on Software Security Testing Techniquesâ€, International Journal of Computer Science and Telecommunications [Volume 4, Issue 4, April 2013]
[2] McGraw, G., Software Security: Building Security In, Addison Wesley, 2006
[3] Verdon, D. and McGraw, G., “Risk Analysis in Software Design,†IEEE Security and Privacy, IEEE CS Press, 2004, volume 2, number 4, pages 79-84.
[4] Lipner, S., “The Trustworthy Computing Security Development Lifecycle,†In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC ‘04), Tucson, Arizona, USA, 2004, IEEE CS Press, pages 2-13.
[5] Flechais, I., Mascolo, C., and Sasse, M. A., “Integrating Security and Usability into the Requirements and Design Process,†International Journal of Electronic Security and Digital Forensics, Inderscience Publishers, Geneva, Switzerland, 2007, volume 1, number 1, pages 12-26.
[6] Sodiya, A. S., Onashoga, S. A., and Ajayi, O. B., “Towards Building Secure Software Systems,†Issues in Informing Science and Information Technology, Informing Science Institute, California, USA, 2006, volume 3, pages 635-646.
[7] Mead, N. R., Hough, E., and Stehney, T. “Security Quality Requirements Engineering (SQUARE) Methodology,†Technical Report CMU/SEI-2005-TR-009, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, USA, 2005.
[8] Yu,W. D. and Le, K., “Towards a Secure Software Development Lifecycle with SQUARE+R,†In Proceedings of the 36th International Conference on Computer Sofwtare and Applications Workshops, Izmir, Turkey, 2012, pages 565-570
[9] Jain, S.and Ingle, M., “Techno-Management View of Secured Software Development,†In Proceedings of the 6th International Conference on Software Engineering (CONSEG), Indore, India, 2012, pages 1-6.
[10] British Standard Institute, Information technology -- Security techniques -- Management of information and communications technology security -- Part 1: Concepts and models for information and communications technology security management BS ISO/IEC 13335-1-2004
[11] A. Apvrille and M. Pourzandi, “Secure Software Development by Example,†IEEE Security and Privacy, IEEE CS Press, 2005, vol. 3, no. 4, pp. 10-17.
[12] Noopur Davis, “Secure Software Development Life Cycle Processes: A Technology Scouting Reportâ€, December 2005, Software Engineering Process Management
[13] Lipner, Steve & Howard, Michael. The Trustworthy Computing Security Development Lifecycle. http://msdn.microsoft.com/security/default.aspx?pull=/library /en-us/dnsecure/html/sdl.asp (2005).
[14] Sanjai Gupta, Md Faisal, Mohammed Hussain,†SECURE SOFTWARE DEVELOPMENT PROCESS FOR EMBEDDED SYSTEMS CONTROLâ€, International Journal of Engineering Sciences & Emerging Technologies, Dec. 2012., ISSN: 2231 – 6604, Volume 4, Issue 1, pp: 133-143 ©IJESET
[15] Abrahamsson, P., Warsta, J., Siponen, M.T. & Ronkainen, J., (2003), New directions on agile methods: A comparative analysis. International Conference on Software Engineering.
[16] Beznosov, Konstantin. eXtreme Security Engineering: On Employing XP Practices to Achieve ‘Good Enough Security’ without Defining It. http://konstantin.beznosov.net/professional/papers /eXtreme_Security_Engineering.html (2003).
[17] Mehrez Essafi, Lamia Labed, and Henda Ben Ghezala, “S2D-ProM: A Strategy Oriented Process Model for Secure Software Developmentâ€, In Proc. of the 2nd International Conference on Software Engineering Advances (ICSEA’07), Cap Esterel, French Riviera, France, 2007, p. 24.
[18] OWASP Foundation, "OWASP CLASP v1.2 Comprehensive, Lightweight Application Security Process", OWASP. November 9, 2007.
[19] Li, W. and Chiueh, T., “Automated Format String Attack Prevention for Win32/X86 Binaries,†In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC’07), Miami, Florida, USA, Dec 2007, pages 398409
[20] Peine, H., “Rules of Thumb for Developing Secure Software: Analyzing and Consolidating Two Proposed Sets of Rules,†In Proceedings of the 3rd International Conference on Availability, Reliability and Security (ARES’08), Barcelona, Spain, 2008, IEEE CS Press, pages 1204-1209.
[21] Saltzer, J. H., and Schroeder, M. D., “The Protection of Information in Computer Systems,†Proceedings of the IEEE, IEEE Press, 1975, volume 63, number 9, pages 1278-1308.
[22] Viega, J. and McGraw, G., Building Secure Software, Addison Wesley, 2002.
[23] Howard, M. and LeBlanc, D., Writing Secure Code 2nd Edition, Microsoft Press, 2003.
[24] Khan, M. U. and Zulkernine, M., “On Selecting Appropriate Development Processes and Requirement Engineering Methods for Secure Software,†In Proceedings of the 4th IEEE International Workshop on Security, Trust, and Privacy for Software Applications (STPSA 2009), Seattle, Washington, USA, 2009, IEEE CS Press, volume 2, pages 353-358.
[25] Khan, M. U. and Zulkernine, M., “Activity and Artifact Views of a Secure Software Development Process,†In Proceedings of the International Workshop on Software Security Process (SSP’09), Vancouver, Canada, 2009, IEEE CS Press, volume 3, pages 399-404.
[26] Khan, M. U. and Zulkernine, M., “Quantifying Security in Secure Software Development Phases,†In Proceedings of the 2nd IEEE International Workshop on Secure Software Engineering (IWSSE’08), Turku, Finland, 2008, IEEE CS Press, pages 955-960.
[27] D.P. Gilliam, T.L. Wolfe, J.S. Sherif, and M. Bishop, “Software Security Checklist for the Software Life Cycle,†In Proc. of the 12th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE’03), Linz, Austria, IEEE CS Press, 2003, pp. 243-248.
[28] D. Gilliam, J. Powell, E. Haugh, and M. Bishop, “Addressing Software Security Risk and Mitigations in the Life Cycle,†In Proc. of the 28th Annual NASA Goddard Software Engineering Workshop (SEW’03), Greenbelt, Maryland, USA, 2003, pp. 201-206.
[29] G. McGraw, “Testing for Security During Development: Why we should Scrap Penetrate-and-Patch,†IEEE Aerospace and Electronic Systems, IEEE CS Press, 1998, vol. 13, no. 4, pp. 13-15.
[30] L. Futcher and R.v. Solms, “SecSDM: A Model for Integrating Security into the Software Development Life Cycle,†In IFIP International Federation for Information Processing, Volume 237, Proc. of the 5th World Conference on Information Security Education, Springer, 2007, pp. 41-48
[31] I. Flechais, M.A. Sasse, and S.M.V. Hales, “Bringing Security Home: A Process for Developing Secure and Usable Systems,†In Proc. of the New Security Paradigms Workshop (NSPW’07), Ascona, Switzerland, ACM Press, 2003, pp. 49-57.
[32] J. Gregoire, K. Buyens, B. De Win, R. Scandariato, and W. Joosen, “On the Secure Software Development Process: CLASP and SDL Compared,†In Proc. of the 3rd International Workshop on Software Engineering for Secure Systems (SESS’07), Minneapolis, Minnesota, USA, IEEE CS Press, 2007, pp. 1-1.
[33] Hall, Anthony & Chapman, Roderick. “Correctness by Construction: Developing a Commercial Secure System.†IEEE Software 19, 1 (January/February 2002): 18–25.
[34] Ross, Philip E. “The Exterminators: A Small British Firm Shows That Software Bugs Aren’t Inevitable.†IEEE Spectrum 42, 9 (September 2005): 36–41.
[35] S.T. Eckmann, G. Vigna, and R.A. Kemmerer, “STATL: An Attack Language for State-Based Intrusion Detection,†Journal of Computer Security, IOS Press, Amsterdam, 2002, vol. 10, no. 1/2, pp. 71-104.
[36] Md Swawibe Ul Alam,†Survey of Speciï¬cation Languages for Cloud Securityâ€,
[37] T. Lodderstedt, D.A. Basin, and J. Doser, “SecureUML: A UML-Based Modeling Language for Model Driven Security,†In Proc. of the 5th International Conference on the Unified Modeling Language (UML’02), Dresden, Germany, Springer, 2002, LNCS 2460/2002, pp. 426-441.
[38] M. Hussein and M. Zulkernine, “UMLintr: a UML profile for specifying intrusions,†In Proceedings of the 13th IEEE International Conference and Workshop on the Engineering of Computer-Based Systems, Potsdam, Germany, IEEE CS Press, 2006, pp. 279–286.
[39] Microsoft. ASML. https://www.microsoft.com/en-us/research/project/ asml-abstract-state-machine-language/, 2000. [Online; accessed 06-March-2017].
[40] M. Raihan and M. Zulkernine. Asmlsec: An extension of abstract state machine language for attack scenario speciï¬cation. In Availability, Reliability and Security, 2007. ARES 2007. The Second International Conference on, pages 775–782. IEEE, 2007.
[41] M. Graves and M. Zulkernine, “Bridging the Gap: Software Specification Meets Intrusion Detector,†In Proc. of the 4th Annual Conference on Privacy, Security and Trust (PST’06), Ontario, Canada, pp. 265-274.
[42] Snort, www.snort.org. Last Accessed March 2009
[43] Michael Felderer, Matthias Bu¨chler, Martin Johns, Achim D. Brucker, Ruth Breu, Alexander Pretschner, “Security Testing: A Surveyâ€, Survey. In: Memon, A., (ed.) Advances in Computers, Volume 101. Elsevier , Cambridge, MA, USA , pp. 1-51. ISBN 9780128051580
[44] M. Gallaher and B. Kropp. The economic impacts of inadequate infrastructure for software testing. Technical Report Planning Report 02-03, National Institute of Standards & Technology, May 2002.
[45] G. Buehrer, B. W. Weide, and P. A. G. Sivilotti. Using parse tree validation to prevent sql injection attacks. In Proceedings of the 5th International Workshop on Software Engineering and Middleware, SEM ’05, pages 106–113, New York, NY, USA, 2005. ACM
[46] K. Scarfone, M. Souppaya, A. Cody, and A. Orebaugh. Technical Guide to Information Security Testing and Assessment. Special Publication 800-115, National Institute of Standards and Technology (NIST), 2008.
[47] B. P. Miller, L. Fredriksen, and B. So. An empirical study of the reliability of unix utilities. Commun. ACM, 33(12):32–44, Dec. 1990.
[48] M. Felderer and E. Fourneret. A systematic classiï¬cation of security regression testing approaches. International Journal on Software Tools for Technology Transfer, pages 1–15, 2015.
[49] S. Yoo and M. Harman. Regression testing minimisation, selection and prioritisation: A survey. Software Testing, Veriï¬cation, and Reliability, 1(1):121–141, 2010.
[50] Abdullah Saad AL-Malaise AL-Ghamdi, “A Survey on Software Security Testing Techniquesâ€, International Journal of Computer Science and Telecommunications [Volume 4, Issue 4, April 2013]
Downloads
Published
2017-12-15
How to Cite
M.Surakhi, O., Hudaib, A., AlShraideh, M., & Khanafseh, M. (2017). A Survey on Design Methods for Secure Software Development. INTERNATIONAL JOURNAL OF COMPUTERS &Amp; TECHNOLOGY, 16(7), 7047–7064. https://doi.org/10.24297/ijct.v16i7.6467
Issue
Section
Research Articles
