A Survey on Design Methods for Secure Software Development
Keywords: Software, Security, Software Development Life Cycle
Software provides services that may come with vulnerabilities or risks. Attackers exploit threats to break the security of a system and cause it to fail. To avoid security vulnerabilities, many security-specific concepts should be determined as requirements during the software development life cycle in order to deliver strong and secure software. This paper first surveys a number of existing processes, life cycles, and methodologies needed for developing secure software, based on related published work. It starts by presenting the most relevant Secure Software Development Lifecycles and proposes a comparison of the main security features of each process. The results of the comparison give software developers a guideline that helps in selecting the best secure process. Second, the paper lists a set of the most widely used specification languages, with the advantages and disadvantages of each.