
Towards a successful secure software acquisition

Published: 01 December 2023

Abstract

Context

Security is a critical attribute of software quality. Organizations invest considerable sums of money in protecting their assets. Despite investing in secure infrastructure, organizations remain prone to security risks and cyberattacks that exploit security flaws. Many factors contribute to the challenges related to software security, e.g., the exponential increase in Internet-enabled applications, threats from hackers, and the susceptibility of inexperienced Internet users. Moreover, organizations tend to procure off-the-shelf software from third-party suppliers. However, gaining a complete understanding of ways to assess suppliers’ readiness to provide secure software before selecting a supplier is imperative.

Objective

We have developed a readiness model for secure software acquisition (RMSSA) to help software organizations select suppliers who can provide secure software.

Method

We employed state-of-the-art techniques based on systematic literature review to determine the best practices undertaken by organizations in terms of acquiring secure software, which depends on six core security knowledge areas: confidentiality, integrity, availability, authorization, authentication, and accountability.

Results

We evaluated the RMSSA theoretically and in a practical environment based on three case studies with software organizations. Our findings can guide software organizations in selecting the supplier who can develop secure software.

Conclusion

The proposed RMSSA can be used to evaluate suppliers’ readiness to provide secure software.


Published In

Information and Software Technology, Volume 164, Issue C
Dec 2023
366 pages

Publisher

Butterworth-Heinemann

United States

Author Tags

  1. Systematic reviews
  2. Empirical software engineering
  3. Software security
  4. Software acquisition
  5. Software process

Qualifiers

  • Research-article
