Abstract

Security is an essential attribute of high-quality software. However, effectively incorporating security practices into the different phases of the software development life cycle (SDLC) remains challenging. Owing to immature secure testing processes, organizations are prone to ineffective testing practices that fail to detect defects, including severe security-related failures. Thus, in this study, we present a maturity model for secure software testing (MMSST) to assist software development organizations in improving the secure testing of software applications. We conducted a multivocal literature review and identified 68 primary studies from the formal and gray literature. Then, based on the available evidence, 27 process areas were identified to develop the proposed MMSST. The MMSST includes five main categories: governance, contrive and design, execution, deployment and configuration, and mature. The MMSST was subsequently evaluated using case studies in practical environments. Results demonstrate that the proposed MMSST is useful for estimating the maturity level of an organization with respect to the secure testing phase of the SDLC. The participants in the case studies also agreed that the proposed MMSST is useful in terms of structure, user satisfaction, and ease of use. We believe that the proposed MMSST can help organizations evaluate and improve their software security testing practices. In addition, the proposed MMSST is expected to provide researchers and industry practitioners with an effective foundation for developing new secure testing approaches and tools.
