AbstractTechnological advancement makes the world a global village. Security is an evergreen and everlasting area, because of the continuous threat from Hackers and Crackers. The immense use of software systems has modernized human society in every aspect. Thus, it is crucial to devise new processes, techniques, and tools to support teams in the development of secure code from the early stages of the software development process, while potentially reducing the costs and shortening the time to market. Considering the significance of software security, it is important to consider the security practices from the early phase of the software development life cycle (SDLC), that is, requirements engineering (RE). Hence, this study aims to identify and categorize RE practices important to apply for secure software development (SSD) in a geographically distributed development environment. To study the RE practices concerning SSD, we conducted a questionnaire survey with industrial experts in the global software development (GSD) context.Furthermore, the interpretive structure modeling (ISM) approach was applied to evaluate the relationship between the RE security practice core categories. This paper identifies 70 practices and classifies them into 11 fundamental dimensions (categories) to assist GSD organizations in specifying the requirements for SSD. The ISM results show that the “Awareness of Secure Requirement Engineering (SRE)” category has the most decisive influence on the other 10 core categories of the identified RE security practices. With the help of empirical evidence and the ISM approach, this work attempts to identify potential security practices and to give a set of secure RE practices that can be used to improve the security of the software development process.
Read full abstract