Abstract
Secure software practices are gradually gaining relevance among software practitioners and researchers. This is happening because, today more than ever, software is becoming part of our lives and cybercrimes are constantly appearing. Despite its importance, the current practice of software security in the software industry is still scarce. Indeed, software security problems are divided 50/50 between bugs and flaws. In particular, it remains a significant challenge for software practitioners in small software companies. Therefore, there is a need to support small companies in changing their existing ways of working to integrate these new and unfamiliar practices. The aim of this study is twofold. First, to help build awareness of the software security process among practitioners in small companies. Second, to help integrate these practices with the software implementation process of ISO/IEC 29110, which results in an extension of the latter with additional activities identified from industry best practices. Nevertheless, the extension is to be applied selectively, based on the value of the software as an asset to the stakeholders and on the stakeholders' needs.
© 2017 Springer International Publishing AG
Cite this paper
Sánchez-Gordón, ML., Colomo-Palacios, R., Sánchez, A., de Amescua Seco, A., Larrucea, X. (2017). Towards the Integration of Security Practices in the Software Implementation Process of ISO/IEC 29110: A Mapping. In: Stolfa, J., Stolfa, S., O'Connor, R., Messnarz, R. (eds) Systems, Software and Services Process Improvement. EuroSPI 2017. Communications in Computer and Information Science, vol 748. Springer, Cham. https://doi.org/10.1007/978-3-319-64218-5_1
DOI: https://doi.org/10.1007/978-3-319-64218-5_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64217-8
Online ISBN: 978-3-319-64218-5
eBook Packages: Computer Science, Computer Science (R0)