Integrating Software Lifecycle Process Standards with Security Engineering
Introduction
As organizations’ computing environments are increasingly exposed to security risks through their reliance on the Internet, ironclad safeguards for information systems have become essential. The development of secure information systems is counted as one of the top priorities in today’s businesses [1], [2], [3]. There has been improvement in both the software lifecycle process standard (SLPS) and the security engineering (SE) approach for both military and industrial software development. In SE, efforts have been made to define and elaborate its activities for more secure information systems. However, the stakeholders in the development of secure information systems are still at odds, because there are no predefined guidelines for integrating the activities and deliverables of SLPS with the SE activities (Figure 1). This conflict has caused project delays, morale deterioration and less secure system development. Many researchers [4], [5] warn that this separation of the SE activities from the system development engineering activities has led to insecure systems, as each group develops a secure IS to meet its own objective.
This paper proposes an integration model that interweaves all the process activities and deliverables of SLPS with SE activities, taking IEEE/EIA 12207 as an example of SLPS. Higginbotham and Maley [6] pointed out that by integrating SE process into system development, system developers can satisfy acquirers’ concerns and acquirers can be satisfied with the quality of security services offered. We developed such an integration model by improving upon a pre-established SE model and integrating it with IEEE/EIA 12207 through a Delphi analysis. Thirty-three experts worked for over three months in the development of this model [7].
Instead of adopting a predefined SE model such as the Security System Engineering Capability Maturity Model (SSE-CMM) [8], we developed a new SE model for this study. We chose to do so because the objective of this study was to provide integration guidelines covering as many of the SE activities that can be applicable to a software development life cycle as possible. For this purpose, it was important to integrate all the SE activities, both managerial and technical, that have been identified in various studies into an overall SE model. This decision was based on the assumption that integrating the most effective SE activities into the software development life cycle will ensure the development of the most secure system technologically possible.
We expect the integration model to provide practical guidelines for the development of secure information systems. Such guidelines will provide stakeholders with a better understanding of how SLPS is related with SE activities, thereby reducing conflicts to a minimum. This paper is organized as follows: In section II, we briefly explain IEEE/EIA 12207, the SE approach and the SE model used for the integration. In section III, we describe the Delphi analysis results, the integration model of IEEE/EIA 12207, and the SE approach. We conclude by assessing how this study contributes to security engineering research.
Section snippets
IEEE/EIA 12207
IEEE/EIA 12207, a Software Lifecycle Process Standard officially introduced in 1998, has become the de facto model for both industry and military software development projects in the United States [9], superseding both the previous military standard (MIL-STD-498) and the industry standard (ISO/IEC 12207). It defines the role of acquirer, supplier, developer, operator and
Results
The results of the analysis are shown in Figure 4 and Appendix A. Three issues were raised after our first round of Delphi analysis. First, noting that the questionnaire included only the primary processes of IEEE/EIA 12207, 21 experts suggested incorporating two of its non-primary processes, the organizational and supporting processes, which were not included in the first-round questionnaire. They suggested that these two processes allow a more unambiguous mapping between the IEEE model and some of
Integration with other Security models
Although we developed an integration model based on IEEE/EIA 12207, we can generalize and integrate this model with other security models. Here we suggest general guidelines for such attempts in the future. We believe that further studies in this area will further enhance our knowledge of SE in system development.
Conclusion
This study has presented a model that integrates all the process activities and data items of IEEE/EIA 12207 with the security engineering activities from a pre-established SE model that synthesizes 25 SE activities [8]. We developed the integration model through a Delphi analysis with 33 software engineering, project management, and security experts. In the course of the analysis, we have resolved a number of discrepancies and have been able to reach a high consensus on the model among the
References (23)
- Friedman, B., Kahn, P. H. Jr., and Howe, D. C., “Trust online,” Communications of the ACM, Vol. 43(12), pp. 34–40,...
- Hinde, S., “Privacy and security — The drivers for growth of E-commerce,” Computers & Security, Vol. 17(6), pp. 475–478,...
- Talwatte, G., “E-commerce is key to global competitiveness — but is there anyone you can trust in the online world?”...
- Baskerville, R., “The Developmental Duality of Information Systems Security,” Journal of Management Systems, Vol. 4(1),...
- Baskerville, R., “Information Systems Security Design Methods: Implications for Information Systems Development,” ACM...
- SSE-CMM Project, Systems Security Engineering Capability Maturity Model, Version 2.0, April 1999,...
- Higginbotham, M. D., Maley, J., Milheizler, A. J., and Suskie, B. J., “Integrating Information Security Engineering with System Engineering...
- Lee, Y., Lee, C., and Lee, Z., “A Study of Integrating the Security Engineering Process into the Software Lifecycle...
- IEEE, IEEE/EIA 12207 — Industry Implementation of International Standard ISO/IEC 12207,...
- Moore, J. W., “IEEE/EIA 12207 as the foundation for enterprise software processes,” Proceedings of 16th Annual Pacific...
Cited by (19)
- Employees' in-role and extra-role information security behaviors from the P-E fit perspective (2023, Computers and Security)
- Engineering secure systems: Models, patterns and empirical validation (2018, Computers and Security). Citation excerpt: In addition to guidelines for modeling security aspects, the framework offers verification based on a formal approach for the produced models (Grandy et al., 2006). In addition to the above approaches, Lee et al. (Lee et al., 2002; 2000) propose an integration model for integrating security engineering approaches into software lifecycle standards, mapping the concepts of the software lifecycle (IEEE 12207) to security engineering concepts (a set of concepts collected from various security engineering approaches (Lee et al., 2000)). The approach attempts to provide an understanding to stakeholders of where and when security activities intervene and interact with standard process lifecycle activities.
- Security for Machine Learning-based Software Systems: A Survey of Threats, Practices, and Challenges (2024, ACM Computing Surveys)
- CIA-level driven secure SDLC framework for integrating security into SDLC process (2022, Journal of Ambient Intelligence and Humanized Computing)
- Firefly Optimization Technique for Software Quality Prediction (2022, Lecture Notes in Networks and Systems)