Costing Secure Software Development: A Systematic Mapping Study

ABSTRACT
Building more secure software has become a pressing concern for software engineers as data breaches and other cyber attacks grow more frequent. However, introducing specialized security practices into the software development life cycle raises development cost. Although software cost models have been studied extensively, few address the additional cost of building secure software. We conducted a systematic review in the form of a mapping study to classify and analyze the literature on the impact of security on software development cost. Our search strategy aimed for high completeness: we first identified a quasi-gold-standard set of papers, used it to derive a search string, and then retrieved papers automatically from research databases. Applying inclusion/exclusion criteria yielded a final set of 54 papers, which we categorized according to their approach to software security cost analysis. Perform Security Review, Apply Threat Modeling, and Perform Security Testing were the three activities most frequently associated with cost, and Common Criteria was the most frequently applied standard. We also identified ten approaches to estimating software security costs for development projects; their validation remains a challenge, which future studies could address.