DOI: 10.1145/3530019.3531336 (research article)

Exploring Security Procedures in Secure Software Engineering: A Systematic Mapping Study

Published: 13 June 2022

Abstract

As software security has become more critical, many new technologies and approaches have emerged to address it. Security is an essential part of a software product's quality. Although worked examples covering every phase of secure software development are needed, few have been documented. Many approaches have been proposed and implemented to handle software security, but only a few provide valid evidence of their effectiveness for developing secure software applications. This paper presents the results of a Systematic Mapping Study (SMS) carried out to determine which software security metrics, tools, standards, and security-related research topics are most frequently discussed and addressed in the literature. A total of 116 studies were selected for inclusion. From these studies we identified 55 Secure Software Engineering (SSE) metrics, 68 SSE tools, 33 SSE standards, and 12 SSE research topics. This work helps software development firms better understand the security measures currently employed in building secure software, and it can serve as a foundation for researchers to develop new software security solutions and identify new research directions.

Cited By

  • (2025) 5G Networks Security Mitigation Model: An ANN-ISM Hybrid Approach. IEEE Open Journal of the Communications Society, vol. 6, pp. 881-925. DOI: 10.1109/OJCOMS.2025.3529717
  • (2025) A Fuzzy-AHP Decision-Making Framework for Optimizing Software Maintenance and Deployment in Information Security Systems. Journal of Software: Evolution and Process, vol. 37, no. 1. DOI: 10.1002/smr.2758. Online publication date: 16 Jan 2025
  • (2023) Green cloud computing adoption challenges and practices: a client's perspective-based empirical investigation. Cognition, Technology and Work, vol. 25, no. 4, pp. 427-446. DOI: 10.1007/s10111-023-00734-6. Online publication date: 11 Aug 2023
  • (2023) Factors influencing sustainability aspects in crowdsourced software development: A systematic literature review. Journal of Software: Evolution and Process. DOI: 10.1002/smr.2630. Online publication date: 8 Nov 2023

Published In

EASE '22: Proceedings of the 26th International Conference on Evaluation and Assessment in Software Engineering
June 2022
466 pages
ISBN:9781450396134
DOI:10.1145/3530019
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Secure Software Development
  2. Secure Software Engineering
  3. Software Security
  4. Systematic Mapping Study

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EASE 2022

Acceptance Rates

Overall Acceptance Rate 71 of 232 submissions, 31%

Article Metrics

  • Downloads (Last 12 months)53
  • Downloads (Last 6 weeks)5
Reflects downloads up to 17 Feb 2025
