Towards the Integration of Security Practices in the Software Implementation Process of ISO/IEC 29110: A Mapping

  • Mary-Luz Sánchez-Gordón
  • Ricardo Colomo-Palacios
  • Alex Sánchez
  • Antonio de Amescua Seco
  • Xabier Larrucea
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 748)

Abstract

Secure software practices are gradually gaining relevance among software practitioners and researchers. This is happening because software is, more than ever, becoming part of our lives while cybercrime continues to grow. Despite its importance, the practice of software security in the software industry is still scarce. Indeed, software security problems are split roughly evenly between implementation bugs and design flaws. In particular, security remains a significant challenge for software practitioners in small software companies. Therefore, there is a need to support small companies in changing their existing ways of working to integrate these new and unfamiliar practices. The aim of this study is twofold. First, to help build awareness of the software security process among practitioners in small companies. Second, to help integrate these practices with the software implementation process of ISO/IEC 29110, which results in an extension of the latter with additional activities identified from industry best practices. Nevertheless, the proposed extension is to be applied selectively, based on the value of the software as an asset to the stakeholders and on the stakeholders' needs.

Keywords

Software security · CSSLP · S-SDLC · Small companies · VSE · ISO/IEC 29110

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Mary-Luz Sánchez-Gordón (1)
  • Ricardo Colomo-Palacios (2)
  • Alex Sánchez (3)
  • Antonio de Amescua Seco (1)
  • Xabier Larrucea (4)

  1. Computer Science Department, Universidad Carlos III de Madrid, Madrid, Spain
  2. Faculty of Computer Sciences, Østfold University College, Halden, Norway
  3. LogicStudio, Panama City, Panama
  4. Tecnalia, Bizkaia, Spain