The document summarizes research on securing software development stages using aspect-orientation concepts. It proposes a model called the Aspect-Oriented Software Security Development Life Cycle (AOSSDLC) which incorporates security activities into each stage of the software development life cycle. The model aims to efficiently integrate security as a cross-cutting concern using aspect orientation. It is concluded that aspect orientation allows security features to be installed without changing the existing software structure, providing benefits over other approaches.
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...CSCJournals
Software Reliability is the probability of failure-free software operation for a specified period of time in a specified environment. Cyber threats on software security have been prevailing and have increased exponentially, posing a major challenge on software reliability in the cyber physical systems (CPS) environment. Applying patches after the software has been developed is outdated and a major security flaw. However, this has posed a major software reliability challenge as threat actors are exploiting unpatched and insecure software configuration vulnerabilities that are not identified at the design phase. This paper aims to investigate the SDLC approach to software reliability and quality assurance challenges in CPS security. To demonstrate the applicability of our work, we review existing security requirements engineering concepts and methodologies such as TROPOS, I*, KAOS, Tropos and Secure Tropos to determine their relevance in software security. We consider how the methodologies and function points are used to implement constraints to improve software reliability. Finally, the function points concepts are implemented into the CPS security components. The results show that software security threats in CPS can be addressed by integrating the SRE approach and function point analysis in the development to improve software reliability.
This document discusses an ontology-based context-sensitive software security knowledge management modeling approach. It begins with an introduction describing the need for secure software development practices and security management systems. It then reviews related work incorporating ontologies and context modeling for software security. The proposed method involves an ontology-based context model with two parts: a software security domain model and an application context model. It describes the components of each model and establishes a hierarchical relationship between them. Finally, it discusses criteria for context-driven security modeling, including usability and quality. The overall aim is to develop a framework that assists practitioners in software security analysis and decision making based on application context.
Security has always been a great concern for all software systems due to the increased incursion of the wireless devices in recent years. Generally software engineering processes tries to compel the security measures during the various design phases which results into an inefficient measure. So this calls for a new process of software engineering in which we would try to give a proper framework for integrating the security requirements with the SDLC, and in this requirement engineers must discover all the security requirements related to a particular system, so security requirement could be analyzed and simultaneously prioritized in one go. In this paper we will present a new technique for prioritizing these requirement based on the risk measurement techniques. The true security requirements should be easily identified as early as possible so that these could be systematically analyzed and then every architecture team can choose the most appropriate mechanism to implement them.
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENTijesajournal
Diverse types of software are used in almost all sectors of businesses in the modern world. They provide mechanisms that enable buyers and sellers to interact virtually, reduce manual work in businesses and institutions as well as make work a lot easier. Increased demand for software has led to the increased investment that has subsequently attracted numerous security attacks. Millions of resources are held in various software worldwide, cyber-attack criminals have made a career in breaching software security for selfish gains, thus necessitating the development and establishment of secure software. Through a literature review, the work introduces concepts and terms used in secure software development, presents the best practices and provides a review of the models that could be used. Confidentiality, integrity, availability, and non-repudiation are secure software terms that mean it should be secret, safe, and accessible and keeps a record of every activity undertaken. The proposed work advocates for several best practices among them the creation of a secure perimeter that limits access to key segments or parts of the system in addition to reducing attacking surface or rather reducing the opportunities available for cyber-attack. In regard to the engineering of software, the paper recommends that system requirements must be established before the software is created. Additional engineering ought to be done after the system has been evaluated just before the official launch. Moreover, the paper recommends the adoption of strategies that are used by renowned software models such as Microsoft Software Development Life-cycle among others. Those models have put secure software strategies throughout the life-cycle of software development. They recognize the need to put secure engineering systems during the design and utilization of the software because new methods of breaching software security come up every new day. The paper concludes by noting that continued collaborative efforts to guarantee more secure software is still a demanding need. Adherence to basic secure software development and utilization is essential in addition to developing additional engineering that maintains the integrity, confidentially and accessibility of the software.
Software reusabilitydevelopment through NFL approach For identifying security...IJECEIAES
In component based software reusability development process, the software developers have to choose the best components which are self adaptive future to overcome the functional errors, framework mismatches, violation of user level privacy issues and data leakage feasibilities. The software developers can build high quality software applications by taking the consideration of the reusable components which are more suitable to provide high level data security and privacy. This paper has proposing the neural based fuzzy framework based approach to estimate the reusable components which are directly and indirectly involve the security and privacy to improve the quality of the software system. This approach has considered the twenty effecting factors and fifty three attribute matrices. It has formed with three stages of execution scenarios. The first stage has executed with eleven effecting factors and eighteen attribute matrices for identification of supporting software reusability components, the second stage has executed with four effecting factors and thirty five attribute matrices for identification of subinternal relationships in terms of security-privacy, and the third stage has executed with eight effecting factors and six attribute matrices for identification of sub of sub-internal relationships in terms of security risk estimation. This analytical finding proposes a fuzzy logic model to evaluate the most feasible effecting factors that influence the enterprise level data security-privacy practices at real time environment.
Agile development methods are commonly used to iteratively develop the information systems and they can
easily handle ever-changing business requirements. Scrum is one of the most popular agile software
development frameworks. The popularity is caused by the simplified process framework and its focus on
teamwork. The objective of Scrum is to deliver working software and demonstrate it to the customer faster
and more frequent during the software development project. However the security requirements for the
developing information systems have often a low priority. This requirements prioritization issue results in
the situations where the solution meets all the business requirements but it is vulnerable to potential
security threats.
The major benefit of the Scrum framework is the iterative development approach and the opportunity to
automate penetration tests. Therefore the security vulnerabilities can be discovered and solved more often
which will positively contribute to the overall information system protection against potential hackers.
In this research paper the authors propose how the agile software development framework Scrum can be
enriched by considering the penetration tests and related security requirements during the software
development lifecycle. Authors apply in this paper the knowledge and expertise from their previous work
focused on development of the new information system penetration tests methodology PETA with focus on
using COBIT 4.1 as the framework for management of these tests, and on previous work focused on
tailoring the project management framework PRINCE2 with Scrum.
The outcomes of this paper can be used primarily by the security managers, users, developers and auditors.
The security managers may benefit from the iterative software development approach and penetration tests
automation. The developers and users will better understand the importance of the penetration tests and
they will learn how to effectively embed the tests into the agile development lifecycle. Last but not least the
auditors may use the outcomes of this paper as recommendations for companies struggling with
penetrations testing embedded in the agile software development process.
This document discusses challenges in software reliability and proposes approaches to improve reliability predictions and measurements. It addresses issues like:
1. The difficulty of modeling software reliability due to the complexity and interdependence of software failures, unlike independent hardware failures.
2. Challenges with software reliability growth models (SRGMs) due to unrealistic assumptions and lack of operational profile data.
3. The need for consistent, unified definitions of software metrics and measurements to better assess reliability.
4. Questions around how well testing effectiveness metrics like code coverage actually correlate with detecting defects and reliability. The relationship between code coverage and reliability is not clearly causal.
Improving software reliability predictions requires addressing these issues by developing more realistic
IRJET- A Study on Software Reliability ModelsIRJET Journal
This document summarizes various software reliability models and metrics for evaluating reliability. It discusses existing reliability models, their pros and cons in terms of effort required and whether defect counts are finite. Commonly used metrics to measure reliability are also outlined, including product, project management, process, and failure metrics. The conclusion states that while many models use machine learning, reliability prediction could be further optimized by combining machine learning and fuzzy logic. Future work is proposed to focus on using these techniques to predict reliability in a more effective way.
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...CSCJournals
Software Reliability is the probability of failure-free software operation for a specified period of time in a specified environment. Cyber threats on software security have been prevailing and have increased exponentially, posing a major challenge on software reliability in the cyber physical systems (CPS) environment. Applying patches after the software has been developed is outdated and a major security flaw. However, this has posed a major software reliability challenge as threat actors are exploiting unpatched and insecure software configuration vulnerabilities that are not identified at the design phase. This paper aims to investigate the SDLC approach to software reliability and quality assurance challenges in CPS security. To demonstrate the applicability of our work, we review existing security requirements engineering concepts and methodologies such as TROPOS, I*, KAOS, Tropos and Secure Tropos to determine their relevance in software security. We consider how the methodologies and function points are used to implement constraints to improve software reliability. Finally, the function points concepts are implemented into the CPS security components. The results show that software security threats in CPS can be addressed by integrating the SRE approach and function point analysis in the development to improve software reliability.
This document discusses an ontology-based context-sensitive software security knowledge management modeling approach. It begins with an introduction describing the need for secure software development practices and security management systems. It then reviews related work incorporating ontologies and context modeling for software security. The proposed method involves an ontology-based context model with two parts: a software security domain model and an application context model. It describes the components of each model and establishes a hierarchical relationship between them. Finally, it discusses criteria for context-driven security modeling, including usability and quality. The overall aim is to develop a framework that assists practitioners in software security analysis and decision making based on application context.
Security has always been a great concern for all software systems due to the increased incursion of the wireless devices in recent years. Generally software engineering processes tries to compel the security measures during the various design phases which results into an inefficient measure. So this calls for a new process of software engineering in which we would try to give a proper framework for integrating the security requirements with the SDLC, and in this requirement engineers must discover all the security requirements related to a particular system, so security requirement could be analyzed and simultaneously prioritized in one go. In this paper we will present a new technique for prioritizing these requirement based on the risk measurement techniques. The true security requirements should be easily identified as early as possible so that these could be systematically analyzed and then every architecture team can choose the most appropriate mechanism to implement them.
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENTijesajournal
Diverse types of software are used in almost all sectors of businesses in the modern world. They provide mechanisms that enable buyers and sellers to interact virtually, reduce manual work in businesses and institutions as well as make work a lot easier. Increased demand for software has led to the increased investment that has subsequently attracted numerous security attacks. Millions of resources are held in various software worldwide, cyber-attack criminals have made a career in breaching software security for selfish gains, thus necessitating the development and establishment of secure software. Through a literature review, the work introduces concepts and terms used in secure software development, presents the best practices and provides a review of the models that could be used. Confidentiality, integrity, availability, and non-repudiation are secure software terms that mean it should be secret, safe, and accessible and keeps a record of every activity undertaken. The proposed work advocates for several best practices among them the creation of a secure perimeter that limits access to key segments or parts of the system in addition to reducing attacking surface or rather reducing the opportunities available for cyber-attack. In regard to the engineering of software, the paper recommends that system requirements must be established before the software is created. Additional engineering ought to be done after the system has been evaluated just before the official launch. Moreover, the paper recommends the adoption of strategies that are used by renowned software models such as Microsoft Software Development Life-cycle among others. Those models have put secure software strategies throughout the life-cycle of software development. They recognize the need to put secure engineering systems during the design and utilization of the software because new methods of breaching software security come up every new day. The paper concludes by noting that continued collaborative efforts to guarantee more secure software is still a demanding need. Adherence to basic secure software development and utilization is essential in addition to developing additional engineering that maintains the integrity, confidentially and accessibility of the software.
Software reusabilitydevelopment through NFL approach For identifying security...IJECEIAES
In component based software reusability development process, the software developers have to choose the best components which are self adaptive future to overcome the functional errors, framework mismatches, violation of user level privacy issues and data leakage feasibilities. The software developers can build high quality software applications by taking the consideration of the reusable components which are more suitable to provide high level data security and privacy. This paper has proposing the neural based fuzzy framework based approach to estimate the reusable components which are directly and indirectly involve the security and privacy to improve the quality of the software system. This approach has considered the twenty effecting factors and fifty three attribute matrices. It has formed with three stages of execution scenarios. The first stage has executed with eleven effecting factors and eighteen attribute matrices for identification of supporting software reusability components, the second stage has executed with four effecting factors and thirty five attribute matrices for identification of subinternal relationships in terms of security-privacy, and the third stage has executed with eight effecting factors and six attribute matrices for identification of sub of sub-internal relationships in terms of security risk estimation. This analytical finding proposes a fuzzy logic model to evaluate the most feasible effecting factors that influence the enterprise level data security-privacy practices at real time environment.
Agile development methods are commonly used to iteratively develop the information systems and they can
easily handle ever-changing business requirements. Scrum is one of the most popular agile software
development frameworks. The popularity is caused by the simplified process framework and its focus on
teamwork. The objective of Scrum is to deliver working software and demonstrate it to the customer faster
and more frequent during the software development project. However the security requirements for the
developing information systems have often a low priority. This requirements prioritization issue results in
the situations where the solution meets all the business requirements but it is vulnerable to potential
security threats.
The major benefit of the Scrum framework is the iterative development approach and the opportunity to
automate penetration tests. Therefore the security vulnerabilities can be discovered and solved more often
which will positively contribute to the overall information system protection against potential hackers.
In this research paper the authors propose how the agile software development framework Scrum can be
enriched by considering the penetration tests and related security requirements during the software
development lifecycle. Authors apply in this paper the knowledge and expertise from their previous work
focused on development of the new information system penetration tests methodology PETA with focus on
using COBIT 4.1 as the framework for management of these tests, and on previous work focused on
tailoring the project management framework PRINCE2 with Scrum.
The outcomes of this paper can be used primarily by the security managers, users, developers and auditors.
The security managers may benefit from the iterative software development approach and penetration tests
automation. The developers and users will better understand the importance of the penetration tests and
they will learn how to effectively embed the tests into the agile development lifecycle. Last but not least the
auditors may use the outcomes of this paper as recommendations for companies struggling with
penetrations testing embedded in the agile software development process.
This document discusses challenges in software reliability and proposes approaches to improve reliability predictions and measurements. It addresses issues like:
1. The difficulty of modeling software reliability due to the complexity and interdependence of software failures, unlike independent hardware failures.
2. Challenges with software reliability growth models (SRGMs) due to unrealistic assumptions and lack of operational profile data.
3. The need for consistent, unified definitions of software metrics and measurements to better assess reliability.
4. Questions around how well testing effectiveness metrics like code coverage actually correlate with detecting defects and reliability. The relationship between code coverage and reliability is not clearly causal.
Improving software reliability predictions requires addressing these issues by developing more realistic
IRJET- A Study on Software Reliability ModelsIRJET Journal
This document summarizes various software reliability models and metrics for evaluating reliability. It discusses existing reliability models, their pros and cons in terms of effort required and whether defect counts are finite. Commonly used metrics to measure reliability are also outlined, including product, project management, process, and failure metrics. The conclusion states that while many models use machine learning, reliability prediction could be further optimized by combining machine learning and fuzzy logic. Future work is proposed to focus on using these techniques to predict reliability in a more effective way.
ECONOMIC OUTPUT UNDER THE CONDITIONS OF SOCIAL FREEDOM IN SOFTWARE DEVELOPMENTijseajournal
Software developers organize their work autonomously. Agile development approaches give freedom to developers. However, the discussion about economy often leads to the comparison with manu-facturing processes which are tightly organised. If developers spend too much time on inefficient activities, the performance might decrease. The worst example could be breaks. Breaks could be seen as a reason for
economic problems by the management. This paper investigates the impact of breaks on the overall performance in software development. The investigations assume that if developers make pauses in a normal manner, this has not a negative impact on the profitability. In practice, the human-centric development process brings together a business process and a social process. The interaction of both processes was simulated. Due to the execution of 1.500 simulations, we obtained information on the economic progression of the development process under the influence of
breaks. We determined the impact of breaks on the overall profitability. This investigation contributes to the discussion of freedom in software development. It helps man-agers to
assess if employees who make breaks harm the profitability. This could lead to the imple-mentation of further business constraints.
This document discusses how continuous delivery of software is putting pressure on security teams to keep up with frequent releases. It describes how leading companies are using Fortify's application security solutions to scan more applications faster, better prioritize issues, and integrate security testing throughout development. By shifting security left to earlier phases, these companies find and fix vulnerabilities sooner, reducing remediation time and allowing for faster software delivery cycles to support business needs. The document surveys software security operations at several large financial, energy, and technology companies to evaluate how Fortify helps with scan setup, performance, triaging, remediation, and scalability.
Developing secure software using Aspect oriented programmingIOSR Journals
This document discusses using aspect-oriented programming (AOP) to develop more secure software by separating security concerns from core application logic. It provides motivation for this approach by explaining how security code can become tangled and scattered in object-oriented programs. The document then introduces AOP and AspectJ, using access control as an example of how AOP can improve modularity of a cross-cutting security concern. Specifically, it describes representing access control state using a pushdown automaton updated by AOP aspects.
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONSijseajournal
DevOps is an emerging collection of software management practices intended to shorten time to market for
new software features and to reduce the risk of costly deployment errors. In this paper we examine the security implications of two of the key DevOps practices, automation of the deployment pipeline using a deployment toolchain and infrastructure-as-code to specify the environment of the eployed software. We focus on identifying what changes when an organization moves from manual deployments to DevOps
automated deployment processes.We reviewed the literature and conducted three case studies using simple configurations of common DevOps tools. This allowed us to identify specific:
• Positive influences on security where automation enhances defenses.
• Negative influences, where automation enables different kinds of attacks and increases the attack
surface.
• Research directions that look promising to support this new approach to software management.
• Recommendations for DevOps adopters
Software metric analysis methods for product developmentiaemedu
This document discusses various software metrics and methods for analyzing metrics to improve the software development process. It begins with an introduction to software metrics and their importance for project management. It then describes common software development phases and associated metrics that can be collected at each phase, such as lines of code, defects, and staff hours. The document proceeds to explain different types of charts and diagrams that can be used to analyze and visualize metrics data, including pie charts, Pareto diagrams, histograms, line charts, scatter plots, radar diagrams, and control charts. These various analysis methods help identify areas for process improvement and determine whether changes have resulted in desired outcomes.
Software metric analysis methods for product development maintenance projectsIAEME Publication
This document discusses various software metrics and methods for analyzing metrics to improve the software development process. It begins with an introduction to software metrics and their importance for project management. It then describes common software development phases and associated metrics that can be collected at each phase. The remainder of the document focuses on different methods for analyzing metrics, including pie charts, Pareto diagrams, bar charts, line charts, scatter diagrams, radar diagrams, and control charts. These analysis methods help identify areas for process improvement and determine if changes have led to desired outcomes.
IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDYijwscjournal
The Security Engineering discipline has become more and more important in the recent years. Security requirements engineering is essential to assure the Quality of the resulting software. An increasing part of the communication and sharing of information in our society utilize Web Applications. Last two years have
seen a significant surge in the amount of Web Application specific vulnerabilities that are disclosed to the public because of the importance of Security Requirements Engineering for Web based systems and as it is still underestimated. Integration of Web and object technologies offer a foundation for expanding the Web to a new generation of applications. In this paper, we outline our proposed Model- Oriented Security Requirement Engineering (MOSRE) Framework for Web Applications. By applying Object-Oriented technologies and modeling to Security Requirement phase. So the completeness, consistency, traceability and reusability of Security Requirements can be cost effectively improved. We implemented our MOSRE Framework for E-Voting Application and set of Security Requirements are identified.
STRUCTURAL COMPLEXITY ATTRIBUTE CLASSIFICATION FRAMEWORK (SCACF) FOR SASSY CA...ijseajournal
This document discusses the relationship between software complexity and security. It notes that while complexity is an essential part of software, numerous studies have shown that increased complexity can introduce bugs and vulnerabilities. The document provides an extensive literature review on the topics of software complexity, sources of vulnerabilities, and reasons for the growing number of disclosed vulnerabilities. It argues that complexity is one of the main reasons for vulnerabilities in software systems and that maintaining low complexity and simple designs is vital for security.
Software security risk mitigation using object oriented design patternseSAT Journals
Abstract It is now well known that requirement and the design phase of software development lifecycle are the phases where security incorporation yields maximum benefits.In this paper, we have tried to tie security requirements, security features and security design patterns together in a single string. It is complete process that will help a designer to choose the most appropriate security design pattern depending on the security requirements. The process includes risk analysis methodology at the design phase of the software that is based on the common criteria requirement as it is a wellknown security standard that is generally used in the development of security requirements. Risk mitigation mechanisms are proposed in the form of security design patterns. Exhaustive list of most reliable and well proven security design patterns is prepared and their categorization is done on the basis of attributes like data sensitivity, sector, number of users etc. Identified patterns are divided into three levels of security. After the selection of security requirement, the software designer can calculate the percentage of security features contribution and on the basis of this percentage; design pattern level can be selected and applied.
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
This document provides a selective survey of software reliability models. It discusses both static models used in early development stages and dynamic models used later. For static models, it describes a phase-based model and predictive development life cycle model. For dynamic models, it outlines reliability growth models, including binomial, Poisson, and other classes. It also presents a case study of incorporating code changes as a covariate into reliability modeling during testing of a large telecommunications system. The document concludes by advocating for wider use of statistical software reliability models to improve development and testing processes.
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...EMC
This document provides security-focused stories and associated tasks for Agile development teams to incorporate security considerations into their processes. It contains 36 stories organized by role (architect, developer, tester) with mappings to security best practices and common weaknesses. It also lists 17 ongoing operational security tasks and 12 advanced tasks typically requiring security expertise. The goals are to translate secure development practices into an Agile-friendly format and provide a starting point for teams to build security into their workflows and reduce security debt.
SECURITY VIGILANCE SYSTEM THROUGH LEVEL DRIVEN SECURITY MATURITY MODELIJCSEIT Journal
Success of any software system largely looms upon its vigilance efficiency that prompts organizations to
meet the set of objectives in the arena of networks. In the highly competitive world, everything appears to
be vulnerable; information system is also not an exception to this fact. The security of information system
has become a cause of great concern. On the contrary, till time the software security engineers are trying
hard to develop fully protected and highly secured information systems but all these developments are at
nascent stages. It is quite revelling that in the earlier research studies, little attention is paid to highlight an
accurate status of the security alertness for developed software. Hence, keeping all these factors at the
backdrop, this paper is an attempt to propose a holistic Security Maturity Model (SMM), in which five
levels/stars have been developed, driven on the strength of the security vigilance occurring at the various
stages for any software. SMM is in its conceptual stage; the detailed steps will certainly require time to be
developed so that every software system can reap out the benefits of this model. To categorize/discriminate
the level of potency, SMM will be highlighted through appropriate ranking/star system. It is hoped that if
SMM will be followed in its true letter and sprit; undoubtedly, this will restore the clients’ trust and
confidence on the software as well as their corresponding vendors. Moreover, this will also enable software
industry to follow transparent and ethical practices.
A Review on Software Mining: Current Trends and MethodologiesIJERA Editor
With the evolution of Software Mining, it has enabled to play a crucial role in the day to day activities .By empowering the software with the data mining methods it aids to all the software developers and the managers at all the managerial levels to use it as a tool so that the relative software engineering data (in the form of code, design documents, bug reports) to visualize the project‟s status of evolution and progress. To add on, further all the mining methods and algorithms help to device the models to develop any fault prone real time system for the real world more prior to the testing phase or the evolution phase. Also , in this review paper it will highlight the different methodologies for software mining along with its extension as a tool for fault tolerance and as well as a bibliography with the special prominence on mining the software engineering information.
A maintainability enhancement procedureijseajournal
In mobile communications age, environment changes rapidly, the requirements change is the software
project must face challenge. Able to overcome the impact of requirements change, software development
risk can be effectively decreased. In order to reduce software requirements change risk, the paper
investigates the major software development models and recommends the adaptable requirements change
software development. Agile development applied the Iterative and Incremental Development (IID)
approach, focuses on workable software and client communication. In software development, agile
development is a very suitable approach to handle the requirements change. However, agile development
maintenance existed many defects that include development documents control, user story inspection and
CM system. The maintenance defects of agile development should be improved. Analysing and collecting
the critical quality factors of agile development maintainability, in this paper proposes the Agile
Development Maintainability Measurement (ADMM) model. Based on ADMM model, the Agile
Development Maintainability Enhancement (ADME) procedure can be defined and deployed for reducing
the risk of requirements change.
Comparitive Analysis of Secure SDLC ModelsIRJET Journal
The document compares three secure software development lifecycle (SDLC) models: McGraw's Touchpoints, OWASP's CLASP, and Microsoft's Security Development Lifecycle (SDL). It summarizes each model, noting that Touchpoints has 7 activities, CLASP has 24 activities, and SDL has 16 core activities. The document then compares the models based on number of activities, activity dependence, nature (heavyweight vs lightweight), and suitability for organization size. Overall, it provides a high-level overview and comparison of three approaches to incorporating security practices into the SDLC.
A SECURITY EVALUATION FRAMEWORK FOR U.K. E-GOVERNMENT SERVICES AGILE SOFTWARE...IJNSA Journal
This study examines the traditional approach to software development within the United Kingdom Government and the accreditation process. Initially we look at the Waterfall methodology that has been used for several years. We discuss the pros and cons of Waterfall before moving onto the Agile Scrum methodology. Agile has been adopted by the majority of Government digital departments including the Government Digital Services. Agile, despite its ability to achieve high rates of productivity organized in short, flexible, iterations, has faced security professionals’ disbelief when working within the U.K. Government. One of the major issues is that we develop in Agile but the accreditation process is conducted using Waterfall resulting in delays to go live dates. Taking a brief look into the accreditation process that is used within Government for I.T. systems and applications, we focus on giving the accreditor the assurance they need when developing new applications and systems. A framework has been produced by utilising the Open Web Application Security Project’s (OWASP) Application Security Verification Standard (ASVS). This framework will allow security and Agile to work side by side and produce secure code.
A SECURITY EVALUATION FRAMEWORK FOR U.K. E-GOVERNMENT SERVICES AGILE SOFTWARE...IJNSA Journal
The document discusses software development methodologies used by the UK government, specifically comparing the traditional Waterfall methodology to the more modern Agile Scrum methodology. It notes that while Agile has been adopted for development, the accreditation process still follows Waterfall, creating delays. The document then proposes a security framework based on OWASP's Application Security Verification Standard that could allow secure development within Agile sprints and provide assurance for accreditors.
Using Fuzzy Clustering and Software Metrics to Predict Faults in large Indust...IOSR Journals
This document describes a study that uses fuzzy clustering and software metrics to predict faults in large industrial software systems. The study uses fuzzy c-means clustering to group software components into faulty and fault-free clusters based on various software metrics. The study applies this method to the open-source JEdit software project, calculating metrics for 274 classes and identifying faults using repository data. The results show 88.49% accuracy in predicting faulty classes, demonstrating that fuzzy clustering can be an effective technique for fault prediction in large software systems.
A SYSTEMATIC LITERATURE REVIEW ON SECURE SOFTWARE DEVELOPMENT AGILE PERSPECT...Hannah Baker
This document presents a systematic literature review on secure software development from an agile perspective. It reviews how security activities can be integrated into agile processes while still allowing for the quick development cycles that are core to agility. The review identifies security parameters that can be used within agile processes to develop secure applications. It observes that while integrating security into agile development poses challenges, evidence shows that a combination approach can benefit organizations using agile methodologies to create secure software.
A Resiliency Framework For An Enterprise CloudJeff Nelson
The document summarizes a research paper that proposes a resiliency framework called the Cloud Computing Adoption Framework (CCAF) for enterprise clouds. CCAF includes four major emerging services - software resilience, service components, guidelines, and real case studies - that are designed to improve an organization's security when adopting cloud computing. The framework was validated through a large survey that provided user requirements to guide the system's design and development. CCAF aims to illustrate how software resilience and security can be improved for enterprises moving to the cloud.
This article examines the emerging need for software assurance. As defense contractors continue to develop systems for the Department of Defense (DoD) those systems must meet stringent requirements for deployment. However as over half of the vulnerabilities are found at the application layer organizations must ensure that proper mechanisms are in place to ensure the integrity, availability, and confidentiality of the code is maintained. Download paper at https://www.researchgate.net/publication/255965523_Integrating_Software_Assurance_into_the_Software_Development_Life_Cycle_(SDLC)
ECONOMIC OUTPUT UNDER THE CONDITIONS OF SOCIAL FREEDOM IN SOFTWARE DEVELOPMENTijseajournal
Software developers organize their work autonomously. Agile development approaches give freedom to developers. However, the discussion about economy often leads to the comparison with manu-facturing processes which are tightly organised. If developers spend too much time on inefficient activities, the performance might decrease. The worst example could be breaks. Breaks could be seen as a reason for
economic problems by the management. This paper investigates the impact of breaks on the overall performance in software development. The investigations assume that if developers make pauses in a normal manner, this has not a negative impact on the profitability. In practice, the human-centric development process brings together a business process and a social process. The interaction of both processes was simulated. Due to the execution of 1.500 simulations, we obtained information on the economic progression of the development process under the influence of
breaks. We determined the impact of breaks on the overall profitability. This investigation contributes to the discussion of freedom in software development. It helps man-agers to
assess if employees who make breaks harm the profitability. This could lead to the imple-mentation of further business constraints.
This document discusses how continuous delivery of software is putting pressure on security teams to keep up with frequent releases. It describes how leading companies are using Fortify's application security solutions to scan more applications faster, better prioritize issues, and integrate security testing throughout development. By shifting security left to earlier phases, these companies find and fix vulnerabilities sooner, reducing remediation time and allowing for faster software delivery cycles to support business needs. The document surveys software security operations at several large financial, energy, and technology companies to evaluate how Fortify helps with scan setup, performance, triaging, remediation, and scalability.
Developing secure software using Aspect oriented programmingIOSR Journals
This document discusses using aspect-oriented programming (AOP) to develop more secure software by separating security concerns from core application logic. It provides motivation for this approach by explaining how security code can become tangled and scattered in object-oriented programs. The document then introduces AOP and AspectJ, using access control as an example of how AOP can improve modularity of a cross-cutting security concern. Specifically, it describes representing access control state using a pushdown automaton updated by AOP aspects.
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONSijseajournal
DevOps is an emerging collection of software management practices intended to shorten time to market for
new software features and to reduce the risk of costly deployment errors. In this paper we examine the security implications of two of the key DevOps practices, automation of the deployment pipeline using a deployment toolchain and infrastructure-as-code to specify the environment of the eployed software. We focus on identifying what changes when an organization moves from manual deployments to DevOps
automated deployment processes.We reviewed the literature and conducted three case studies using simple configurations of common DevOps tools. This allowed us to identify specific:
• Positive influences on security where automation enhances defenses.
• Negative influences, where automation enables different kinds of attacks and increases the attack
surface.
• Research directions that look promising to support this new approach to software management.
• Recommendations for DevOps adopters
Software metric analysis methods for product developmentiaemedu
This document discusses various software metrics and methods for analyzing metrics to improve the software development process. It begins with an introduction to software metrics and their importance for project management. It then describes common software development phases and associated metrics that can be collected at each phase, such as lines of code, defects, and staff hours. The document proceeds to explain different types of charts and diagrams that can be used to analyze and visualize metrics data, including pie charts, Pareto diagrams, histograms, line charts, scatter plots, radar diagrams, and control charts. These various analysis methods help identify areas for process improvement and determine whether changes have resulted in desired outcomes.
Software metric analysis methods for product development maintenance projectsIAEME Publication
This document discusses various software metrics and methods for analyzing metrics to improve the software development process. It begins with an introduction to software metrics and their importance for project management. It then describes common software development phases and associated metrics that can be collected at each phase. The remainder of the document focuses on different methods for analyzing metrics, including pie charts, Pareto diagrams, bar charts, line charts, scatter diagrams, radar diagrams, and control charts. These analysis methods help identify areas for process improvement and determine if changes have led to desired outcomes.
IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDYijwscjournal
The Security Engineering discipline has become more and more important in the recent years. Security requirements engineering is essential to assure the Quality of the resulting software. An increasing part of the communication and sharing of information in our society utilize Web Applications. Last two years have
seen a significant surge in the amount of Web Application specific vulnerabilities that are disclosed to the public because of the importance of Security Requirements Engineering for Web based systems and as it is still underestimated. Integration of Web and object technologies offer a foundation for expanding the Web to a new generation of applications. In this paper, we outline our proposed Model- Oriented Security Requirement Engineering (MOSRE) Framework for Web Applications. By applying Object-Oriented technologies and modeling to Security Requirement phase. So the completeness, consistency, traceability and reusability of Security Requirements can be cost effectively improved. We implemented our MOSRE Framework for E-Voting Application and set of Security Requirements are identified.
STRUCTURAL COMPLEXITY ATTRIBUTE CLASSIFICATION FRAMEWORK (SCACF) FOR SASSY CA...ijseajournal
This document discusses the relationship between software complexity and security. It notes that while complexity is an essential part of software, numerous studies have shown that increased complexity can introduce bugs and vulnerabilities. The document provides an extensive literature review on the topics of software complexity, sources of vulnerabilities, and reasons for the growing number of disclosed vulnerabilities. It argues that complexity is one of the main reasons for vulnerabilities in software systems and that maintaining low complexity and simple designs is vital for security.
Software security risk mitigation using object oriented design patternseSAT Journals
Abstract It is now well known that requirement and the design phase of software development lifecycle are the phases where security incorporation yields maximum benefits.In this paper, we have tried to tie security requirements, security features and security design patterns together in a single string. It is complete process that will help a designer to choose the most appropriate security design pattern depending on the security requirements. The process includes risk analysis methodology at the design phase of the software that is based on the common criteria requirement as it is a wellknown security standard that is generally used in the development of security requirements. Risk mitigation mechanisms are proposed in the form of security design patterns. Exhaustive list of most reliable and well proven security design patterns is prepared and their categorization is done on the basis of attributes like data sensitivity, sector, number of users etc. Identified patterns are divided into three levels of security. After the selection of security requirement, the software designer can calculate the percentage of security features contribution and on the basis of this percentage; design pattern level can be selected and applied.
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
This document provides a selective survey of software reliability models. It discusses both static models used in early development stages and dynamic models used later. For static models, it describes a phase-based model and predictive development life cycle model. For dynamic models, it outlines reliability growth models, including binomial, Poisson, and other classes. It also presents a case study of incorporating code changes as a covariate into reliability modeling during testing of a large telecommunications system. The document concludes by advocating for wider use of statistical software reliability models to improve development and testing processes.
SAFECode’s latest “Software Security Guidance for Agile Practitioners” White...EMC
This document provides security-focused stories and associated tasks for Agile development teams to incorporate security considerations into their processes. It contains 36 stories organized by role (architect, developer, tester) with mappings to security best practices and common weaknesses. It also lists 17 ongoing operational security tasks and 12 advanced tasks typically requiring security expertise. The goals are to translate secure development practices into an Agile-friendly format and provide a starting point for teams to build security into their workflows and reduce security debt.
SECURITY VIGILANCE SYSTEM THROUGH LEVEL DRIVEN SECURITY MATURITY MODELIJCSEIT Journal
Success of any software system largely looms upon its vigilance efficiency that prompts organizations to
meet the set of objectives in the arena of networks. In the highly competitive world, everything appears to
be vulnerable; information system is also not an exception to this fact. The security of information system
has become a cause of great concern. On the contrary, till time the software security engineers are trying
hard to develop fully protected and highly secured information systems but all these developments are at
nascent stages. It is quite revelling that in the earlier research studies, little attention is paid to highlight an
accurate status of the security alertness for developed software. Hence, keeping all these factors at the
backdrop, this paper is an attempt to propose a holistic Security Maturity Model (SMM), in which five
levels/stars have been developed, driven on the strength of the security vigilance occurring at the various
stages for any software. SMM is in its conceptual stage; the detailed steps will certainly require time to be
developed so that every software system can reap out the benefits of this model. To categorize/discriminate
the level of potency, SMM will be highlighted through appropriate ranking/star system. It is hoped that if
SMM will be followed in its true letter and sprit; undoubtedly, this will restore the clients’ trust and
confidence on the software as well as their corresponding vendors. Moreover, this will also enable software
industry to follow transparent and ethical practices.
A Review on Software Mining: Current Trends and MethodologiesIJERA Editor
With the evolution of Software Mining, it has enabled to play a crucial role in the day to day activities .By empowering the software with the data mining methods it aids to all the software developers and the managers at all the managerial levels to use it as a tool so that the relative software engineering data (in the form of code, design documents, bug reports) to visualize the project‟s status of evolution and progress. To add on, further all the mining methods and algorithms help to device the models to develop any fault prone real time system for the real world more prior to the testing phase or the evolution phase. Also , in this review paper it will highlight the different methodologies for software mining along with its extension as a tool for fault tolerance and as well as a bibliography with the special prominence on mining the software engineering information.
A maintainability enhancement procedureijseajournal
In mobile communications age, environment changes rapidly, the requirements change is the software
project must face challenge. Able to overcome the impact of requirements change, software development
risk can be effectively decreased. In order to reduce software requirements change risk, the paper
investigates the major software development models and recommends the adaptable requirements change
software development. Agile development applied the Iterative and Incremental Development (IID)
approach, focuses on workable software and client communication. In software development, agile
development is a very suitable approach to handle the requirements change. However, agile development
maintenance existed many defects that include development documents control, user story inspection and
CM system. The maintenance defects of agile development should be improved. Analysing and collecting
the critical quality factors of agile development maintainability, in this paper proposes the Agile
Development Maintainability Measurement (ADMM) model. Based on ADMM model, the Agile
Development Maintainability Enhancement (ADME) procedure can be defined and deployed for reducing
the risk of requirements change.
Comparitive Analysis of Secure SDLC ModelsIRJET Journal
The document compares three secure software development lifecycle (SDLC) models: McGraw's Touchpoints, OWASP's CLASP, and Microsoft's Security Development Lifecycle (SDL). It summarizes each model, noting that Touchpoints has 7 activities, CLASP has 24 activities, and SDL has 16 core activities. The document then compares the models based on number of activities, activity dependence, nature (heavyweight vs lightweight), and suitability for organization size. Overall, it provides a high-level overview and comparison of three approaches to incorporating security practices into the SDLC.
A SECURITY EVALUATION FRAMEWORK FOR U.K. E-GOVERNMENT SERVICES AGILE SOFTWARE...IJNSA Journal
This study examines the traditional approach to software development within the United Kingdom Government and the accreditation process. Initially we look at the Waterfall methodology that has been used for several years. We discuss the pros and cons of Waterfall before moving onto the Agile Scrum methodology. Agile has been adopted by the majority of Government digital departments including the Government Digital Services. Agile, despite its ability to achieve high rates of productivity organized in short, flexible, iterations, has faced security professionals’ disbelief when working within the U.K. Government. One of the major issues is that we develop in Agile but the accreditation process is conducted using Waterfall resulting in delays to go live dates. Taking a brief look into the accreditation process that is used within Government for I.T. systems and applications, we focus on giving the accreditor the assurance they need when developing new applications and systems. A framework has been produced by utilising the Open Web Application Security Project’s (OWASP) Application Security Verification Standard (ASVS). This framework will allow security and Agile to work side by side and produce secure code.
A SECURITY EVALUATION FRAMEWORK FOR U.K. E-GOVERNMENT SERVICES AGILE SOFTWARE...IJNSA Journal
The document discusses software development methodologies used by the UK government, specifically comparing the traditional Waterfall methodology to the more modern Agile Scrum methodology. It notes that while Agile has been adopted for development, the accreditation process still follows Waterfall, creating delays. The document then proposes a security framework based on OWASP's Application Security Verification Standard that could allow secure development within Agile sprints and provide assurance for accreditors.
Using Fuzzy Clustering and Software Metrics to Predict Faults in large Indust...IOSR Journals
This document describes a study that uses fuzzy clustering and software metrics to predict faults in large industrial software systems. The study uses fuzzy c-means clustering to group software components into faulty and fault-free clusters based on various software metrics. The study applies this method to the open-source JEdit software project, calculating metrics for 274 classes and identifying faults using repository data. The results show 88.49% accuracy in predicting faulty classes, demonstrating that fuzzy clustering can be an effective technique for fault prediction in large software systems.
A SYSTEMATIC LITERATURE REVIEW ON SECURE SOFTWARE DEVELOPMENT AGILE PERSPECT...Hannah Baker
This document presents a systematic literature review on secure software development from an agile perspective. It reviews how security activities can be integrated into agile processes while still allowing for the quick development cycles that are core to agility. The review identifies security parameters that can be used within agile processes to develop secure applications. It observes that while integrating security into agile development poses challenges, evidence shows that a combination approach can benefit organizations using agile methodologies to create secure software.
A Resiliency Framework For An Enterprise CloudJeff Nelson
The document summarizes a research paper that proposes a resiliency framework called the Cloud Computing Adoption Framework (CCAF) for enterprise clouds. CCAF includes four major emerging services - software resilience, service components, guidelines, and real case studies - that are designed to improve an organization's security when adopting cloud computing. The framework was validated through a large survey that provided user requirements to guide the system's design and development. CCAF aims to illustrate how software resilience and security can be improved for enterprises moving to the cloud.
This article examines the emerging need for software assurance. As defense contractors continue to develop systems for the Department of Defense (DoD) those systems must meet stringent requirements for deployment. However as over half of the vulnerabilities are found at the application layer organizations must ensure that proper mechanisms are in place to ensure the integrity, availability, and confidentiality of the code is maintained. Download paper at https://www.researchgate.net/publication/255965523_Integrating_Software_Assurance_into_the_Software_Development_Life_Cycle_(SDLC)
ITERATIVE AND INCREMENTAL DEVELOPMENT ANALYSIS STUDY OF VOCATIONAL CAREER INF...ijseajournal
Software development process presents various types of models with their corresponding phases required to be accordingly followed in delivery of quality products and projects. Despite the various expertise and skills of systems analysts, designers, and programmers, systems failure is inevitable when a suitable development process model is not followed. This paper focuses on the Iterative and Incremental Development (IID)model and justified its role in the analysis and design software systems. The paper adopted the qualitative research approach that justified and harnessed the relevance of IID in the context of systems analysis and design using the Vocational
Career Information System (VCIS) as a case study. The paper viewed the IID as a change-driven software development process model. The results showed some system specification, functional specification of system and design specifications that can be used in implementing the VCIS using the IID model. Thus, the paper concluded that in systems analysis and design, it is imperative to consider a suitable development process that reflects the engineering mind-set, with heavy emphasis on good analysis and design for quality assurance.
IMPLEMENTATION OF MOSRE FRAMEWORK FOR A WEB APPLICATION - A CASE STUDYijwscjournal
The Security Engineering discipline has become more and more important in the recent years. Security requirements engineering is essential to assure the Quality of the resulting software. An increasing part of the communication and sharing of information in our society utilize Web Applications. Last two years have seen a significant surge in the amount of Web Application specific vulnerabilities that are disclosed to the public because of the importance of Security Requirements Engineering for Web based systems and as it is still underestimated. Integration of Web and object technologies offer a foundation for expanding the Web to a new generation of applications. In this paper, we outline our proposed Model- Oriented Security Requirement Engineering (MOSRE) Framework for Web Applications. By applying Object-Oriented technologies and modeling to Security Requirement phase. So the completeness, consistency, traceability and reusability of Security Requirements can be cost effectively improved. We implemented our MOSRE Framework for E-Voting Application and set of Security Requirements are identified.
A REVIEW OF SECURITY INTEGRATION TECHNIQUE IN AGILE SOFTWARE DEVELOPMENTijseajournal
Agile software development has gained a lot of popularity in the software industry due to its iterative and
incremental approach as well as user involvement. Agile has also been criticized due to lack of its ability to
deliver secure software. In this paper, extensive literature has been performed, in order to highlight the
existing security issues in agile software development. Majority of challenges reported in literature,
occurred due to lack of involvement of security expert. Improving security of a software system without
damaging the real essence of Agile can achieved with the continuous involvement of security engineer
throughout development lifecycle with its defined role and responsibilities.
The document discusses different aspects of designing an information system, including business processes, usability, graphic design, and analytical design. It states that the design must satisfy business needs, be easy to navigate, have visual appeal, and clearly represent quantitative information. It also discusses how the systems development life cycle (SDLC) was created in response to increasing computer complexity in the 1950s-60s to provide a structured development process, and how security is now integrated throughout the SDLC rather than just in testing.
Secured cloud support for global softwareijseajournal
This document summarizes a research paper that proposes a methodology called TSPS (Theory/SWEBOK/Project Security) to improve software engineering education. The methodology aims to collaborate between academic and industrial practices. It involves students working on projects with guidance from both mentors and industry practitioners. Data from literature reviews on software security engineering education is analyzed. A cloud-based system is developed to securely store project documents by encrypting and splitting files across multiple cloud nodes. The methodology and secure cloud storage approach are concluded to provide strategies to mitigate risks in software projects and benefit both education and industry.
DESQA a Software Quality Assurance FrameworkIJERA Editor
In current software development lifecycles of heterogeneous environments, the pitfalls businesses have to face are that software defect tracking, measurements and quality assurance do not start early enough in the development process. In fact the cost of fixing a defect in a production environment is much higher than in the initial phases of the Software Development Life Cycle (SDLC) which is particularly true for Service Oriented Architecture (SOA). Thus the aim of this study is to develop a new framework for defect tracking and detection and quality estimation for early stages particularly for the design stage of the SDLC. Part of the objectives of this work is to conceptualize, borrow and customize from known frameworks, such as object-oriented programming to build a solid framework using automated rule based intelligent mechanisms to detect and classify defects in software design of SOA. The implementation part demonstrated how the framework can predict the quality level of the designed software. The results showed a good level of quality estimation can be achieved based on the number of design attributes, the number of quality attributes and the number of SOA Design Defects. Assessment shows that metrics provide guidelines to indicate the progress that a software system has made and the quality of design. Using these guidelines, we can develop more usable and maintainable software systems to fulfill the demand of efficient systems for software applications. Another valuable result coming from this study is that developers are trying to keep backwards compatibility when they introduce new functionality. Sometimes, in the same newly-introduced elements developers perform necessary breaking changes in future versions. In that way they give time to their clients to adapt their systems. This is a very valuable practice for the developers because they have more time to assess the quality of their software before releasing it. Other improvements in this research include investigation of other design attributes and SOA Design Defects which can be computed in extending the tests we performed.
Safety-driven Software Product Line architectures Design, A Survey PaperEditor IJCATR
Software architecture design is an important step of software development. Currently, there are various design methods
available and each is focusing on certain perspective of architecture design. Especially, quality-based methods have received a lot of
attentions and have been well developed for single system architecture design. However, the use of quality-based design methods is
limited in software product line (SPL) because of the complexity and variabilities existing in SPL architecture. With the increasing
attention to software safety, improving software safety has already become a more important issue, especially for safety-critical
systems. This study aims at surveying existing research on Software Product Line Architecture (SPLA) design based on quality
attributes, and to give an overview of the intersection of the areas of software product line architecture design and Safety Driven
Design in order to classifying existing work, and discover open issues for further research. Also this study investigates safety analysis
at the architectural level, and Safety-based Software Product Line Architecture Design (SSPLAD) approaches. Safety-driven software
product line architecture design seems to be a ‘‘discussion” topic. The study shows that there are a large number of SPLA design
methods. However, the use of safety-based design methods is limited in software product lines (SPL) due to the variability property
that can potentially result in a large number of possible systems and because of the complexity existing in safety attribute itself.
A survey of predicting software reliability using machine learning methodsIAESIJAI
In light of technical and technological progress, software has become an urgent need in every aspect of human life, including the medicine sector and industrial control. Therefore, it is imperative that the software always works flawlessly. The information technology sector has witnessed a rapid expansion in recent years, as software companies can no longer rely only on cost advantages to stay competitive in the market, but programmers must provide reliable and high-quality software, and in order to estimate and predict software reliability using machine learning and deep learning, it was introduced A brief overview of the important scientific contributions to the subject of software reliability, and the researchers' findings of highly efficient methods and techniques for predicting software reliability.
A SYSTEMATIC LITERATURE REVIEW ON SECURITY INDICATORS FOR OPEN-SOURCE ENTERPR...ijseajournal
Open-source enterprise resource planning (ERP) software has become a preferred alternative for modern
organizations due to its affordable cost, availability and ease of access. Open-source software allows
access to customizable code which in most instances may have security loop holes due to the nature of its
releases. The study is motivated by need for accountability and security assurance by stakeholders and the
need for justification of investments towards information security. The objective was to analyse security
indicators for open-source resource planning software. Papers and journals published between 2017 and
2021 from IEEE, ACM, Springer, arXiv, Wiley online library and EBSCO were reviewed. Out of the
publications generated through the Google search, 62 publications were selected by reading the title,
abstract, introduction and full text. Results indicate un-updated software, full access rights, inadequate
training, failure to comply, single authentication and unauthorized software as some of the factors that
indicate open-source enterprise resource planning software security. In conclusion effectiveness of
mitigation measures to address these factors shows security or insecurity. Notably, there is need to institute
security control measures and metrics for the identified factors to help assess security posture of
enterprises during ERP software implementation. We recommend the design of security a measurement
framework and definition of a metrics suite for assessing open-source ERP software security
SECURETI: ADVANCED SDLC AND PROJECT MANAGEMENT TOOL FOR TI(PHILIPPINES)ijcsit
There are essential security considerations in the systems used by semiconductor companies like TI. Along
with other semiconductor companies, TI has recognized that IT security is highly crucial during web
application developers' system development life cycle (SDLC). The challenges faced by TI web developers
were consolidated via questionnaires starting with how risk management and secure coding can be
reinforced in SDLC; and how to achieve IT Security, PM and SDLC initiatives by developing a prototype
which was evaluated considering the aforementioned goals. This study aimed to practice NIST strategies
by integrating risk management checkpoints in the SDLC; enforce secure coding using static code analysis
tool by developing a prototype application mapped with IT Security goals, project management and SDLC
initiatives and evaluation of the impact of the proposed solution. This paper discussed how SecureTI was
able to satisfy IT Security requirements in the SDLC and PM phases.
There are essential security considerations in the systems used by semiconductor companies like TI. Along
with other semiconductor companies, TI has recognized that IT security is highly crucial during web
application developers' system development life cycle (SDLC). The challenges faced by TI web developers
were consolidated via questionnaires starting with how risk management and secure coding can be
reinforced in SDLC; and how to achieve IT Security, PM and SDLC initiatives by developing a prototype
which was evaluated considering the aforementioned goals. This study aimed to practice NIST strategies
by integrating risk management checkpoints in the SDLC; enforce secure coding using static code analysis
tool by developing a prototype application mapped with IT Security goals, project management and SDLC
initiatives and evaluation of the impact of the proposed solution. This paper discussed how SecureTI was
able to satisfy IT Security requirements in the SDLC and PM phases.
1) The document discusses a proposed Vulnerability Management System (VMS) to identify and manage software vulnerabilities.
2) It provides an overview of vulnerability management and discusses related work that has been done in vulnerability databases and tracking systems.
3) The proposed VMS would use morphological inspection and static analysis to assess vulnerabilities, store information in a database, and rank vulnerabilities based on severity. It would consist of a vulnerability scanner, process control platform, and data storage.
Similar to SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTS (20)
SOCRadar's Aviation Industry Q1 Incident Report is out now!
The aviation industry has always been a prime target for cybercriminals due to its critical infrastructure and high stakes. In the first quarter of 2024, the sector faced an alarming surge in cybersecurity threats, revealing its vulnerabilities and the relentless sophistication of cyber attackers.
SOCRadar’s Aviation Industry, Quarterly Incident Report, provides an in-depth analysis of these threats, detected and examined through our extensive monitoring of hacker forums, Telegram channels, and dark web platforms.
How Can Hiring A Mobile App Development Company Help Your Business Grow?ToXSL Technologies
ToXSL Technologies is an award-winning Mobile App Development Company in Dubai that helps businesses reshape their digital possibilities with custom app services. As a top app development company in Dubai, we offer highly engaging iOS & Android app solutions. https://rb.gy/necdnt
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemPeter Muessig
Learn about the latest innovations in and around OpenUI5/SAPUI5: UI5 Tooling, UI5 linter, UI5 Web Components, Web Components Integration, UI5 2.x, UI5 GenAI.
Recording:
https://www.youtube.com/live/MSdGLG2zLy8?si=INxBHTqkwHhxV5Ta&t=0
Using Query Store in Azure PostgreSQL to Understand Query PerformanceGrant Fritchey
Microsoft has added an excellent new extension in PostgreSQL on their Azure Platform. This session, presented at Posette 2024, covers what Query Store is and the types of information you can get out of it.
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesQuickdice ERP
Explore the seamless transition to e-invoicing with this comprehensive guide tailored for Saudi Arabian businesses. Navigate the process effortlessly with step-by-step instructions designed to streamline implementation and enhance efficiency.
Microservice Teams - How the cloud changes the way we workSven Peters
A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams?
Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.
8 Best Automated Android App Testing Tool and Framework in 2024.pdfkalichargn70th171
Regarding mobile operating systems, two major players dominate our thoughts: Android and iPhone. With Android leading the market, software development companies are focused on delivering apps compatible with this OS. Ensuring an app's functionality across various Android devices, OS versions, and hardware specifications is critical, making Android app testing essential.
When it is all about ERP solutions, companies typically meet their needs with common ERP solutions like SAP, Oracle, and Microsoft Dynamics. These big players have demonstrated that ERP systems can be either simple or highly comprehensive. This remains true today, but there are new factors to consider, including a promising new contender in the market that’s Odoo. This blog compares Odoo ERP with traditional ERP systems and explains why many companies now see Odoo ERP as the best choice.
What are ERP Systems?
An ERP, or Enterprise Resource Planning, system provides your company with valuable information to help you make better decisions and boost your ROI. You should choose an ERP system based on your company’s specific needs. For instance, if you run a manufacturing or retail business, you will need an ERP system that efficiently manages inventory. A consulting firm, on the other hand, would benefit from an ERP system that enhances daily operations. Similarly, eCommerce stores would select an ERP system tailored to their needs.
Because different businesses have different requirements, ERP system functionalities can vary. Among the various ERP systems available, Odoo ERP is considered one of the best in the ERp market with more than 12 million global users today.
Odoo is an open-source ERP system initially designed for small to medium-sized businesses but now suitable for a wide range of companies. Odoo offers a scalable and configurable point-of-sale management solution and allows you to create customised modules for specific industries. Odoo is gaining more popularity because it is built in a way that allows easy customisation, has a user-friendly interface, and is affordable. Here, you will cover the main differences and get to know why Odoo is gaining attention despite the many other ERP systems available in the market.
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfVALiNTRY360
Salesforce Healthcare CRM, implemented by VALiNTRY360, revolutionizes patient management by enhancing patient engagement, streamlining administrative processes, and improving care coordination. Its advanced analytics, robust security, and seamless integration with telehealth services ensure that healthcare providers can deliver personalized, efficient, and secure patient care. By automating routine tasks and providing actionable insights, Salesforce Healthcare CRM enables healthcare providers to focus on delivering high-quality care, leading to better patient outcomes and higher satisfaction. VALiNTRY360's expertise ensures a tailored solution that meets the unique needs of any healthcare practice, from small clinics to large hospital systems.
For more info visit us https://valintry360.com/solutions/health-life-sciences
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Découvrez les dernières innovations de Neo4j, et notamment les dernières intégrations cloud et les améliorations produits qui font de Neo4j un choix essentiel pour les développeurs qui créent des applications avec des données interconnectées et de l’IA générative.
Flutter is a popular open source, cross-platform framework developed by Google. In this webinar we'll explore Flutter and its architecture, delve into the Flutter Embedder and Flutter’s Dart language, discover how to leverage Flutter for embedded device development, learn about Automotive Grade Linux (AGL) and its consortium and understand the rationale behind AGL's choice of Flutter for next-gen IVI systems. Don’t miss this opportunity to discover whether Flutter is right for your project.
Do you want Software for your Business? Visit Deuglo
Deuglo has top Software Developers in India. They are experts in software development and help design and create custom Software solutions.
Deuglo follows seven steps methods for delivering their services to their customers. They called it the Software development life cycle process (SDLC).
Requirement — Collecting the Requirements is the first Phase in the SSLC process.
Feasibility Study — after completing the requirement process they move to the design phase.
Design — in this phase, they start designing the software.
Coding — when designing is completed, the developers start coding for the software.
Testing — in this phase when the coding of the software is done the testing team will start testing.
Installation — after completion of testing, the application opens to the live server and launches!
Maintenance — after completing the software development, customers start using the software.
openEuler Case Study - The Journey to Supply Chain Security
SECURING SOFTWARE DEVELOPMENT STAGES USING ASPECT-ORIENTATION CONCEPTS
1. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
57DOI:10.5121/ijsea.2018.9605
SECURING SOFTWARE DEVELOPMENT STAGES
USING ASPECT-ORIENTATION CONCEPTS
Aws A. Magableh and Anas M. R. AlSobeh
Department of Computer Information Systems
Faculty of Computer Science and Information Technology
Yarmouk University,Irbid, Jordan
ABSTRACT
In the past 10 years, the research community has produced a significant number of design notations to
represent security properties and concepts in a design artifact. The need to improve the security of software
has become a key issue for developers.The security function needs to be incorporated into the software
development process at the requirement, analysis, design, and implementation stages as doing so may help
to smooth integration and to protect systems from attack. Security affects all aspects ofa software program,
which makes the incorporation of security features a crosscutting concern. Therefore, this paper looks at
the feasibility and potential advantages of employing an aspect orientation approach in the software
development lifecycle to ensure efficient integration of security.These notations are aimed at documenting
and analyzing security in a software design model. It also proposes a model called the Aspect-Oriented
Software Security Development Life Cycle (AOSSDLC), which covers arrange of security activities and
deliverables for each development stage. It is concluded that aspect orientation is one of the best options
available for installing security features not least because of the benefit that no changes need to be made to
the existing software structure.
KEYWORDS
Aspect Orientation, AO, Aspect-Oriented Programming, AOP, SSDL,Software Security Development Life
Cycle, Security, Notation, Software Design.
1. INTRODUCTION
The software development life cycle (SDLC) of an information system (IS)consists of four main
stages:planning, creating, testing, and deployment. It has also been described as involving a
requirement, design, coding, and documentation phase. The SDLC is applicable to a variety of
configurations because an IS can comprise just hardware, just software, or both [3]. Given the
current global situation and the heightened need for security in both industry and government as
well as in personal life, are search area that is growing in importance is the enhancement of the
SDLC to include the implementation of the security software development life cycle (SSDLC).
Some of the recent security threats and attack reports can be found in [19]and [20]. A more
comprehensive analysis of the exploits, vulnerabilities, and malware based on data from Internet
service providers and over 600 million computers worldwide can be found in [1]. Figure 1
illustrates the attacks that focused on applications during the period of 2016.According to [1],
“Disclosures of vulnerabilities in applications other than web browsers and operating system
applications decreased slightly in first half of 2016, but remained the most common type of
vulnerability during the period, accounting for 45.8 per cent of all disclosures for the period.”
2. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
58
Figure 1: Example of a Microsoft Security Intelligence Report[1]
Thus, it can be said that security is the main requirement of all users, especially those in charge of
critical infrastructure. Therefore it is crucial that software vendors address the issue of security
threats head on.However, creating software that is ever more secureis a huge challenge [2].
Nevertheless, software vendors must endeavour to do so in order to maintain society’s trust in
computers in this digital era One of the key steps that software vendors and their collaborators
need to take is to shift to a substantially more secure SDLC process that places a greater emp
hasison security in order to reduce the amount of vulnerabilities in all stages of the process–from
requirement to documentation–and that attempts to reduce such vulnerabilities as early in the
SDLC as practicable.
The SSDLC helps developers build more secure software and address security compliance
requirements. It is created by adding security-related activities to any stage of the software
development process by incorporating the concept of a spec orientation (AO) into the SDLC, as
shown in Figure 2.
Figure 2: Inclusion of security activities in the SDLC
The two main goals of this study are to identify the techniques currently being used to enhance
the security of the SDLC through an in-depth review of the literature and to propose a model to
enhance the security of software development. The main objective of this study is to utilize the
strength of AO and its concepts to enhance software development security. This work aims also to
eject security activity into SDLC with less amount of impact on the standard process of
development. The study was guided by two research questions: “What is the practical
3. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
59
applicability of existing models for a secure software development life cycle?”and “How can
aspect orientation enhance SSDLC?”
The remainder of this paper organized as follows: section 2 provides an overview of the key
concepts addressed in this paper. Section 3 explains the methodology used in this research.
Section 4reviewsrelated works. Section 5 explains the proposed aspect-oriented software security
development life cycle (AOSSDLC) model, and finally, section 6 contains a conclusion and
suggestions for future work.
2.OVER VIEW AND BACKGROUND
Before discussing the research methodology, an overview of the key concepts of AO and SSDLC
is provided in order to clarify their contribution to the main aimof this study.
2.1. A SPECT-ORIENTATION CONCEPTS
A research team headed by Gregor Kiczales at Palo Alto Research Center coined the term
‘aspect-oriented’ when they were developing aspect-oriented programming (AOP) as well as
AOP language (AspectJ),a language that is now very popular among developers working in Java
[21]. Just as object-oriented (OO) programming [22] before it resulted in a wide range of OO
development methodologies [23], AOP has engendereda growing number of software engineering
technologies such as AO development methods, modelling techniques that are usually based on
the principles of unified modelling language (UML) [24], and assessment technologies to test the
effectiveness of AO approaches. Nowadays, the term‘aspect-oriented software development
(AOSD)’is used to refer to an array of software development techniques that support the
modularization of aspects (also known as crosscutting concerns)throughout an entire software
system [25]. This modularization covers requirement engineering, business process management,
analysis and design, and programming. Aspect orientationoffersa systematic means by which to
modularize crosscutting concerns which, as the name implies, has an effect on the other concerns.
More often than not, crosscutting concerns cannot be smoothly or completely decomposed from
the rest of the system in the design or in the implementation phase, which means that, at
implementation, scattered code (code duplication) and/or tangled code (significant dependencies
between concerns) can appear. Figure 3 illustrates both of these problems:Figure 3(a) shows how
the logging aspect code can get scattered and duplicated in other concerns while Figure 3(b)
shows how that same code can become tangled up in one concern.
Figure 3: Code scattering and code tangling
4. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
60
2.2. SOFTWARE SECURITY DEVELOPMENT LIFE CYCLE
During the SSDLC the processes of software development are modified by embedding activities
that result in enhanced software security. This section summarizes these activities and the ways in
which they are incorporated into a SDLC in general terms. Here,the SDLC consists of
requirement, analysis, design, and implementation.Also, it should be noted that the modifications
are not designed to completely change the developmental process, but to add cleared liverables
for software security. Moreover, the software architecture should be designed in such a way that
the software is able protect not only itself but the datait processes [2]. Hence it is important that
designers assume that security faults will exist in a system and that software should therefore run
with the least privileges. Services that are not regularly needed should be disabled by default or
made accessible to just a few users or distinct groups of users [2]. Also, tools and guidance should
be provided with software at deployment to help users and administrators use it securely, and
updates should be easy to deploy. The implementation of security measures in the SDLC is not
limited to the above; it needs to be considered in the requirement, implementation,verification and
release stages as well.
3. OVERVIEW OF RESEARCH METHODOLOGY
The aim of this study is to characterize the existing notations and associated techniques in the
field of secure SDLC. This is achieved by means of aconventional analysis of the relevant
literature. As mentioned before, the study addresses three research questions.As mentioned in the
introduction, this study attempts to answer the following questions:
RQ1: What is the practical applicability of existing models for a secure software
development life cycle?
RQ: How can aspect orientation enhance the SSDLC?
RQ3: What would be the impact of employing AO and its concepts to enhance the
security of the SDLC?
In order to find answers to the above questions, we analysed a large number of research papers
that were published during the period January 2003to November 2017. The year 2003was chosen
as the start date because it was during that year that publications on the security of the software
development life cycle began to appear.The papers were collected by using three complementary
search methods in order to achieve the maximum coverage of the domain. First, we performed a
manual search of the proceedings of several conferences which are particularly relevant to the
SDLC. Second, we searched through a number of digital libraries. Third, we performed a
snowballing search [34] on the papers collated by the first two search methods. Snow balling
involves retrieving papers that are cited by the considered papers and papers that cite the
considered paper as a reference. For forward snowballing, we used the bibliographies of the
identified papers. Google Scholar was used to perform backward snowballing.
4.LITERATURE REVIEW
Before presenting the proposed model,this section reports the results of our review of literature
that was undertaken to discover whether any of the existing models use AO in the SSDLC.
Literature review consists of reviewing, extracting and evaluating and then analyzing and
5. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
61
interpreting the studies that are relevant to this research. Most research starts with a literature
review. However, unless a literature review is fair, it is of little scientific value [4]. With the
extended article of this work, we will be adoptinga systematic literature review approach [5] we
were able to find the best and most-cited works that are relevant to the research question posed by
this study, i.e.What would be the impact of employing AO and its concepts to enhance the security
of the SDLC? It is worth noting that research on the use of AO to improve the security of the
SDLC is quite scarce. This section is exploring major works and categories of works that have
been done to employ security in SDL. The main focusing of this work is on different aspect of
securing the SDLC which includes confidentiality, integrity, availability, auditability, privacy
access control, authentication, logging.
4.1.MICROSOFT SECURITY DEVELOPMENT LIFE CYCLE (MSSDLC)
One of the first initiatives in relation to the SSDLC was the MSSDLC proposed by Microsoft,
which works in line with the phases of a classic SDLC. Microsoft proposed some of the best
security practices to fit with each stage of its classical SDLC, which is shown in Figure 4 [6].
Figure 4: Classical software development life cycleofMicrosoft[6]
For the training stage, which is the initial stage of the classic SDLC at the company, Microsoft
proposed some core security training to secure the other upcoming stages and focused particularly
on the issue of privacy. At the stage of Requirements, Microsoft proposed quality gates and
privacy risk assessment to determine on the privacy impact rating. The same thing goes to the
other stages, for the design phase, Microsoft proposed quite a few security practices such as threat
modelling and attach surface analysis. As for implementation, they suggested using approved
tools, deprecating unsafe functions and performing static analysis. For all stages, best practices
were applied to ensure the highest possible levels of security. Figure 5 provides a summary of the
main security activities Microsoft deployed for each SDLC stage [10].
Figure 5: Secure software development process model of Microsoft[10]
6. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
62
4.2.MODEL-DRIVEN ARCHITECTURE FOR THE SECURE SOFTWARE DEVELOPMENT
LIFE CYCLE
A model is a crucial component of the design process in many engineering disciplines,including
software engineering, as it represents a real system or entity and enables developers to test a
proposal or prototype before expending a significant sum on the real thing[10]. To facilitate the
software engineering process, the Object Management Group (OMG) developed model-driven
architecture (MDA) (The OMG describes itself as an international, open membership, non-profit
computer industry consortium and it came into being in 1989.)It is essentially a methodology that
helps to specify software system specifications regardless of the hardware and platforms being
used for the implementation. In MDA, there are three default models (CIM, PIM, and PSM), as
shown in Figure 6 [7]. The concept has been involved in model-driven security (MDS), which can
model security requirements at a high level of abstraction.
Figure 6: Structure of model-driven architecture[11]
Following the MDA for SDLC proposed in [9], an architecture known as MDA-SDLC was
proposed [8], which considers security requirements, security models and system requirements
and modelling throughout the SLDC stages. It illustrates the main roles and responsibilities along
with technical skills set needed for requirements and software model requirement. At design
model, architectural model and pattern model is suggested. The rest of stages contain few more
activities suggested at each stage as illustrated in Figure 7.
Figure 7: Overview of architecture of MDA SDLC [8]
7. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
63
4.3.FORMAL METHODOLOGIES FOR DEVELOPING SECURE SOFTWARE SYSTEMS
A number of formal methodologies have been proposed to aid in the development of secure
software systems and they cover several different SDL stages. The methodologies are
mathematically based on specifications that represent software system behaviours. The
specifications themselves employ a formal syntax and can be used to garner key information
about a software system. Developers can produce software programs in a formal manner by using
a formal methodology [7]. An illustration of a typical formal methodology is provided in Figure
8.
With respect to the SDLC, there are two types of formal methodology that can be employed: the
software security assessment instrument method and the construction method. The first type in
volves the development and use of tools and a variety of information resources to ensure the
security of software, for example by using model checkers. The second type uses a range of
formal methodologies for the entire SLC, including formal description language for the system
specification and unequivocal programming language and bug prevention fixes, whiche nables
analysis of the software to be very stringent in even the earliest stages of software development.
Figure 8: Application of typical formal methodology to SDL
4.4.ASPECT-ORIENTED MODELLING FOR REPRESENTING AND INTEGRATING SECURITY
CONCERNS IN UML
This study suggests a new way of specifying security aspects in UML and, moreover, itenables
security aspects to be systematically and automatically woven into UML. The main aimis to
identify and deal with security-related concerns and model them during the design stage of the
SDLC.To do this, it uses the class diagram as one of the UML design diagrams. Figure 9 shows
the security aspect by using the class diagram.
8. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
64
Figure 9: Class diagram of security aspect
Secure UML[35] [36] is more specific and geared toward role-based access control only. It seems
like ‘popularity‘favors these two extremes rather than notations in the middle ground.Secure
UML, in contrast, merges its security design language with the design language that is used to
design the system into a so-called dialect language. UML is used as the concrete language for the
security concerns, and the authors only demonstrate this approach using design languages which
are subsets of UML (in particular, Component UML and Controller UML). Moreover, Secure
SOA uses the Secure UML dialect mechanism to merge Fundamental Modeling Concepts (FMC)
[36].
Other approaches, such as [14],implement a risk management analysis in order to incorporate
security into the SDLC. Other related works such as [27-32]have attempted to improve security
by using AOP at the SDLC implementation stage. Moreover, among these works [27] and [28]
have also proposed a method to integrate security using AOP at the implementation stage, while
[29] and [30] have investigated aspectizing security at the programming stage. Additionally, [31]
and [32] have considered using AO Ponly during the programming stage to ensure that the system
is trustworthy during the development process.Generally, less attention has been given to utilizing
the benefits of AO and its related concepts for other (earlier)SDLC stages as a means to improve
the security of software. However, it makes sense to employ AO as early as possible in the SDLC,
otherwise it might be too late to address all the security dimensions.
5. ASPECT-ORIENTED SOFTWARE SECURITY DEVELOPMENT LIFE CYCLE
This section focuses on describing the architecture of the AOSSDLC proposed in this paper. As
mentioned in the introduction, finding ways to ensure the highest level of security during the
development of complex software systems isnow more critical than ever because software now
pervades almost all aspects of our lives both professional and personal. As pectorientation has
been shown to be effective in dealing with the crosscutting nature of security requirements so it
could be particularly useful not only when developing and designing applications but also when
implementing them. In our work, we aim to bring different fields together to discover whether the
AO concept can be successfully utilized to improve SDLC security and consequently reduce
security-related attacks and vulnerabilities. We will work on proposing a UML bases norat9oin
and non-UML based notation to evolve the security sub types into different stages of
SDLC.Figure 10 shows how we see the various fields linking together.
9. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
65
Figure 10: AOSSDLC areas of collaboration
Perhaps the major benefit of using AO is that it can weave any kind of crosscutting concern,
including security and security-related concerns, into a system, even if they are scattered and
tangled [26] throughout the system, without having an adverse effect another concerns. Moreover,
this weaving process can occur at any stage in the SDLC. In other words, adding or removing
aspects in any stage of the SDLC becomes less problematic and less time
consuming[15][17]. One more dimension to consider which motivated this work is that, the
evolving field of securing SDLC [1] [8]. Having said that, it was essential to investigate and
explore the ability to connecting these topics with each other to come up with relativity reliable
secure software development life cycle depending on AO. Our proposed model, the AOSSDLC
combines these advantages and addresses these issues. Figure 11 illustrates the application areas
of the proposed model.
Figure 11: Application areas of proposed AOSSDLC model
In the design, development and implementation of a secure system the security-related properties
in the system should be abstracted out of the main system to improve clarity, maintainability,
manageability and reuse [18]. Also, where legacy source code has identified or potential security
vulnerabilities the code should be patched by adding the smallest possible amount of new code
and ideally the original code should not be changed. In addition,where appropriate, it should be
10. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
66
possible to reuse security-related properties in a range of applications [28]. It is note worthy that
all the above can be achieved by using AO [18] because AO automatically checks for errors in
security-sensitive calls, automatically logs data on security concerns, replaces generic code with
secure code and specifies privileges, abstracts some concerns, replaces concerns with the
minimum changes necessary and its changes are reusable in any stage of the SDLC. Thus, it
becomes clear why our model is designed in accordance with the concept of AO in order to
attempt to integrate the above mentioned highly desirable security-related activities into the
SDLC. In AO there are two kinds of crosscutting concerns (aspect concepts) that applicable to
any stage of the SDLC: dynamic crosscutting and static crosscutting. They can both be utilized to
embed security-related crosscutting concerns into any part of SDLC. These types of crosscutting
are described in brief in the following subsections.
5.1. DYNAMIC CROSSCUTTING OF AOSSDLC
Dynamic crosscutting is a technique that allows points to be defined and changes (pieces of
code)to be recommended in the SDLC coding stage of the dynamic execution of a program. Our
proposition extends this dynamic crosscutting technique to other SDL stages. Our proposed
modelutilized the dynamic crosscutting sub concepts join point, point cut, and advice not only in
the programming stage but in all the other SDLC stages as well in order to include dynamic
security-related crosscutting concerns in the SDLC. In the AOSSDLC model, join points are
predictable points in the execution of a program, and they are the points at which security activity
must be added at a specific SDLC stage to ensure the security of the software. It is the point cutin
the AOSSDLC model that is designed to identify and select the join points where the security
activity needs to be added. When the model gives advice this refers to the model identifying the
actual security activity that needs to be injected and executed when a join point is reached.Figure
12 illustrates the proposed AOSSDLC model.
Figure 12: AOSSDLCmodel
Join points are predictable point in the execution; it would represent the point where we would
need to add the security activity at a specific SDL stage.Pointcut of AOSSDL is designed to
11. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
67
identify and select join points where the security activity will be added. Advice of AOSSDL is the
actual security activity to be injected and executed when a join point is reached.
5.2. STATIC CROSSCUTTING IN THE AOSSDLC
Static crosscutting is an inter-type declaration that can add attributes and/or methods to an
existing structure. It is a powerful technique because it provides the developer with the capability
to add new attributes and operations to a class or aspect, as well as a whole range of other
declarations that affect the static-type hierarchy.In our proposed model, we use it to add attributes
to a specific classification in the SDLC.
5.3. ASPECT WEAVING STEP
In this model, it is the weaving of the security aspects into the SDLC that makes the SDLC
secure. This is done mainly by the following generic steps:
• Locating the security join points, which involves identifying the locations at which the
SDLC stage/activity and the security requirements/design aspects inter act; analysing the
vulnerabilities of and the threats posed to the software based on the security requirements
and security design; and specifying the security join point setting for the connectors in the
SDLC.
• Constructing security advice, for which actions are defined in order to enforce security in
the required SDLC stage through locating the join points that have the same vulnerability
and grouping them together as a point cut.
• Weaving the security aspect into the SDLC in order to incorporate the security aspect into
the SDLC,this involves systematically searching for join points so that the security
advice/aspect can inject the required security behaviours into the SDLC in the correct
places.
From a comparison of the proposed model with those in the literature, it would seem that the
proposed model is better structured because not only does it have clear steps for defining changes
in security at specific points in the SDLC stages, it also contains a weaving step to enable the
injection of aspect changes. Moreover, the proposed model is based on a bottom-up technique that
maps the AOP elements (such as AspectJ) so that they can beem bedded into the early stages of
the SDLC.
5.4. APPLICATION OF THE A OSSDLC
The AOSSDLC model shows how the aspects are used and woven to inject achange and a
modification at any stage of the SDLC without the need to work manually on the change. Figure
13 illustrates how AO is used in each stage.
12. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
68
Figure 13: AO in the SDLC stages
Due to the limitation of space, here we illustrate how AO can be used in the requirement stage of
the SDLC only. Ifthe requirements have already been elicited from the clients, no major changes
should need to be made to the actual requirements. Where a change does need to be made to a
specific part of the natural text/requirement this will result in a change to another requirement
because all requirements are connected and traceable. When there is a need to make such a
change manually, the AOSSDLC model suggests utilizing the dynamic concept and structure of
the aspects and aspect weaving, as shown in Figure 14.
13. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
69
Figure 14: Example of using of aspect orientation to make a change at the requirement stage of the software
development life cycle
In light of the above discussion, we believe that this study was able to achieve its main objectives
of identifying what models are currently being used to secure the SDLC and how AO can be used
to make the software development process more secure.
6. CONCLUSION AND FUTURE WORK
In this paper we present the SSDLC process for safety and security. This process helps a security
designer to elicit security requirement followed by security design, through security designers’
workbench and security testing, with secured deployment through security test.This paper
proposed an AO-based model for embedding security activities in the SDLC. Our ultimate aimis
to develop a model that is practical and extensible for different SSDLCs and research projects.
Our next step is to apply the AOSSDLC model to some real-life case studies, which will help us
in assessing its performance in terms of how it deals with threats, the nature of its limitations, and
its potential for scalability. The results, outcomes and feedback will be used to enhance the model
and improve its feasibility and, consequently, promote its usage.We also intend to investigate the
usage of AO in the so-called agile SDLC because this type of development life cycle has less
stringent guidelines for the initial stages of development and then adjustments are made as and
when needed throughout the remainder of the process,which is AO kind of behaviour where it
does not affect any other processes and stages.
14. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
70
REFERENCES
[1] Microsoft. Microsoft security intelligence report: July-December 2016.
http://www.microsoft.com/technet/ security/default.mspx, 2016
[2] Http://msdn.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic1_1, retrieved July 2017
[3] Selecting a Development Approach, Retrieved May 2017.
[4] Ebse, B. & Charters, S. 2007. Guidelines for Performing Systematic Literature Reviews in Software
Engineering.
[5] Maryati, Y. 2011. Systematic Review Hand-on Workshop. Research Center of Software Technology
and management, Faculty of information and Technology, UKM.
[6] Howard, M., &Lipner, S. (2006). The security development life cycle (Vol. 8). Redmond: Microsoft
Press.
[7] Sasikala D, The Most Common Methodologies for Secure Software Development, International
Journal of Multidisciplinary Research and Development, Volume 3; Issue 3; March 2016; Page No.
194-197
[8] Muhammad Asad, Shafique Ahmed, Model Driven Architecture for Secure Software Development
Life Cycle, International Journal of Computer Science and Information Security (IJCSIS), Vol. 14,
No. 6, June 2016
[9] Zhendong Ma, Christian Wagner, Arndt Bonitz, and Thomas Bleier , Model-driven Secure
Development Life cycle, International Journal of Security and Its Applications Vol. 6 No. 2, April,
2012
[10] Microsoft, Security Development Life cycle SDL Process Guidance Version 5.2, May23, 2012
[11] F. Truyen, "The Fast Guide to Model Driven Architecture; The Basics of Model Driven Architecture,"
Cephas Consulting Corp , 2006
[12] Eoin Keary, Jim Manico, "Secure Development Life cycle," in OWASP, Hamburg
[13] Richard Kissel, Kevin Stine , Matthew Scholl , Hart Rossman , Jim Fahlsing , Jessica Gulick,
"Security Considerations in the System Development Life Cycle," National Institute of Standards and
Technology , Gaithersburg, 2008 .
[14] Bart De Win , Riccardo Scandariato, Koen Buyens, Johan Gre´goire, WouterJoosen, On the secure
software development process: CLASP, SDL and Touchpoints compared, Information and Software
Technology 51 (2009) 1152–1171
[15] Georg, G., Ray, I., and France, R., “Using Aspects to Design a Secure System”, In Proc. 8th IEEE
Int’l Conf. on Eng. of Complex Computer Systems (ICECCS’02), pp. 117-128, 2002.
[16] Shah, V. and F. Hill, "An Aspect-Oriented Framework", In Proc. DARPA Info.Survivability Conf.
and Exposition (DISCEX'03), pp. 22-24, 2003.
[17] Yu, H. et.al., “Secure Software Architectures Design by Aspect Orientation”, In Proc. 10th Int’l Conf.
on Eng. of Complex Computer Sys (ICECCS’05), pp. 45-57, 2005.
[18] Viega, J., Bloch, J.T., and P. Chandra, "Applying Aspect Oriented Programming to Security", In
Cutter IT Journal, 14(2):31-31, 2001.
[19] Symatec, Internet Security Threat Report, Volume 21, April 2016
[20] Cisco, Cisco Annual Cybersecurity Report 2017 Infographic
[21] Schwanninger, C., &Joosen, W. (2011).Transactions on Aspect-Oriented Software Development VIII
(Vol. 6580). S. Katz, & M. Mezini (Eds.). Springer Science & Business Media.
[22] Smith, B. (2015). Object-Oriented Programming. In Advanced ActionScript 3(pp. 1-23). Apress.
[23] Avison, D., & Fitzgerald, G. (2003). Information systems development: methodologies, techniques
and tools. McGraw Hill.
[24] Magableh, A., Shukur, Z., & Ali, N. M. (2013). Aspectual UML approach to support AspectJ
[25] Filman, R., Elrad, T., Clarke, S., &Akşit, M. (2004). Aspect-oriented software development. Addison-
Wesley Professional.
[26] Groher, I., &Voelter, M. (2007, March). XWeave: models and aspects in concert. In Proceedings of
the 10th international workshop on Aspect-oriented modeling (pp. 35-40).ACM.
[27] De B. Win, B. Vanhaute, B. De Decker, "Security through Aspect-Oriented Programming", Advances
in Network and Distributed Systems Security, pp. 125-138, 2001.
[28] DehlingerJ. and N. V. Subramanian.Architecting Secure Software Systems Using an Aspect-Oriented
Approach: A Survey of Current Research. Technical report, Iowa State University, 2006
[29] De Win, Bart, WouterJoosen, and Frank Piessens."Developing secure applications through aspect-
oriented programming." Aspect-Oriented Software Development (2005): 633-650.
15. International Journal of Software Engineering & Applications (IJSEA), Vol.9, No.6, November 2018
71
[30] Marchand de Kerchove, F., Noyé, J., &Südholt, M. (2013, March). Aspectizingjavascriptsecurity.In
Proceedings of the 3rd workshop on Modularity in systems software (pp. 7-12).ACM.
[31] Safonov, V. O. (2008). Using aspect-oriented programming for trustworthy software development
(Vol. 5).John Wiley & Sons.
[32] Mourad, A., Laverdière, M. A., &Debbabi, M. (2008). An aspect-oriented approach for the systematic
security hardening of code. computers & security, 27(3), 101-11
[33] Mouheb, D., Talhi, C., Nouh, M., Lima, V., Debbabi, M., Wang, L., Pourzandi, M.: Aspect-Oriented
Modeling for Representing and Integrating Security Concerns in UML. In: R.Y. Lee, O. Ormandjieva,
A. Abran, C. Constantinides (eds.) Proceedings of the ACIS Conference onSoftware Engineering
Research, Management, and Applications, Studies in Computational Intelligence, vol. 296,pp. 197–
213. Springer (2010)
[34] A. van den Berghe, R. Scandariato, K. Yskout, W. Joosen, "Design notations for secure software: a
systematic literature review", Software & Systems Modeling, 2015.
[35] Keller, F., Wendt, S.: FMC: An approach towards architecturecentricsystem development. In:
Proceedings of 10th IEEE InternationalConference andWorkshop on the Engineering of Computer-
Based Systems, 2003, pp. 173–182. IEEE (2003)
[36] Matuleviˇcius, R., Dumas, M.: A Comparison of SecureUML andUMLsec for Role-Based Access
Control. In: Databases and InformationSystems, pp. 171–185 (2010)