A Novel Framework for Information Security During the SDLC Implementation Stage: A Systematic Literature Review
Abstract
This study examines information security during the implementation stage of the Software Development Life Cycle (SDLC). Through a systematic literature review of studies indexed in IEEE Xplore, the ACM Digital Library, Scopus, and ScienceDirect, it synthesizes existing findings into a framework that addresses the security challenges specific to the implementation stage. The contribution is a novel assurance model for software development vendors, focused on strengthening information security measures during implementation. The review identifies 12 key steps that organizations can adopt to mitigate security risks and improve their information security measures during this phase; each step is an actionable practice intended to support security controls effectively. The paper concludes that adopting these steps can significantly improve an organization's security posture and help ensure the integrity and reliability of the software development process, particularly during implementation. Beyond addressing immediate security concerns, the framework also sets a precedent for future research and practice in secure software development at this critical stage of the SDLC.
Copyright (c) 2024 Jurnal RESTI (Rekayasa Sistem dan Teknologi Informasi)
This work is licensed under a Creative Commons Attribution 4.0 International License.