Rafiq Ahmad Khan and 4 more authors

Cybersecurity is an ongoing and critical concern because of the constant and persistent threats from malicious actors such as hackers and crackers. The widespread use of software systems has revolutionized modern society in many respects, but with the evolution of information and communication technology (ICT) it has also brought new challenges in safeguarding sensitive and confidential information. Quantifying security can provide evidence to support decision-making in software security, especially when evaluating the security performance of software systems. This requires understanding the main quality criteria of security metrics, which in turn helps in building security metrology models based on practical requirements. To explore this topic further, this study conducted a systematic literature review of security metrics and measures in the context of Secure Software Development (SSD). The study selected 61 research studies according to specific inclusion and exclusion criteria and extracted data from the selected articles. It identified 215 software security metrics, which were then categorized by Software Development Life Cycle (SDLC) phase. To evaluate the effectiveness of the most commonly cited metrics in each phase, the study applied a SWOT analysis to highlight their strengths, weaknesses, opportunities, and threats. The findings offer valuable guidance to diligent and motivated researchers investigating emerging research trends and addressing existing gaps in Secure Software Development. Furthermore, this investigation gives software professionals a more comprehensive understanding of security measurements, their constraints, and the open issues, both specific and general, that remain.

Rafiq Ahmad Khan and 4 more authors

Technological advancement has made the world a global village. The widespread use of software systems has modernized human society in every aspect. Security is therefore an important element that must be considered while developing software systems. Given the significance of software security, security practices should be applied from the earliest phase of the software development life cycle (SDLC), i.e., requirements engineering (RE). Hence, this study aims to identify and categorize the RE practices that are important for secure software development (SSD) in a geographically distributed development environment. To study the RE practices relevant to SSD, we conducted a questionnaire survey with industrial experts in the global software development (GSD) context. Furthermore, the interpretive structural modeling (ISM) approach was applied to evaluate the relationships between the core categories of RE security practices. This paper identifies 70 practices and classifies them into 11 fundamental dimensions (categories) to assist GSD organizations in specifying the requirements for SSD. The ISM results show that the “Awareness of Secure Requirement Engineering (SRE)” category has the most decisive influence on the other ten core categories of the identified RE security practices. With the help of empirical evidence and the ISM approach, this work identifies potential security practices and provides a set of secure RE practices that can be used to improve the security of the software development process.