1. Introduction
In recent years, software has become an important and integrated
part of our daily activities. Software security has gained importance in
research due to the increasing popularity of hacking and attacking
software systems. Software security flaws and vulnerabilities result
from badly written software that hackers can easily exploit. Most
software is designed and put into use without considering security needs
[1]. The majority of companies
consider security to be a post-development process
[2]. Every day, new threats from
inside and outside the company threaten the availability and integrity
of the company’s data, resulting in massive financial loss and other
damage [3].
Integrating security into the software engineering paradigm is essential
to secure the software development life cycle from its early stages
[4]. Therefore, many researchers have
considered security from the outset of software development, starting
with requirement engineering (RE) [5].
The development process needs to shape its security properties by adding
security practices to avoid defects in software products
[6]. Four stages must be followed to
build secure software: security protocol design, implementation, and
testing for complete software security needs
[7]. This process aims to improve
security requirements, apply threat modeling during software design, and
follow best security practices when developing, reviewing code, and
testing [8]. This process needs to be
updated continually to ensure that software products are secure.
Research is needed to discover which methods, notations, tools, and
techniques are becoming popular [9].
Vulnerabilities are often caused by neglecting security
[10]. The "fix and penetrate" method,
where security is checked after a project is finished, is used by even
the most ethical companies [10].
Multiple efforts have been made to design, develop, and maintain secure
software systems: Verdon and McGraw
[11] designed the Microsoft Trustworthy
Computing Security Development Lifecycle
[12], TSP Secure (Team Software
Process for Secure Software Development)
[13], and the Secure Software Development
Process Model (S2D-ProM) [14]. Niazi
et al. [10] developed the
Requirements Engineering Security Maturity Model (RESMM), the Comprehensive,
Lightweight Application Security Process (CLASP)
[15], and the Secure Software Development
Model (SSDM) [16]. Al-Matouq
et al. [17] designed a Secure
Software Design Maturity Model (SSDMM), among others.
The above discussion shows that software security must be improved from
the start. Integrating security awareness into the SDLC in the RE stage
is a current research topic that needs to be implemented in the
real-world software business [10].
The literature findings reveal that little work has been performed on
secure requirements engineering (SRE), and no work has been published
that uses the Interpretive Structure Modeling (ISM) approach to categorize
and find the interrelationships between RE practices for SSD in the
context of GSD. Therefore, there is a dire need to study:
The state of the art on software security in the context of secure
requirement engineering (SRE).
The RE security practices that assist global software development (GSD)
organizations in specifying the requirements for secure software
development (SSD).
The interrelationships between the categories of RE security practices,
found by applying Interpretive Structure Modeling (ISM).
The following research questions were designed to achieve the goals of
this research.
RQ1: What software security practices are required to assist
GSD organizations in specifying the requirements for SSD processes?
RQ2: What would be the interrelationship among the RE security
practices that will assist GSD organizations in better managing SSD
activities?
The remainder of this paper is structured as follows: Section 2 covers the
background and related work, whereas Section 3 covers the research
methods for this study. Section 4 presents all the results in detail,
while Section 5 presents a summary, implications, and future work.
Section 6 presents the limitations of the research.