4.2 Findings of Empirical Study
The empirical investigation was carried out to gather responses from
experts working with RE security practices in GSD organizations. The
responses were collected through an online questionnaire using a
five-point Likert scale. The respondents were asked to indicate their
level of agreement with each statement using the following options:
"Strongly Agree (SA)", "Agree (A)", "Neutral (N)", "Disagree (D)" and
"Strongly Disagree (SD)". We divided the responses into three general
categories: positive (defined as "strongly agree" and "agree"), negative
(defined as "strongly disagree" and "disagree"), and "neutral". The
positive category therefore summarizes the share of survey participants
who agreed with the statement that the identified RE security practices
could have a positive impact on SSD. The survey results are presented in
Table 1.
In Table 1, "SRE1" means "Security Requirements Engineering Practice
Category 1 for GSD organizations in the SSD process", "SRE2" means
"Security Requirements Engineering Practice Category 2", and so on up to
"SRE11". Similarly, "P1" means "Practice 1". We categorized the 70
identified SRE practices into 11 fundamental categories, as depicted in
Table 1. The survey findings show that the category "SRE1: Awareness of
SRE" is the most cited category in the list of identified practices, at
84%. Requirements are gathered in a number of different ways, including
through interviews, focus groups, and brainstorming sessions. SRE is
distinct in that it strives to address security explicitly by enforcing
the three pillars of information security, namely confidentiality,
integrity, and availability [25].
The importance of security requirements in secure software engineering
cannot be overstated. The commonly used best practices for handling
security risks at the requirements engineering stage of the SDLC are
listed in Table 1. The survey respondents confirmed that these practices
assist global software development (GSD) organizations in their SSD
processes.
Table 1 shows that the most common security requirements engineering
(SRE) practices are: well-defined client roles and resource
capabilities; abuse and misuse cases; recording the rationale for
security requirements; performing security requirements specification;
and defining standard templates for describing authentication,
authorization, immunity, privacy, integrity, non-repudiation, intrusion
detection, and system maintenance security requirements. The SQUARE
(Security Quality Requirements Engineering) technique supports the
elicitation, categorization, and prioritization of security requirements
for IT systems and applications [51]. Various researchers [10, 26, 52]
and GSD industry practitioners have stressed the relevance of including
SRE in the SSD process. These activities produce outcomes that are
inextricably tied to the software's economic value [53].