Secure Software Development: Problems and Solutions
Keywords: secure software development, cybersecurity, threat modelling, software security testing, security development lifecycle.

Abstract
Secure software development has become increasingly critical in the face of growing cyber threats and mounting dependence on digital systems across diverse sectors. This paper presents a comprehensive review of the problems and solutions in the field of secure software development, drawing on a systematic literature review of peer-reviewed articles published between 2015 and 2024. The study identifies key obstacles to adopting secure development practices, including integrating security into the software development lifecycle, addressing the security implications of emerging technologies, and bridging the skills gap in the industry. The paper examines effective methodologies such as the Security Development Lifecycle (SDL), DevSecOps, and advanced testing techniques like Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). The findings emphasize the importance of a holistic approach to secure software development, comprising organizational culture, continuous education, and the implementation of security-focused frameworks. The research also highlights promising trends in automation, AI-assisted security analysis, and cloud-native security approaches. The paper contributes to the literature on secure software development by addressing current challenges, assessing existing solutions, and suggesting future directions for research and practice. The insights provided are valuable for software designers, security specialists, and organizations seeking to strengthen their secure development capabilities in an increasingly complex digital landscape.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
IJISAE open access articles are licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. This license requires the audience to give appropriate credit, provide a link to the license, and indicate if changes were made; if they remix, transform, or build upon the material, they must distribute their contributions under the same license as the original.