A Study on Incorporating Privacy and Security Practices in the Development of Software
Abstract— Over the past few decades, organizations have faced many challenges in designing secure software. Software manufacturers adopt different kinds of Software Development Lifecycles (SDLC) to design and develop their software applications or systems. These traditional SDLC practices do not address security while a software product is being built, and this omission often leads to software vulnerabilities at later stages. In this research, our primary focus is to study different methodologies for incorporating security practices into the standard software development lifecycle. We mainly analyze methods of embedding security activities into the Agile methodology and examine, with the help of security metrics, to what extent this helps organizations build their software products.
Index Terms— Software Development Lifecycle (SDLC), Software Vulnerabilities, Agile, Security Metrics.
I. INTRODUCTION
Nowadays, software applications and systems are in great demand across the world. The tremendous growth of network and Internet services such as Cloud Computing, the Internet of Things (IoT) and Mobile Edge Computing (MEC) has attracted a huge number of people who want to make their lives simpler and easier. It is this demand from the outside world that drives software industries and organizations to build applications and systems that meet customers' requirements irrespective of platform. People across the world have started using these software applications and systems to store, process or share their information. It is good that many organizations have come up with software applications and systems that help people lead a comfortable life. But many incidents over the past few decades in which these applications and systems were exploited have made many people hesitant to depend on current software applications and systems. The primary reason behind this hesitation is that customers worry about the security and privacy of the information they entrust to these applications.
Customers increasingly face ambiguity about how securely and privately their personal information is maintained, processed, shared and handled once their data is transferred over a common medium, the Internet. However, this is not a deficiency of the user or customer. Software organizations typically face many challenges while designing or building software applications or systems, among which security and privacy play a crucial role and need to be taken care of at each phase of design and development. This is because customers may always request or demand that the organization include certain things in their software.
One of these is the functionality of the software application or system, which must be correct and delivered rapidly at low cost. This makes organizations pressure their product teams, which increases the chances of introducing errors or bugs and sometimes leads to neglecting problems that may surface in the future. One of these problems is the security and privacy aspect of a software application or system. Security and privacy are considered non-functional requirements, since they add no functionality to the application or system, but they affect the quality of the products the organization designs and releases. The problem becomes more complex with large-scale development of software applications within the organization. Moreover, the software is not confined to working in one environment; there may be various other environments in which these applications or systems are used once they are on the market. Nevertheless, organizations are very careful to deliver adaptable, fast and better software applications or systems with more functionality that can be delivered rapidly to all their customers or users.
On the other hand, it is also important for organizations to handle the business logic and the flow of implementing different software applications or systems properly. For this, the organization must investigate the business functionality of the software and how it is built. So it is crucial for organizations to cover these three dimensions, the business, process and technical sides, when designing and building secure software applications and systems using a software development process. Organizations make use of different practices that consist of a certain number of steps or phases; these are known as Software Development Lifecycles (SDLC). There are different types of SDLC that can be used to design and develop software applications or systems at large scale. Selecting a proper SDLC plays a vital role in the development of a software application or system, and the choice always depends on the user or customer and on the complexity of the software being developed. There are seven key terms that are always included in any software development lifecycle an organization follows. The cyclic representation in Fig. 1 shows the five phases involved in the development of every software application or system.
Fig. 1. Different steps or phases involved in a Software Development Lifecycle (SDLC).
In this research, we mainly focus on how to incorporate or embed privacy and security practices in different SDLCs and on how this benefits organizations in providing security and maintaining privacy for the software applications or systems they design and develop, measured with some security metrics. We have structured this paper as follows: In Section II, we discuss existing privacy and security practices that help in the secure development of software applications or systems. Section III describes different ways of embedding or integrating these privacy and security practices into various Software Development Lifecycles (SDLC). In Section IV, we discuss the benefits of incorporating privacy and security practices in the SDLC. Finally, Sections V and VI discuss the future scope and the conclusion of this research.
II. RELATED WORK
The process of designing software applications or systems is not monolithic. It consists of different units or modules that are integrated and coordinated with each other to build a large software application or system. To design these units or modules more securely, various software engineering methodologies have been introduced at different phases of software development. This is because organizations have to meet the requirements of their customers by delivering efficient and secure software. Below are some of the methodologies that various researchers have proposed for incorporating security aspects into the software development lifecycle (SDLC):
Anuradha Sharma et al. have explored different aspects of incorporating security at various levels of the software development lifecycle (SDLC). In this research, the authors provide a reference of twenty-one directed rules for expanding the software security knowledge of the teams involved in designing and developing software applications or systems. These rules provide in-depth training and knowledge of various security engineering practices. The authors describe some of the best security practices, such as Threat Modeling, Architectural Risk Analysis, and Vulnerability Attack Trees. According to the researchers, Threat Modeling helps to identify and analyze how an external entity or attacker finds scope for exploiting vulnerabilities in software by looking at the various points at which the software can be entered and attacked. Architectural Risk Analysis helps the developer find threats during the design phase by understanding the prerequisites that must be included to prevent security attacks. Vulnerability Attack Trees help in determining an attacker's pathway and show how the various vulnerabilities of a piece of software are linked with each other. Moreover, this research also provides a comparative analysis of Secure SDLC against the traditional SDLC model.
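To make the attack-tree idea concrete, the following is an added illustration (not code from Sharma et al. or any of the works surveyed here): a small evaluator for a tree whose root is an attacker goal, whose internal nodes are AND (every child step is required) or OR (any one child suffices), and whose leaves carry an assumed attacker cost and a flag recording whether a mitigation is already in place. The sample tree, its node names and the cost figures are all constructed for the example. Evaluating the tree yields the cheapest path still open to the attacker, and trying each mitigation in turn shows which control raises that cost the most, which is how a design-phase risk analysis would rank its work.

```python
"""Attack-tree evaluation (constructed example for illustration)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "leaf"        # "leaf", "and" or "or"
    cost: float = 0.0         # leaf only: assumed attacker effort (constructed units)
    mitigated: bool = False   # leaf only: a control in place makes this step infeasible
    children: List["Node"] = field(default_factory=list)


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf names) of the cheapest feasible path to this node.

    Cost is INF when every route to the node is blocked by a mitigation."""
    if node.kind == "leaf":
        return (INF, []) if node.mitigated else (node.cost, [node.name])
    if node.kind == "or":
        # OR: the attacker picks the cheapest child that is still feasible
        best: Tuple[float, List[str]] = (INF, [])
        for child in node.children:
            candidate = cheapest_path(child)
            if candidate[0] < best[0]:
                best = candidate
        return best
    if node.kind == "and":
        # AND: every child is needed, so costs add and one blocked child blocks all
        total, steps = 0.0, []
        for child in node.children:
            cost, child_steps = cheapest_path(child)
            if cost == INF:
                return (INF, [])
            total += cost
            steps.extend(child_steps)
        return (total, steps)
    raise ValueError(f"unknown node kind {node.kind!r}")


def unmitigated_leaves(node: Node) -> List[Node]:
    """Collect every leaf that still has no control in place."""
    if node.kind == "leaf":
        return [] if node.mitigated else [node]
    return [leaf for child in node.children for leaf in unmitigated_leaves(child)]


def mitigate(root: Node, leaf_name: str) -> bool:
    """Mark the named leaf as mitigated; returns False if no such leaf exists."""
    for leaf in unmitigated_leaves(root):
        if leaf.name == leaf_name:
            leaf.mitigated = True
            return True
    return False


def most_valuable_mitigation(root: Node) -> Optional[Tuple[str, float]]:
    """Try mitigating each open leaf in turn and report the one that raises the
    attacker's cheapest remaining cost the most, as (leaf name, new cost)."""
    best: Optional[Tuple[str, float]] = None
    for leaf in unmitigated_leaves(root):
        leaf.mitigated = True
        new_cost = cheapest_path(root)[0]
        leaf.mitigated = False          # undo the trial so the tree is unchanged
        if best is None or new_cost > best[1]:
            best = (leaf.name, new_cost)
    return best


def build_sample_tree() -> Node:
    """Constructed tree for a hypothetical records service (not from the paper)."""
    return Node("read another customer's records", "or", children=[
        Node("hijack a legitimate session", "and", children=[
            Node("phish user credentials", cost=3),
            Node("defeat second factor", cost=8),
        ]),
        Node("abuse the records API", "or", children=[
            Node("guess another customer's record id", cost=2),
            # parameterised queries are assumed already in place, so this leaf is closed
            Node("inject into the search query", cost=5, mitigated=True),
        ]),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    print("cheapest open path:", cheapest_path(tree))
    print("best next control:", most_valuable_mitigation(tree))
    mitigate(tree, "guess another customer's record id")
    print("after adding an authorization check:", cheapest_path(tree))
```

Run stand-alone, the script first reports the record-id guessing leaf as the cheapest open path, then shows that closing it (an object-level authorization check) raises the attacker's cheapest remaining route to the full session-hijack chain, while closing either hijack step alone changes nothing because the API branch stays open. That second result is the point of drawing the tree: controls are only worth as much as the most expensive path they leave behind.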
Dr. Dheerendra Singh et al. in their research provide an analysis of integrating security into the software development lifecycle (SDLC). The researchers study the roles of architects and developers in secure SDLC practices that help with Access and Identity Control, Classification of Risks, Assessment of Risks and maintaining security. According to their analysis, the Requirement Phase must accommodate a group of members from the security team whose role is to govern security issues and advise the other members of the requirements team, so as to reduce vulnerabilities at the early stages of building a software product. The authors provide a set of principles that must be applied in the Design Phase. Some of these principles are adding and removing access to services based on the task or functionality, restoring the service or system to its default state if the action performed by the attacker fails, and declining access; in addition, information about the practice or process followed should not be shared with external entities. The role of developers in the Development Phase has a major impact on the security of the software: developers must be very attentive to their code, which may later lead to major threats. The Testing Phase also has a crucial role in identifying the kinds of security concerns that would arise once the software is delivered. The team responsible for the Testing Phase also needs to verify whether the product meets the customer's requirements.
According to Vaishali et al., customers are always interested in software products or services that are free from bugs and vulnerabilities. The main motive of their research is to introduce security and risk assessment practices into the regular SDLC model. Their study indicated that most traditional SDLC practices perform security testing at later stages of software development, which results in software bugs and introduces new risks to the software. The researchers have proposed a new Secure Software Development Lifecycle (SecSDLC) that involves two major phases. The initial phase consists of testing security aspects at every phase of the traditional SDLC, starting at the early stages. The authors classify the process of Risk Management into three categories: Risk Assessment, Risk Mitigation, and Risk Evaluation. These three practices are responsible for risk management tasks such as assessing the Requirements, Development, Implementation, and Maintenance of the software products or services being developed. Their research also provides a comparison between different development methods, namely the Open Software Assurance Maturity Model (OpenSAMM), Microsoft SDL and SecSDLC, based on the Common Criteria (CC).
Arwa Albuolayan et al. in their research have proposed an extended model of the traditional software development lifecycle (SDLC), supported by a case study. This extended model ensures that security aspects are maintained in the SDLC from the earlier stages. A case study analyzing practical observations was used to investigate whether the newly proposed Secure SDLC can be used by various organizations for the development of any software product or service. The main goal of their research is to involve software engineers in integrating security into the SDLC and to bring Project Managers into the picture to review the security policies used at different stages of the SDLC. They define the term Unit Analysis, which states that at each development phase of the software product or service the software engineers and the project manager play a crucial role in reviewing the security policies. They have also designed a framework for the Secure SDLC approach that includes Security Standards and Policies, Tools, Processes, and Skillsets, which are maintained by the engineers and managers.
Chandramohan Muniraman et al. have explored and suggested a few methods for embedding security into software applications or services from the initial phase through to the final phase of developing the software product. The authors' main goal is to apply Threat Modeling using Abuse and Misuse cases, which help manage the risks of the software product or service at the Requirement Phase itself. They strongly prefer to refer to the requirement analysis and specification documents that are generated through group client meetings. Each group includes at least one head from each department, such as the database administrator, security administrator, developer, and architect. This approach proved impressive for developing the product, as teams collaborate on whether to proceed with the other phases of software development. The researchers placed more emphasis on the Design Phase, where most of the security questions need to be answered before development begins. Some of these are maintaining access rights based on user roles, the design of the architecture and functionality, and Application/Product Security. Moreover, the researchers found that the Testing Phase must include multiple code reviews, the removal of unwanted functional properties, and the involvement of trusted third parties in maintaining the security policies.
REFERENCES
[1] A. Senarath and N. A. G. Arachchilage, "The Unheard Story of Organizational Motivations Towards User Privacy," in Security, Privacy, and Forensics Issues in Big Data, Advances in Information Security, Privacy, and Ethics, pp. 280–303, 2020.
[2] M. G. Nagler, "Negative Externalities, Competition and Consumer Choice," The Journal of Industrial Economics, vol. 59, no. 3, pp. 396–421, 2011.
[3] S. Brooks, M. Garcia, N. Lefkovitz, S. Lightman, and E. Nadeau, "An introduction to privacy engineering and risk management in federal systems," 2017.
[4] R. Madge, "GDPR's global scope: the long story," Medium, 26-May-2018. [Online]. Available: https://medium.com/mydata/does-the-gdprapply-in-the-us-c670702faf7f. [Accessed: 15-Sep-2019].
[5] J. Yang, A. Lodgher, and Y. Lee, "Secure Modules for Undergraduate Software Engineering Courses," 2018 IEEE Frontiers in Education Conference (FIE), 2018.
[6] M. C. Oetzel and S. Spiekermann, "A systematic methodology for privacy impact assessments: a design science approach," European Journal of Information Systems, vol. 23, no. 2, pp. 126–150, 2014.
[7] R. Selby, "Enabling reuse-based software development of large-scale systems," IEEE Transactions on Software Engineering, vol. 31, no. 6, pp. 495–510, 2005.
[8] A. Steffens, H. Lichter, and J. S. Dring, "Designing a next-generation continuous software delivery system," Proceedings of the 4th International Workshop on Rapid Continuous Software Engineering (RCoSE '18), 2018.
[9] R. Lekh and Pooja, "Exhaustive study of SDLC phases and their best practices to create CDP model for process improvement," 2015 International Conference on Advances in Computer Engineering and Applications, Ghaziabad, 2015, pp. 997–1003.
[10] "What are the SDLC phases?," GoodFirms, 26-Jul-2017. [Online]. Available: https://www.goodfirms.co/glossary/sdlc/. [Accessed: 15-Sep-2019].
[11] P. K. Misra, "Aspects of Enhancing Security in Software Development Life Cycle," Advances in Computational Sciences and Technology, vol. 10, pp. 203–210, 2017.
[12] G. Raj, D. Singh, and A. Bansal, "Analysis for security implementation in SDLC," 2014 5th International Conference – Confluence The Next Generation Information Technology Summit (Confluence), 2014.
[13] M. Khari, Vaishali, and P. Kumar, "Embedding security in Software Development Life Cycle (SDLC)," 2016 3rd International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, 2016, pp. 2182–2186.
[14] N. S. A. Karim, A. Albuolayan, T. Saba, and A. Rehman, "The practice of secure software development in SDLC: an investigation through existing model and a case study," Security and Communication Networks, vol. 9, no. 18, pp. 5333–5345, 2016.
[15] C. Muniraman and M. Damodaran, "A Practical Approach to Include Security in Software Development," Issues in Information Systems, vol. 8, 2007.