Security is a critical software quality attribute. The secure software industry has grown rapidly over the last decade and continues to grow. According to McGraw, software security is about building secure software: designing software to be secure, making sure that software is secure, and educating software developers, architects, and users about how to build secure things. Security is often treated as an add-on feature, and many organizations incorporate security as a patch after software development is complete. In addition, organizations spend a lot of money on good firewalls and antivirus programs, thinking that these products will be enough to make their software secure. However, this approach still does not work reliably, and organizations remain prone to security risks and cyber-attacks that take advantage of security flaws.

With the increase in software security challenges, organizations tend to procure off-the-shelf products from suppliers. However, organizations are not fully familiar with the challenges of software acquisition. It is imperative to have a complete understanding of how to assess a supplier's readiness for secure software development before selecting that supplier. In addition, organizations should have a process to evaluate contractual and technical controls prior to procuring software. Moreover, certain processes should be in place before a supplier is selected, such as evaluating the supplier's skilled human resources, appropriate infrastructure, product quality, track record of successful projects and software escrow arrangements.

The objective of this research proposal is to develop a Readiness Model for Secure Software Acquisition (RMSSA) to assist organizations in selecting suppliers who can provide secure software. We will employ state-of-the-art techniques such as evidence-based approaches and industrial empirical studies to develop the proposed model. In addition, we will conduct case studies to evaluate the use of RMSSA in a real-world environment.

RMSSA will substantially improve the selection of appropriate software suppliers who can develop and provide secure software. This work will provide researchers in the field of software security with the knowledge needed to evaluate the readiness of software suppliers to provide suitably secure software. New secure software acquisition practices will then be developed to address the high number of security issues currently reported in the procurement of off-the-shelf products. In addition, the project outcomes will give software organizations the ability to measure the readiness of software suppliers to develop secure software. Ultimately, this work will place software organizations in a better position to acquire software that is more secure. RMSSA will be available to researchers and software practitioners via our website. Managers of local software development organizations will be able to use RMSSA to evaluate the strengths and weaknesses of software suppliers in terms of developing secure software.
Effective start/end date: 1/04/20 → 1/04/22