Project Details
Description
Different approaches have been developed to improve the quality of software, such as Capability Maturity Model Integration (CMMI) [1]. The core objective of CMMI is to determine an organization's capability by gauging the degree to which its software processes are defined and managed. CMMI comprises 22 process areas, which guide software development organizations in what to do in each phase of the software development life cycle. However, no CMMI process area has been designed to address software security in general, or requirements engineering security in particular. This does not mean that software security problems were never raised before; rather, these problems were underestimated, misunderstood and not addressed the way they should have been [2, 3]. Traditionally, security considerations are incorporated as an afterthought, leading to a cycle of penetrate and patch. In addition, organizations spend large sums on firewalls, intrusion detection systems, antivirus software, antispyware software and encryption mechanisms [4]. However, this approach is not working, and organizations continue to suffer security incidents caused by the exploitation of security flaws in the software itself [3]. Software security is about building secure software: designing software to be secure, verifying that it is secure, and educating software developers, architects and users about how to build secure systems [5]. Software is considered secure if it does not allow the confidentiality, integrity or availability of its data, code or services to be compromised [6]. Some work has been conducted on information security maturity, the capability of digital forensics organizations and IT security maturity, where the focus is on the ability of organizations to meet their security objectives [7-10].
However, incorporating security practices and processes into the individual phases of the software development life cycle, such as the requirements phase, remains a challenge. The aim of this research is to develop a requirements engineering security maturity model (ReqSecure) to assist software development organizations in better specifying requirements for secure software. We will follow the structure of CMMI in developing ReqSecure. We will employ practical, evidence-based approaches to develop ReqSecure, namely a systematic literature review and empirical studies with the software industry. This two-step process will give us confidence in the reliability of the collected data. In addition, we will conduct case studies to evaluate ReqSecure in a real-world environment. ReqSecure is intended to reduce the software security issues currently reported in software development projects. This work will provide other researchers with a firm basis for developing new software security approaches, and new software security practices can then be developed to address the high number of security issues currently reported in software development projects. In addition, the project outcomes will give software development organizations the ability to measure their maturity in specifying requirements for secure software. Ultimately, this work will put software development organizations in a better position to deliver software that is more secure. ReqSecure will be available to Saudi researchers and software practitioners via our website. Managers of local Saudi software development organizations will be able to use ReqSecure to evaluate their strengths and weaknesses in designing, implementing, improving and measuring suitable processes to effectively manage their requirements engineering security.
| Status | Finished |
|---|---|
| Effective start/end date | 11/04/17 → 10/04/19 |