SDSMM: Software Design Security Maturity Model

Various approaches to improving the quality of software have been developed, such as capability maturity model integration (CMMI) [1]. The CMMI is a software process improvement model for improving the quality of software development. The structure of the CMMI is based on 22 process areas, which guide how to develop a quality software. However, no process area in CMMI has been designed to address software security issues. In previous studies, software security problems have been addressed; however, these problems were underestimated, misunderstood and not addressed in the manner that they should have been [2, 3]. Traditionally, security considerations tend to be incorporated as an afterthought, leading to a cycle known as "penetrate and patch". In addition, organizations spend large amounts of money purchasing strong firewalls, intrusion detection systems, antivirus software, antispyware software and encryption mechanisms [4]. However, this approach is not working, and organizations continue to suffer security risks due to the exploitation of security flaws [3]. Software is considered to be secure if it does not allow the confidentiality, integrity, and availability of its data, code, or service to be compromised [5]. According to McGraw [6] Software Security is about building secure software: designing software to be secure, making sure that software is secure, and educating software developers, architects, and users about how to build secure things. Previously, some work has been conducted on information security maturity, the capability of digital forensics organizations and IT security maturity, in which the focus is on the ability of organizations to fulfill their security objectives [7]. However, incorporating security practices and processes into different phases of the software development life cycle remains a challenge, one that can be addressed through a software security maturity model. The objective of this research is to develop a software design security maturity model (SDSMM) to assist software development organizations in better design secure software. We will utilize the CMMI structure in the development of SDSMM. We will employ practical and evidence-based approaches, e.g., a systematic literature review and empirical studies within the software industry, to develop the proposed model. This two-step process will ensure our confidence in the reliability of the collected data. In addition, we will conduct case studies to evaluate the use of SDSMM in a real-world environment. SDSMM will significantly impact the software security issues that are currently affecting software development projects. This work will provide other researchers with a firm foundation on which to develop new software design security approaches. In addition, the project outcomes will provide software development organizations with the ability to measure their maturity of secure design development. Ultimately, this work will place software development organizations in a better position to deliver software that is more secure. SDSMM will be available to Saudi researchers and software practitioners via our website. Managers of local Saudi software development organizations will be able to use SDSMM to evaluate their strengths and weaknesses in terms of designing, implementing, improving and measuring suitable processes for effectively managing their software security.