Software Testing Security Maturity Model (STSMM)

Project: Research

Project Details

Description

Security is an important attribute of quality software. Software is considered secure if it does not allow the confidentiality, integrity, or availability of its data, code, or services to be compromised [1]. According to McGraw, software security is about building secure software: designing software to be secure, making sure that software is secure, and educating software developers, architects, and users about how to build secure things. Organizations spend large amounts of money purchasing intrusion detection systems, antivirus software, antispyware software and encryption mechanisms. However, these solutions are not enough, and organizations continue to suffer security risks due to the ever-growing list of security vulnerabilities. The Capability Maturity Model (CMMI) is a well-established approach developed to help improve the quality of software. CMMI is structured around twenty-two process areas, which act as a guide to developing quality software. However, no process area in CMMI has been designed to address software security issues. Hence, incorporating security practices and processes into the different phases of the software development life cycle remains a challenge, one that can be addressed through a software testing security maturity model. Software security testing practices within the software development life cycle tend to be far from mature and are usually carried out in an ad-hoc manner. Because of these less mature testing processes, organizations are prone to ineffective testing practices that fail to detect defects, including serious security-related failures. The objective of this research is to develop a Software Testing Security Maturity Model (STSMM) to assist software development organizations in better testing the security aspects of their software. We will utilize the CMMI structure in the development of STSMM. We will employ evidence-based approaches, including a systematic literature review and industrial empirical studies, to develop the proposed model.
In addition, we will conduct case studies to evaluate the use of STSMM in a real-world environment. STSMM will significantly influence the software security issues that are currently affecting software development projects. This work will provide other researchers with a firm foundation on which to develop new software testing security approaches. In addition, the project outcomes will provide software development organizations with the ability to measure the maturity of their secure testing capabilities. Ultimately, this work will place software development organizations in a better position to deliver software that is more secure. STSMM will be available to Saudi researchers and software practitioners via our website. Managers of local Saudi software development organizations will be able to use STSMM to evaluate their strengths and weaknesses in terms of testing, and to measure suitable processes for effectively managing their software testing security.
Status: Finished

Effective start/end date: 15/04/19 to 15/10/20
