A Maturity Model for Secure Software Design: A Multivocal Study

Hassan Al-Matouq, Sajjad Mahmood, Mohammad Alshayeb*, Mahmood Niazi

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

12 Scopus citations


Security is one of the most important software quality attributes. Software security is about designing and developing secure software that does not allow the integrity, confidentiality, and availability of its code, data, or service to be compromised. Organizations tend to consider security as an afterthought, and they continue to suffer from security risks. Developing secure software requires taking security into consideration in all phases of the Software Development Life Cycle (SDLC). Several approaches have been developed to improve software quality, such as Capability Maturity Model Integration (CMMI). However, software security issues have not been addressed in a proper manner and incorporating security practices into the SDLC remains a challenge. The objective of this paper is to develop a framework to improve the process of designing secure products in software development organizations. To achieve this objective, a Multivocal Literature Review (MLR) was conducted to identify the relevant studies in both the formal and grey literature. A total of 38 primary studies were identified, and available evidence was synthesized into 8 knowledge areas and 65 best practices to build a Secure Software Design Maturity Model (SSDMM). The framework was developed based on the structure of CMMI v2.0 and evaluated through case studies in real-world environments. The case study results indicate that SSDMM is useful in measuring the maturity level of an organization for the secure design phase of SDLC. SSDMM will assist organizations in evaluating and improving their software design security practices. It will also provide a foundation for researchers to develop new software security approaches.

Original language: English
Article number: 9268931
Pages (from-to): 215758-215776
Number of pages: 19
Journal: IEEE Access
State: Published - 2020

Bibliographical note

Funding Information:
This work was supported by the Deanship of Scientific Research at King Fahd University of Petroleum and Minerals, Saudi Arabia, under Grant IN171008.

Publisher Copyright:
© 2013 IEEE.


  • Software design
  • capability-based security
  • software quality

ASJC Scopus subject areas

  • Computer Science (all)
  • Materials Science (all)
  • Engineering (all)

