4.2 Findings of Empirical Study
The empirical investigation was carried out to gather responses from experts working with RE security practices in GSD organizations. Responses were collected through an online questionnaire using a five-point Likert scale. Respondents indicated their level of agreement with each statement as "Strongly Agree (SA)", "Agree (A)", "Neutral (N)", "Disagree (D)" or "Strongly Disagree (SD)". We grouped the responses into three categories: positive ("strongly agree" and "agree"), negative ("strongly disagree" and "disagree"), and "neutral". The positive category summarizes the share of survey participants who agreed that the identified RE security practices can have a positive impact on SSD. The survey results are presented in Table 1.
In Table 1, "SRE1" means "Security Requirements Engineering Practice Category 1 for GSD organizations in the SSD process", "SRE2" means "Security Requirements Engineering Practice Category 2", and so on up to "SRE11". Similarly, "P1" means "Practice 1". We grouped the 70 identified SRE practices into 11 fundamental categories, as shown in Table 1. The survey findings show that the category "SRE1: Awareness of SRE" ranks highest among the identified practices, with 84% positive responses. Requirements are gathered in a number of ways, including interviews, focus groups, and brainstorming sessions. SRE is distinct in that it aims to ensure security by addressing the three pillars of information security, namely confidentiality, integrity, and availability [25].
The importance of security requirements in secure software engineering cannot be overstated. The best practices commonly used to handle security risks at the requirements engineering stage of the SDLC are listed in Table 1. The survey respondents confirmed that these practices assist global software development (GSD) organizations in their SSD processes.
Table 1 shows that the most common security requirements engineering (SRE) practices are: well-defined client roles and resource capabilities; abuse and misuse cases; recording the rationale for security requirements; performing security requirements specification; and defining standard templates for describing authentication, authorization, immunity, privacy, integrity, non-repudiation, intrusion detection, and system maintenance security requirements. The SQUARE (Security Quality Requirements Engineering) technique supports the elicitation, categorization, and prioritization of security requirements for IT systems and applications [51]. Various researchers [10, 26, 52] and GSD industry practitioners have stressed the relevance of including SRE in the SSD process. These activities yield outcomes that are inextricably tied to the software's economic value [53].
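As an added illustration of three of the practices named above (standard requirement templates, recorded rationale, and abuse/misuse cases), the following Python example shows what a machine-checkable version of such a template can look like. It is not code from the paper or its survey; the field names, the check rules (a requirement must be phrased as an obligation, carry a rationale and a verification method), and the sample requirements and misuse cases are this example's own assumptions, and the sample data is constructed rather than taken from Table 1.

```python
from dataclasses import dataclass, field

# Requirement kinds named in the "standard templates" practice (Table 1).
REQUIREMENT_KINDS = (
    "authentication", "authorization", "immunity", "privacy", "integrity",
    "non-repudiation", "intrusion detection", "system maintenance",
)


@dataclass
class SecurityRequirement:
    """One entry in the template. Field names are this example's assumption."""
    id: str
    kind: str               # one of REQUIREMENT_KINDS
    statement: str          # the requirement text ("The system shall ...")
    rationale: str = ""     # why it exists: threat, regulation, or client need
    verification: str = ""  # how it will be checked: test, review, scan


@dataclass
class MisuseCase:
    """A misuse case: a hostile actor, its goal, and the requirements that block it."""
    id: str
    misuser: str
    goal: str
    mitigated_by: list = field(default_factory=list)  # requirement ids


def requirement_issues(req):
    """Return the template fields a single requirement fails to satisfy."""
    issues = []
    if req.kind not in REQUIREMENT_KINDS:
        issues.append(f"unknown kind {req.kind!r}")
    if "shall" not in req.statement.lower():
        issues.append("statement is not phrased as an obligation")
    if not req.rationale.strip():
        issues.append("missing rationale")
    if not req.verification.strip():
        issues.append("missing verification method")
    return issues


def coverage_report(requirements, misuse_cases):
    """Cross-check a specification: every kind covered, every requirement complete,
    every misuse case mitigated by a requirement that actually exists."""
    ids = {r.id for r in requirements}
    kinds = {r.kind for r in requirements}
    incomplete = {}
    for r in requirements:
        issues = requirement_issues(r)
        if issues:
            incomplete[r.id] = issues
    return {
        "uncovered_kinds": [k for k in REQUIREMENT_KINDS if k not in kinds],
        "incomplete_requirements": incomplete,
        "unmitigated_misuse_cases": [m.id for m in misuse_cases if not m.mitigated_by],
        "dangling_references": sorted(
            {ref for m in misuse_cases for ref in m.mitigated_by if ref not in ids}
        ),
    }


def render(req):
    """Render one requirement in a fixed, reviewable layout."""
    return (
        f"[{req.id}] ({req.kind})\n"
        f"  Statement:    {req.statement}\n"
        f"  Rationale:    {req.rationale or '<none>'}\n"
        f"  Verification: {req.verification or '<none>'}"
    )


# Constructed sample specification (not from the paper's survey data).
SAMPLE_REQUIREMENTS = [
    SecurityRequirement("SR-1", "authentication",
        "The system shall require MFA for all remote administrative logins.",
        rationale="Misuse case MU-1: credential stuffing against the admin portal.",
        verification="Integration test: login without second factor is rejected."),
    SecurityRequirement("SR-2", "authorization",
        "The system shall enforce per-tenant isolation on every API call.",
        verification="Automated test with two tenants' tokens."),
    SecurityRequirement("SR-3", "integrity",
        "Release artifacts shall be signed and verified before deployment.",
        rationale="Supply-chain tampering between build and deploy.",
        verification="CI step fails on missing or invalid signature."),
]

SAMPLE_MISUSE_CASES = [
    MisuseCase("MU-1", "external attacker", "reuse leaked admin passwords", ["SR-1"]),
    MisuseCase("MU-2", "malicious tenant", "read another tenant's records", ["SR-9"]),
    MisuseCase("MU-3", "compromised build agent", "ship a backdoored artifact"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUIREMENTS:
        print(render(r))
    print(coverage_report(SAMPLE_REQUIREMENTS, SAMPLE_MISUSE_CASES))
```

Run on the sample data, the report flags the five template kinds with no requirement at all, SR-2 for its missing rationale, MU-3 as a misuse case nothing mitigates, and SR-9 as a reference to a requirement that does not exist. In a GSD setting, where the client, the analysts and the developers are in different locations, a check like this is what turns "define standard templates" and "record rationale" from a document convention into something that can be enforced in review or CI.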