7. Conclusion
Software has become an indispensable part of human life, and we live in the internet of everything. Software security is therefore critical: a malware attack can cause extreme damage to any piece of software, compromising integrity, authentication, and availability, and can result in breaches of personal information, among other consequences. To develop secure software, it is important to consider security practices from the beginning of the software development life cycle. This paper investigates the important practices to consider in the requirements engineering phase for SSD in the GSD domain. Through an empirical study with experts, we explored 70 practices, which were taxonomized into 11 fundamental dimensions (categories) to assist GSD organizations in specifying the requirements for SSD.
Additionally, we analyzed the interrelationships among the core dimensions of the identified practices to check their dependency, interdependency, and independency. The results show that the "awareness of secure requirement engineering" category has the most decisive influence on the other ten core categories of the identified security practices. The "requirements elicitation" category is fully dependent on just one category, i.e., "awareness of secure requirement engineering," and the other categories are fully dependent on both of these categories. We further performed the MICMAC analysis to check the right cluster of the requirements engineering categories. The results show that the "awareness of secure requirement engineering", "requirements elicitation", and "analysis and negotiations of security requirements" categories are considered driving variable categories and have, thus, been isolated from the system. It is noted that "methods and tools" has strong driving and dependency power and influences other enablers owing to a strong relationship. This renders all the categories interlinked with each other but not fully dependent on any category. We believe the results and discussion of this study will serve as a body of knowledge for the research and practitioner communities to develop effective strategies for considering security from the requirements engineering phase of software development.