5. Summary, Implications and Future Work
In software engineering, it is important to consider, from the very
beginning of a project, the practices needed to develop secure software.
Requirements engineers need to examine the best practices that come with
the GSD paradigm, which the vast majority of software development
companies are now adopting. This research investigates and evaluates the
security practices that requirements engineering teams need to adopt in
the context of GSD, and this paper extends our previously published
systematic literature review.
In the first phase of this research, a questionnaire survey was
conducted with GSD experts. The survey results were used to assess how
important the highlighted RE security practices are in real-world
practice. The data collection process yielded 50 responses that were
retained for the final data sample. According to the frequency analysis,
the 70 RE security practices and their 11 primary categories are linked
to industry practice. The survey results show that the most common
security requirements engineering (SRE) practices are: well-defined
client roles and resource capabilities; abuse and misuse cases; recording
the rationale for security requirements; performing security requirements
specification; and defining standard templates for describing
authentication, authorization, immunity, privacy, integrity,
non-repudiation, intrusion detection, and system maintenance security
requirements. The outcomes of these activities are inextricably tied to
the software's economic value.
In the third phase, we used the ISM technique to investigate the links
among the 11 major RE security practice categories for GSD organizations
in the SSD process. According to the findings, the RE1 "Awareness of SRE"
category is the top-level category for selecting RE practices for SSD:
RE1 is an independent category in the identified list of RE practices for
SSD, and all the other categories depend on it. The ISM results also show
that RE3 "Requirements Elicitation" depends only on the level 3 category
(RE1: Awareness of SRE), whereas all the remaining categories (RE2,
RE4-RE11), which sit at level 1, depend on the level 2 category (RE3).
In other words, the RE2 and RE4-RE11 practice categories depend on both
RE3 and RE1.
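The ISM level partition referred to above is not spelled out in this section, so the following added example (not the paper's own code or data) shows how the reported three-level hierarchy falls out of the standard ISM procedure: build a transitively closed reachability matrix, then repeatedly peel off the elements whose reachability set equals the intersection of their reachability and antecedent sets. The dependency relation is constructed here purely from the findings stated in the text (RE1 drives all categories, RE3 depends only on RE1, RE2 and RE4-RE11 depend on RE3 and RE1); the actual pairwise judgements of the paper's experts are not on this page and are not reproduced.

```python
# Added example: ISM level partitioning over the dependency structure the
# section reports. Reachability relation is CONSTRUCTED from the stated
# findings, not taken from the paper's own reachability matrix.

CATEGORIES = [f"RE{i}" for i in range(1, 12)]

# DEPENDS_ON[x] = categories that x depends on, as summarised in the text.
DEPENDS_ON = {c: set() for c in CATEGORIES}
DEPENDS_ON["RE3"] = {"RE1"}
for _c in CATEGORIES:
    if _c not in ("RE1", "RE3"):
        DEPENDS_ON[_c] = {"RE1", "RE3"}


def _num(name):
    """Sort key so RE2 < RE10 (string order would put RE10 first)."""
    return int(name[2:])


def reachability_matrix(depends_on):
    """Build the final ISM reachability matrix.

    M[a][b] == 1 means 'a influences b' (b depends on a). Every element
    reaches itself, and the matrix is closed under transitivity (Warshall),
    matching the 'final reachability matrix' step of ISM.
    """
    elems = sorted(depends_on, key=_num)
    M = {a: {b: 0 for b in elems} for a in elems}
    for a in elems:
        M[a][a] = 1
    for b, drivers in depends_on.items():
        for a in drivers:
            M[a][b] = 1
    for k in elems:                       # transitive closure
        for a in elems:
            if M[a][k]:
                for b in elems:
                    if M[k][b]:
                        M[a][b] = 1
    return M


def ism_levels(M):
    """Iterative ISM level partition.

    At each round, an element whose reachability set (within the remaining
    elements) equals the intersection of its reachability and antecedent
    sets is placed at the current level and removed. Level 1 holds the most
    dependent elements; the last level holds the independent driver(s).
    """
    remaining = set(M)
    levels = []
    while remaining:
        level = []
        for e in sorted(remaining, key=_num):
            reach = {b for b in remaining if M[e][b]}
            ante = {a for a in remaining if M[a][e]}
            if reach == reach & ante:
                level.append(e)
        if not level:  # cannot occur for a transitively closed matrix
            raise ValueError("no element could be assigned to a level")
        levels.append(level)
        remaining -= set(level)
    return levels


def driving_dependence_power(M):
    """(driving power, dependence power) per element: row sum and column
    sum of the reachability matrix, the inputs to a MICMAC analysis."""
    return {e: (sum(M[e].values()), sum(M[a][e] for a in M)) for e in M}


if __name__ == "__main__":
    M = reachability_matrix(DEPENDS_ON)
    for i, lv in enumerate(ism_levels(M), start=1):
        print(f"Level {i}: {', '.join(lv)}")
    for e, (drv, dep) in driving_dependence_power(M).items():
        print(f"{e}: driving power={drv}, dependence power={dep}")
```

Running it prints RE2 and RE4-RE11 at level 1, RE3 at level 2 and RE1 at level 3, with RE1 holding the highest driving power and the lowest dependence power, which is exactly the structure the paragraph describes; substituting a different dependency relation shows how sensitive the final digraph is to the expert judgements feeding it.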
The study implications for researchers and practitioners are as follows:
- For Researchers: By conducting a thorough assessment of both the
literature and empirical data, the study offers a state-of-the-art
summary of the RE security practices that can positively impact GSD
organizations in SSD procedures. The findings give researchers a body of
knowledge to draw on when developing RE security practices for deploying
SSD approaches. In addition, the study presents a ranked framework for
the observed RE security practice categories: the practices are examined
in terms of their priority ranking and the links between the fundamental
categories of the identified RE security practices. We believe that a
prioritization-based ranking will help researchers focus on the most
significant RE security practice category in their ongoing and future
work.
- For Practitioners: An in-depth literature review and empirical studies
provide industry specialists with a body of information on the RE
security practices for GSD organizations in the SSD process. This
research identifies 70 RE security practices and groups them into 11 core
categories, each of which industry practitioners should focus on
throughout the implementation of RE initiatives for the SSD process.
The prioritization and categorization of the identified practices will
help GSD practitioners attend first to the most significant RE security
practice category. Practitioners will be better placed to revise and
develop new strategies for successfully implementing RE practices if the
security risks they face are first identified and then prioritized. In
addition, this study presents a comprehensive view of the RE security
practice categories, showing practitioners which category is critically
important for SRE. ISM was also introduced as a distinct methodology to
help RE industry experts resolve any ambiguous viewpoints of GSD experts
in the SSD domain.
- Future Work: Although integrating security into RE is extremely
important, the development of security models and techniques for RE
procedures in real-world industry has not received much scholarly
attention. In the future, we will use a fuzzy analytical hierarchy
process (FAHP) to design a framework/model that supports RE in software
development by identifying critical security risks, best practices,
levels of RE practice categories, and a road map. Many fields, including
political, economic, and management sciences, have used AHP extensively
to solve complex problems. When measuring the relative importance of
multiple criteria, classical AHP cannot handle the ambiguity and
vagueness of the decision-maker's judgements; fuzzy AHP was developed to
address this and has outperformed AHP in accuracy and efficiency [57-59].
With these insights in mind, we have chosen fuzzy AHP over other
approaches for our future work. Given the importance of security concerns
in software development, we also intend to create a secure RE maturity
model (SREMM) that will help GSD firms measure their security maturity
level and will recommend best practices for successfully executing RE
activities. SREMM will be built on the SLR and on empirically identified
RE security risks and their best practices, taking guidance from existing
security models in software engineering disciplines. The security maturity
level components will be used to assess a GSD organization's maturity
level in the RE process and to recommend best practices for improving its
RE capabilities. The proposed model will support the GSD industry's
efforts to carry out SRE activities in real-world settings.