1. Introduction
In recent years, software has become an important and integral part of our daily activities. Software security has gained importance in research because attacks on software systems have become more frequent. Security flaws and vulnerabilities stem from badly written software that attackers can exploit with little effort. Most software is designed and put into use without considering its security needs [1], and the majority of companies treat security as a post-development activity [2]. Every day, new threats from inside and outside the company endanger the availability and integrity of the company's data, resulting in heavy financial loss and other damage [3].
Integrating security into the software engineering paradigm is essential to securing the software development life cycle from its earliest stages [4]. Many researchers have therefore considered security from the outset of software development, starting with requirements engineering (RE) [5]. The development process must shape the security properties of its products by adding security practices that prevent defects [6]. Building secure software requires attention to four stages: security requirements and protocol design, implementation, and testing, covering the complete set of security needs [7]. The aim of this process is to improve security requirements, apply threat modeling during software design, and follow best security practices during development, code review, and testing [8]. The process needs continual updating to ensure that software products remain safe, and research is needed to identify which methods, notations, tools, and techniques are gaining adoption [9]. Vulnerabilities are often caused by neglecting security [10]. The "fix and penetrate" approach, in which security is checked only after a project is finished, is used even by the most conscientious companies [10].
Multiple efforts have been made to design, develop, and maintain secure software systems, including the work of Verdon and McGraw [11], the Microsoft Trustworthy Computing Security Development Lifecycle [12], TSP Secure (Team Software Process for Secure Software Development) [13], and the Secure Software Development Process Model (S2D-ProM) [14]. Niazi et al. [10] developed the Requirements Engineering Security Maturity Model (RESMM); further examples are the Comprehensive, Lightweight Application Security Process (CLASP) [15] and the Secure Software Development Model (SSDM) [16]. Al-Matouq et al. [17] designed a Secure Software Design Maturity Model (SSDMM).
The above discussion shows that software security must be addressed from the start. Integrating security awareness into the SDLC at the RE stage is a current research topic that still needs to be implemented in real-world software businesses [10]. The literature reveals that little work has been performed on secure requirements engineering (SRE), and no published work uses the Interpretive Structural Modeling (ISM) approach to categorize RE practices for secure software development (SSD) and find the interrelationships between them in the context of global software development (GSD). There is therefore a clear need to study:
The state of the art on software security in the context of secure requirements engineering (SRE).
The RE security practices that assist global software development (GSD) organizations in specifying the requirements for secure software development (SSD).
The interrelationships between the categories of RE security practices, found by applying Interpretive Structural Modeling (ISM).
The following research questions were designed to achieve the goals of this research.
RQ1: Which software security practices are required to assist GSD organizations in specifying the requirements for SSD processes?
RQ2: What are the interrelationships among the RE security practices that will assist GSD organizations in better managing SSD activities?
The rest of the paper is structured as follows: Section 2 covers the background and related work, and Section 3 covers the research methods of this study. Section 4 presents the results in detail, while Section 5 presents a summary, implications, and future work. Section 6 presents the limitations of the research.