Security risks of global software development life cycle: Industry practitioner's perspective
Khan, Rafiq Ahmad; Khan, Siffat Ullah; Akbar, Muhammad Azeem; Alzahrani, Musaad (2022-11-23)
Content will be made public: 24.11.2023
Post-print / Final draft
Journal of Software: Evolution and Process
John Wiley & Sons Ltd.
School of Engineering Science
All rights reserved.
© 2022 John Wiley & Sons Ltd.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi-fe2023021727661
Abstract
Software security has become increasingly important because malicious attacks and other hacker risks to computer systems have grown in the last few years. As a result, several researchers have examined security solutions as early as the requirements engineering phase. With the growth of the software business and the internet, there is a need to understand the security risks against each phase of the software development life cycle (SDLC). This study aims to empirically investigate and prioritize the risks that could negatively impact the software security aspects of the SDLC in the context of global software development (GSD). To achieve the study objectives, we conducted an industrial empirical study to determine the impact of software security threats against each phase of the SDLC. Furthermore, the fuzzy analytical hierarchy process (FAHP) was used to prioritize the list of software security risks against the SDLC. The results and analysis of this study provide a rank-based decision-making framework, which assists practitioners in considering the most critical security risks as a priority. The results show “improper plan for secure requirement identification, inception, authentication, authorization, and privacy,” “lack of threat models updating,” “lack of output validation,” “lack of certification in the final release and archive,” and “spoofing” as the top-ranked security risks of SDLC in GSD. In addition, the application of FAHP is novel in this domain, as it is helpful for addressing multicriteria decision-making problems.
Citation
Khan, RA, Khan, SU, Akbar, MA, Alzahrani, M. Security risks of global software development life cycle: Industry practitioner's perspective. J Softw Evol Proc. 2022;e2521. doi:10.1002/smr.2521
Original web address
https://onlinelibrary.wiley.com/doi/10.1002/smr.2521