Analysis of Secure Software Process Models and Metrics in Development

Added on 2020/04/21
Summary
This report examines secure software process models and metrics, which are central to developing reliable and safe systems. It describes safety critical activities, compares life cycle models and the security concerns each raises, and covers process engineering, tool selection, and legal and regulatory requirements. It reviews the Waterfall, V-shaped, Incremental, Spiral, RAD, Extreme Programming and Agile models, noting their security implications and their use in safety critical applications such as aviation and automotive systems. The report also covers threat and risk assessment and the identification of attack types within a taxonomy. It stresses that software safety matters because failures can lead to serious risk and financial loss, that the role of software and its interaction with the rest of the system must be clearly understood, and that security should be addressed proactively throughout the development life cycle by planning, defining standards and building in security measures early. It concludes that formal methods and tools such as UML are needed to support the development of secure systems and to manage the complexity of safety critical systems.
Running head: SECURE SOFTWARE PROCESS MODELS AND METRICS
Secure software process models and metrics
Name of the Student:
Name of the university:
Author note:
Table of Contents
Introduction .......... 2
1. Safety critical activities for reliable software .......... 2
2. Comparison of life cycle model and security concerns in developing secure software .......... 6
3. Use cases for safety critical activities .......... 11
4. Threat assessment of any particular attack .......... 14
5. Identification of attack type within a taxonomy of attack types .......... 15
Conclusion .......... 19
Bibliography .......... 21
Introduction
Safety critical activities are the set of activities, covering hardware, software and human aspects, that are required to carry out safety functions where failure would cause a significant increase in the safety risk to people and to the surrounding environment. This study discusses safety related systems with a view to developing reliable software. Software is said to be safe if it is very unlikely, or at most a rare occurrence, for it to produce an output that could cause or allow a hazard in the system it controls. Software engineering for safety critical computer systems requires a clear and well organised understanding of the exact role of the software and of its interactions with the system. The study describes safety critical activities for developing reliable software, compares life cycle models and their security concerns, and explains the identification of attack types within a taxonomy of attack types.
1. Safety critical activities for reliable software
Software safety is one of the most important topics examined in the various software standards, which specify requirements on behalf of customers, applications and hardware in order to avoid failures in software development and the threats that arise from the interconnection of computer systems [1]. In applications of safety critical systems in particular, software failures can pose a serious threat to human life and cause major financial loss and widespread damage to the environment [2]. Since no standards framework exists that comprehensively addresses the safety of software, there is a need for an accurate treatment of, and emphasis on, software quality and principles, and for a review of the different guidelines and models used in safety critical computing systems.
[1] Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), pp.138-151.
[2] Thomas, D.R., Beresford, A.R. and Rice, A., 2015, October. Security metrics for the android ecosystem. In Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (pp. 87-98). ACM.
Software development for a safety critical system needs a clear understanding of the role of software in, and its interaction with, the system [3]. These systems require the utmost care in their specification, design, implementation, operation and maintenance, as their failure could lead to injury or loss of life and, in turn, to financial loss. This kind of system is considered in this study. Various reliability regimes exist for safety critical systems; for example, a fail-operational system continues to operate when its control systems fail.
Safety critical activities in software engineering are, on the other hand, difficult to achieve. The activities can be described as follows.
First, process engineering and management.
Second, selection of appropriate tools and environment for the particular system.
Third, addressing any legal and regulatory requirements, such as FAA requirements for aviation.
Even so, dependable and seemingly safe designs and structures do fail, for three basic reasons. Well known application areas of safety critical systems include automotive, defence, air traffic and aircraft control, transportation, communications, medical diagnostics, nuclear and thermal power, and instrumentation [4]. Since safety depends on the correct and timely execution of the software, this paper concentrates mainly on the software component of safety critical computer systems, while also taking into account the safety management and safety engineering issues particular to a specific application system.
[3] Almasizadeh, J. and Azgomi, M.A., 2013. A stochastic model of attack process for the evaluation of security metrics. Computer Networks, 57(10), pp.2159-2180.
[4] Boehm, B., Lane, J.A., Koolmanojwong, S. and Turner, R., 2014. The incremental commitment spiral model: Principles and practices for successful systems and software. Addison-Wesley Professional.
Figure 1: Safety critical activities for reliable software
(Source: Walden et al. 2014, p.31 [5])
Since the scope of safety is not confined to the software component alone, but also covers the safety of the whole system of hardware, software, operators or users and environment, the contributions of safety management and safety engineering to software safety are investigated. Most such systems place their reliability and confidence in software to achieve their ultimate objectives [6]. The majority of the safety critical computer systems that software safety is concerned with are real-time control systems, and they require the greatest attention and care in their specification, planning, design, implementation, validation, evaluation and operational support. This study considers safety critical computer systems of this kind with the aim of building safeguards into them [7].
Figure 2: Implication of activities for developing secure software
(Source: Abdelmaboud et al. 2015, p.171 [8])
A software development team follows several practices in order to develop reliable software. One is managing the cost of minimising defects: producing defect-free software and consistently meeting schedules avoids the costs associated with delays, and less time is spent on software repair. Another is the management of defects throughout the development life cycle. A further practice is to measure, for the requirements activities, what percentage of the vulnerabilities injected during requirements work is removed during requirements analysis, threat modelling and the development of abuse cases. After this stage come the design activities, and completion of the design activities leads to the implementation activities, where some percentage of the vulnerabilities injected during design and coding is removed during code review, static and dynamic analysis, and testing.
[5] Walden, J., Stuckman, J. and Scandariato, R., 2014, November. Predicting vulnerable components: Software metrics vs text mining. In Software Reliability Engineering (ISSRE), 2014 IEEE 25th International Symposium on (pp. 23-33). IEEE.
[6] Abdelaziz, A.A., El-Tahir, Y. and Osman, R., 2015, September. Adaptive Software Development for developing safety critical software. In Computing, Control, Networking, Electronics and Embedded Systems Engineering (ICCNEEE), 2015 International Conference on (pp. 41-46). IEEE.
[7] Singh, M., Sharma, A.K. and Saxena, R., 2016. An UML+Z Framework For Validating And Verifying the Static Aspect of Safety Critical System. Procedia Computer Science, 85, pp.352-361.
[8] Abdelmaboud, A., Jawawi, D.N., Ghani, I., Elsafi, A. and Kitchenham, B., 2015. Quality of service approaches in cloud computing: A systematic mapping study. Journal of Systems and Software, 101, pp.159-179.
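The phase-by-phase accounting described above (vulnerabilities injected during one activity, a percentage removed by the checks of that or a later activity, the remainder escaping to release) can be written down as a small model. The following is an added worked example and is not part of the original report; the activity names, injection counts, removal rates and relative fix costs are constructed for illustration, and the rule that a fix costs more the later it is made is an assumption of the example.

```python
"""Phase containment model for vulnerabilities injected and removed per activity.

Added example: each development activity injects some vulnerabilities and its
checks remove a fraction of everything still present, whether injected in that
activity or escaped from an earlier one.  The model reports, per activity, how
much was removed, what share of the activity's own injections it contained, how
many vulnerabilities escape to release, and a relative fix cost under the
assumption that a fix grows more expensive the later it is made.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    name: str
    injected: int             # vulnerabilities introduced during this activity
    removal_rate: float       # share of those present that its checks remove (0..1)
    relative_fix_cost: float  # cost of one fix made during this activity (units)


# Constructed sample figures for illustration only, not measured data.
SAMPLE_ACTIVITIES = [
    Activity("requirements", injected=20, removal_rate=0.50, relative_fix_cost=1.0),
    Activity("design", injected=30, removal_rate=0.40, relative_fix_cost=2.0),
    Activity("implementation", injected=50, removal_rate=0.60, relative_fix_cost=5.0),
    Activity("testing", injected=0, removal_rate=0.70, relative_fix_cost=10.0),
]
RELEASE_FIX_COST = 30.0  # assumed cost of fixing a vulnerability found after release


def run_model(activities, release_fix_cost=RELEASE_FIX_COST):
    """Return (per-activity report, totals) for the given sequence of activities."""
    present = {}   # origin activity -> vulnerabilities still present
    report = []
    fix_cost = 0.0
    for act in activities:
        present[act.name] = present.get(act.name, 0.0) + act.injected
        # This activity's checks remove the same share of every origin's remainder.
        removed_by_origin = {origin: count * act.removal_rate
                             for origin, count in present.items()}
        for origin, removed in removed_by_origin.items():
            present[origin] -= removed
        removed_total = sum(removed_by_origin.values())
        fix_cost += removed_total * act.relative_fix_cost
        own = removed_by_origin.get(act.name, 0.0)
        report.append({
            "activity": act.name,
            "injected": act.injected,
            "removed": removed_total,
            # share of this activity's own injections caught by its own checks
            "containment_pct": (100.0 * own / act.injected) if act.injected else None,
            "escaped": sum(present.values()),
        })
    escaped = sum(present.values())
    fix_cost += escaped * release_fix_cost
    return report, {"escaped_to_release": escaped, "fix_cost": fix_cost}


def with_removal_rate(activities, name, new_rate):
    """Copy of the activity list with one activity's removal rate changed."""
    return [
        Activity(a.name, a.injected,
                 new_rate if a.name == name else a.removal_rate,
                 a.relative_fix_cost)
        for a in activities
    ]


if __name__ == "__main__":
    # Compare the baseline with stronger requirements-stage checks.
    for rate in (0.50, 0.80):
        acts = with_removal_rate(SAMPLE_ACTIVITIES, "requirements", rate)
        rows, totals = run_model(acts)
        print(f"requirements removal rate {rate:.0%}")
        for r in rows:
            pct = "n/a" if r["containment_pct"] is None else f"{r['containment_pct']:.0f}%"
            print(f"  {r['activity']:<15} removed {r['removed']:6.2f}  "
                  f"contained {pct:>4}  escaped {r['escaped']:6.2f}")
        print(f"  escaped to release {totals['escaped_to_release']:.2f}, "
              f"relative fix cost {totals['fix_cost']:.1f}")
```

Running the script with the sample figures shows the effect the paragraph describes: raising the requirements-stage removal rate from 50% to 80% lowers both the number of vulnerabilities escaping to release and the total relative fix cost, because fewer defects survive into the activities where a fix is assumed to be expensive.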
2. Comparison of life cycle model and security concerns in developing secure software
A software process model is an abstract representation of the processes used to develop software. It broadly follows the SDLC approach, which comprises analysis, design, implementation, testing and maintenance.
Waterfall Model
It is one of the traditional models for designing software. It is a well established model and is widely used in government projects and for various purposes in organisations running a project [9]. Because this model calls for planning in the early stages, it catches design flaws before they develop.
V-Shaped Model
It works similarly to the waterfall. A V-shaped life cycle is a sequential path for executing the process of developing software. Compared to the waterfall, testing is emphasised in this model.
Incremental Model
It combines elements of the waterfall model applied in an iterative fashion; each linear sequence produces deliverable increments of the software. The first increment is usually a core product [10]. The core product is used by the customer or undergoes detailed evaluation. Based on the results of that evaluation, a plan is developed for the next increment.
[9] Abdelmaboud, A., Jawawi, D.N., Ghani, I., Elsafi, A. and Kitchenham, B., 2015. Quality of service approaches in cloud computing: A systematic mapping study. Journal of Systems and Software, 101, pp.159-179.
Spiral Model
The model has four phases: planning, risk analysis, engineering and evaluation [11]. In the initial spiral, starting with planning, the requirements are gathered with specific threats in mind.
RAD Model
RAD stands for Rapid Application Development. In this model the functions are usually developed in parallel, as if they were separate projects [12]. The developments are delivered once they have been integrated into a working prototype.
Extreme Programming
An approach to development based on the development and delivery of very small increments of functionality [13]. It relies on constant code improvement, user involvement in the development team and pairwise programming.
Agile Model
Agile development is a type of iterative and incremental development model. Each release is thoroughly tested to ensure that software quality is maintained. Software safety, on the other hand, must apply the principles of safety management, safety engineering and software engineering to build safety critical computer systems, with the objectives of making the system safe, attack free and defended, and of providing a clear separation for assessing and evaluating hazards in line with the principles of software risk management [14]. Within this framework, safety management practices can be developed, for example planning, defining standards, fixing responsibilities, criteria and targets, risk assessment, design for safety, specifying safety requirements, and incorporating capabilities and strategies to address safety issues early with a view to assurance [15]. The framework also examines the integration of applicable generic industrial standards with the software development hierarchy, with regular recurring reviews that include safety experts, creating a focal point for software safety.
Although the waterfall model has several advantages, it also raises security concerns. Once the testing stage is reached it is difficult to go back and change the process, which is a problem if something was not handled adequately at the concept stage. No working software is produced until late in the life cycle. It is not a good model for complex, object-oriented projects, and it is a poor model for long and ongoing projects.
Security measures are well established within the waterfall development life cycle model. By contrast, more and more software projects use the spiral development life cycle model. The spiral model may introduce risks that call for specific expertise. It uses iterative steps that bring changes to every phase of the software development process, and those changes affect security, so that the application may end up with flaws or vulnerabilities that can be exploited in the system. Failure to apply appropriate security measures at every phase opens up vulnerabilities for attackers to exploit and makes patching more costly.
[10] Ahmed, N. and Matulevičius, R., 2014. Securing business processes using security risk-oriented patterns. Computer Standards & Interfaces, 36(4), pp.723-733.
[11] Walden, J., Stuckman, J. and Scandariato, R., 2014, November. Predicting vulnerable components: Software metrics vs text mining. In Software Reliability Engineering (ISSRE), 2014 IEEE 25th International Symposium on (pp. 23-33). IEEE.
[12] Fuggetta, A. and Di Nitto, E., 2014, May. Software process. In Proceedings of the on Future of Software Engineering (pp. 1-12). ACM.
[13] Hamill, M. and Goseva-Popstojanova, K., 2015. Exploring fault types, detection activities, and failure severity in an evolving safety-critical software system. Software Quality Journal, 23(2), pp.229-265.
[14] Holm, H., Shahzad, K., Buschle, M. and Ekstedt, M., 2015. P²CySeMoL: Predictive, Probabilistic Cyber Security Modeling Language. IEEE Transactions on Dependable and Secure Computing, 12(6), pp.626-639.
[15] Zheng, X., Martin, P., Brohman, K. and Da Xu, L., 2014. CLOUDQUAL: a quality model for cloud services. IEEE Transactions on Industrial Informatics, 10(2), pp.1527-1536.
3. Use cases for safety critical activities
There is an increasing desire to exploit the flexibility of software based systems in the context of critical systems where reliability is essential. Examples include the use of embedded systems in various application domains, such as fly-by-wire in avionics and drive-by-wire in automotive systems [16]. Given the high safety requirements in such systems, a thorough design method is important. In particular, the use of redundancy mechanisms to compensate for the faults that occur in any operational system may require complex protocols whose correctness can be non-obvious. Safety mechanisms therefore cannot be "blindly" inserted into a critical system; instead, the overall system development must take safety aspects into account. Furthermore, safety mechanisms often cannot be used off the shelf, but must be designed specifically to satisfy the given requirements.
This can be non-trivial, as well known cases of software failure in practice illustrate, for example the explosive failure of the Ariane 5 rocket in 1996. Any support for the development of safe systems would therefore be valuable. In particular, it is desirable to consider safety aspects already at the design stage, before a system is actually implemented, since removing flaws at the design stage saves cost and time. This is significant; in avionics, for instance, certification costs represent half of the overall costs. There has been a great deal of successful research into using formal methods for the development of safety critical systems. Unfortunately, part of the difficulty of critical systems development is that correctness is often in conflict with cost. It would therefore be useful to apply rigorous means within an industrially efficient development method [17]. The Unified Modeling Language (UML) [UML01] offers an unprecedented opportunity for high-quality critical systems development that is feasible in an industrial setting. As the de facto standard in industrial modelling, a large number of developers are trained in UML, so less training is needed [18]. Likewise, UML specifications may already be available for safety analysis, which again saves time and cost. Compared to previous notations with a user community of similar size, UML is relatively precisely defined, opening up the possibility of advanced tool support to aid the development of safety critical systems. Problems in critical systems development frequently arise when the conceptual independence of the software from the underlying physical layer turns out to be an unfaithful abstraction, for instance in settings such as real-time or, more generally, safety critical systems [19]. Since UML allows the modeller to describe different views of a system, including the physical layer, it seems promising to use UML to address these problems by modelling the interdependencies between the system and its physical environment [20]. While there has been much work addressing real-time systems with UML, and increasing attention to using UML for security, the present work considers safety and fault-tolerance requirements. To support safe systems development, safety checklists have been proposed in [HJL96, Lut96, Hel98] [21]. Here UML is tailored to this application domain by precisely defining some such checks with stereotypes that capture safety requirements and the related physical properties. One can then check whether the constraints associated with the stereotypes are fulfilled in a given specification.
[16] Rosaci, D. and Sarnè, G.M., 2014. Multi-agent technology and ontologies to support personalization in B2C E-Commerce. Electronic Commerce Research and Applications, 13(1), pp.13-23.
[17] Braude, E.J. and Bernstein, M.E., 2016. Software engineering: modern approaches. Waveland Press.
[18] Rostami, M., Koushanfar, F. and Karri, R., 2014. A primer on hardware security: Models, methods, and metrics. Proceedings of the IEEE, 102(8), pp.1283-1295.
[19] Riel, A., Kreiner, C., Macher, G. and Messnarz, R., 2017. Integrated design for tackling safety and security challenges of smart products and digital manufacturing. CIRP Annals-Manufacturing Technology.
[20] Sadeghi, A.R., Wachsmann, C. and Waidner, M., 2015, June. Security and privacy challenges in industrial internet of things. In Design Automation Conference (DAC), 2015 52nd ACM/EDAC/IEEE (pp. 1-6). IEEE.
[21] Demirkan, H. and Delen, D., 2013. Leveraging the capabilities of service-oriented decision support systems: Putting analytics and big data in cloud. Decision Support Systems, 55(1), pp.412-421.
4. Threat assessment of any particular attack
In safety critical systems, an important concept also used here is that of a safety level. Safety goals for safety critical systems are often expressed quantitatively by means of the maximum permitted failure rate [22]. Possible failures include: message loss, which may be due to hardware failures or to software failures such as buffer overflows; message delay, which may in turn result in the reordering of messages if the delay is variable; and message corruption, when a message is altered in transit. Types of redundancy commonly used include space redundancy (physical copies of a resource), time redundancy (re-running functions) and information redundancy (error-detecting codes) [23]. Three principal "lightweight" extension mechanisms, namely stereotypes, tagged values and constraints, can be used to incorporate safety requirements into a UML specification, together with the constraints that formalise the requirements. To evaluate a model against the requirements, one can refer to a precise semantics for the fragment of UML used, extended with a notion of failures.
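Sections 3 and 4 describe attaching safety requirements to a UML specification through stereotypes, tagged values and constraints, and then checking whether a given specification fulfils those constraints. The following added example (not from the original report, and not a real UML profile or tool) shows that check in miniature: each communication link carries tagged values naming the failure types it may exhibit (loss, delay, corruption), its failure rate and the redundancy mechanisms present on it (space, time, information); each requirement names the failure types it must survive and the maximum permitted failure rate, i.e. the safety level. The stereotype and tag names, the mapping from failure types to the redundancy mechanisms that counter them, and the sample model are all assumptions of the example.

```python
"""Constraint check for safety stereotypes and tagged values on a model.

Added example.  The model is a minimal deployment view: communication links
carrying a «risk» stereotype (which failures may occur, at what rate, and
which redundancy mechanisms the link has) and dependencies carrying a
«guarantee» stereotype (which failures must be survived and the maximum
permitted failure rate).  check_model() evaluates the constraints attached
to those stereotypes and reports every violation.  Stereotype names, tag
names and the COUNTERS mapping are assumptions of this example.
"""
from dataclasses import dataclass

# Assumed mapping: which redundancy mechanism counters which failure type.
COUNTERS = {
    "loss": {"space", "time"},         # replicated resource or retransmission
    "delay": {"time"},                 # re-run / retransmit within a deadline
    "corruption": {"information"},     # error-detecting codes
}


@dataclass(frozen=True)
class Link:
    """A communication link with the «risk» stereotype (names assumed)."""
    name: str
    failures: frozenset      # {failure=...}: failure types the link may exhibit
    failure_rate: float      # {rate=...}: failures per hour, assumed measured
    redundancy: frozenset    # {mechanism=...}: space / time / information


@dataclass(frozen=True)
class Requirement:
    """A dependency with the «guarantee» stereotype (names assumed)."""
    name: str
    link: str                # the link the dependency is deployed on
    guard_against: frozenset # failure types the requirement must survive
    max_failure_rate: float  # the safety level: maximum permitted failure rate


def check_model(links, requirements):
    """Return the list of constraint violations; empty means the model is consistent."""
    by_name = {link.name: link for link in links}
    violations = []
    for req in requirements:
        link = by_name.get(req.link)
        if link is None:
            violations.append(f"{req.name}: unknown link {req.link!r}")
            continue
        # Constraint 1: every failure type declared on the link is guarded against,
        # otherwise the requirement leaves an analysed hazard unaddressed.
        for failure in sorted(link.failures - req.guard_against):
            violations.append(
                f"{req.name}: {failure} declared on {link.name} but not guarded against")
        # Constraint 2: every guarded failure type is countered by a redundancy
        # mechanism actually present on the link.
        for failure in sorted(req.guard_against):
            counters = COUNTERS.get(failure)
            if counters is None:
                violations.append(f"{req.name}: unknown failure type {failure!r}")
            elif not counters & link.redundancy:
                violations.append(
                    f"{req.name}: {failure} on {link.name} has no countering redundancy")
        # Constraint 3: the link meets the safety level the requirement demands.
        if link.failure_rate > req.max_failure_rate:
            violations.append(
                f"{req.name}: {link.name} failure rate {link.failure_rate:g}/h "
                f"exceeds permitted {req.max_failure_rate:g}/h")
    return violations


# Constructed sample model (illustrative values, not measurements).
SAMPLE_LINKS = [
    Link("bus_a", frozenset({"loss", "corruption"}), 1e-6,
         frozenset({"time", "information"})),
    Link("bus_b", frozenset({"loss", "delay", "corruption"}), 1e-4,
         frozenset({"space"})),
]
SAMPLE_REQUIREMENTS = [
    Requirement("R1", "bus_a", frozenset({"loss", "corruption"}), 1e-5),
    Requirement("R2", "bus_b", frozenset({"loss", "delay"}), 1e-5),
]


if __name__ == "__main__":
    found = check_model(SAMPLE_LINKS, SAMPLE_REQUIREMENTS)
    for line in found or ["model satisfies all constraints"]:
        print(line)
```

In the sample model R1 passes, while R2 produces three findings: corruption is declared on bus_b but not guarded against, delay has no time redundancy to counter it, and the link's failure rate exceeds the permitted rate. Adding the missing mechanisms to the link and the missing failure type to the requirement, and bringing the rate under the safety level, clears all three.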
5. Identification of attack type within a taxonomy of attack types
Distributed denial-of-service (DDoS) is a rapidly growing problem. The number of attacks and of defence approaches is overwhelming. Several taxonomies exist for classifying attacks and defences, and they give researchers a better understanding of the problem and of the current solution space [24]. The classification criteria were chosen to highlight commonalities and important features of attack methodologies,
[22] Wallace, L.G. and Sheetz, S.D., 2014. The adoption of software measures: A technology acceptance model (TAM) perspective. Information & Management, 51(2), pp.249-259.
[23] Fenton, N. and Bieman, J., 2014. Software metrics: a rigorous and practical approach. CRC Press.