An Exploratory Study on Secure Software Practices Among Software Practitioners in Malaysia
Keywords: Secure Software Practices, Exploratory Study, Software Practitioners, Malaysia
Abstract: The rapid growth of computers, mobile phones and Internet technology has created opportunities for irresponsible people to commit computer crimes. Millions of users across the globe, including in Malaysia, have fallen victim to computer crime. This is because the current software environment is more complex and distributed, holds confidential data, and is easily exposed to malicious attacks. Consequently, the secure software process is gaining importance among software practitioners and researchers. However, even though its importance has been established, only a few studies have examined its current practice in the software industry, especially in Malaysia. Thus, an exploratory study was conducted among software practitioners in Malaysia to examine their experiences and practices regarding the secure software process in real-world projects. This paper discusses the findings of the study, which involved 93 software practitioners. A structured questionnaire was used for data collection, while statistical methods such as frequency, mean, and cross tabulation were used for data analysis. The outcomes of this study reveal that software practitioners are becoming increasingly aware of the importance of the secure software process, but they lack appropriate implementation of its practices.
TRANSFER OF COPYRIGHT AGREEMENT
The manuscript is herewith submitted for publication in the Journal of Telecommunication, Electronic and Computer Engineering (JTEC). It has not been published before, and it is not under consideration for publication in any other journals. It contains no material that is scandalous, obscene, libelous or otherwise contrary to law. When the manuscript is accepted for publication, I, as the author, hereby agree to transfer to JTEC, all rights including those pertaining to electronic forms and transmissions, under existing copyright laws, except for the following, which the author(s) specifically retain(s):
- All proprietary rights other than copyright, such as patent rights
- The right to make further copies of all or part of the published article for my use in classroom teaching
- The right to reuse all or part of this manuscript in a compilation of my own works or in a textbook of which I am the author; and
- The right to make copies of the published work for internal distribution within the institution that employs me
I agree that copies made under these circumstances will continue to carry the copyright notice that appears in the original published work. I agree to inform my co-authors, if any, of the above terms. I certify that I have obtained written permission for the use of text, tables, and/or illustrations from any copyrighted source(s), and I agree to supply such written permission(s) to JTEC upon request.