Adaptive Security Activities Selection Model Using Multi-Criteria Decision-Making Methods
DOI: https://doi.org/10.17762/jaz.v45iS1.3404
Keywords: Adaptive security activities, criteria, constraints, ANP, RIM.
Abstract
Adaptive security activities are a list of recommended security activities to be integrated smoothly with the software development life cycle (SDLC) to produce secure application software. Adaptive security activities are needed due to the emergence of factors and constraints which have been determined as one of the reasons for the underutilisation of security activities, especially in the earlier phases of the software development process. Security activities selection models have been proposed to select and recommend security activities, but these models focused on certain factors or served as a solution for specific constraints, and thus the recommended security activities were not adaptive. Consequently, an adaptive security activities selection (ASAS) model was proposed by combining the factors and constraints faced by the development team in selecting security activities. The model consisted of two integrated multi-criteria decision-making (MCDM) methods, namely Analytic Network Process (ANP) and Reference Ideal Method (RIM). ANP was used to prioritise and weight the criteria, while RIM was used to measure and evaluate the security activities against the value of the constraints for each criterion. To validate the model, a case study was performed on four in-house web application development teams in the Malaysian public sector. The proposed model was able to recommend security activities in the requirement and design phases based on the different constraints faced by each of the development teams. The model was adaptive due to its flexibility and ability to change and suit different evolved conditions when recommending the security activities.
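The RIM evaluation step described in the abstract, as an added example that is not the authors' code: it follows the published RIM procedure (normalise each value against a reference ideal interval, weight it, then compute the relative index from the distances to the ideal and non-ideal points). The activities, criteria, ranges, team constraint intervals and weights are constructed for illustration; the weights stand in for ANP output, and treating each team's constraint as the RIM reference ideal interval is an assumption.

```python
from math import sqrt

def rim_normalise(x, rng, ideal):
    """1.0 inside the reference ideal [C, D], falling linearly to 0.0 at the
    edge of the admissible range [A, B] (RIM normalisation)."""
    (a, b), (c, d) = rng, ideal
    if not (a <= c <= d <= b and a <= x <= b):
        raise ValueError(f"{x} or ideal {ideal} lies outside range {rng}")
    if c <= x <= d:
        return 1.0
    # x < c implies c > a, and x > d implies b > d, so no division by zero.
    return 1 - (c - x) / (c - a) if x < c else 1 - (x - d) / (b - d)

def rim_rank(matrix, ranges, ideals, weights):
    """Return [(activity, relative index R)] sorted best first."""
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1")
    scored = []
    for name, row in matrix.items():
        y = [w * rim_normalise(x, r, i)
             for x, r, i, w in zip(row, ranges, ideals, weights)]
        to_ideal = sqrt(sum((v - w) ** 2 for v, w in zip(y, weights)))
        to_worst = sqrt(sum(v ** 2 for v in y))
        scored.append((name, to_worst / (to_ideal + to_worst)))
    return sorted(scored, key=lambda s: s[1], reverse=True)

# Constructed sample data. Criteria: required expertise (1-5), effort (days),
# tooling cost (thousands).
ACTIVITIES = {
    "security requirements elicitation": [2, 4, 0],
    "abuse case modelling": [3, 8, 1],
    "threat modelling": [4, 10, 2],
    "formal design verification": [5, 20, 8],
}
RANGES = [(1, 5), (0, 20), (0, 10)]
WEIGHTS = [0.5, 0.3, 0.2]              # assumed stand-in for ANP output
TEAM_A = [(1, 3), (0, 5), (0, 2)]      # constructed: junior team, tight time and budget
TEAM_B = [(4, 5), (5, 15), (0, 10)]    # constructed: expert team, more time and budget

def recommend(team_constraints):
    """Rank the sample activities for one team's constraint intervals."""
    return rim_rank(ACTIVITIES, RANGES, team_constraints, WEIGHTS)

if __name__ == "__main__":
    for label, team in (("A", TEAM_A), ("B", TEAM_B)):
        print(label, [(n, round(r, 3)) for n, r in recommend(team)])
```

With the same activities and weights, the two constraint sets produce different top recommendations, which is the adaptive behaviour the abstract claims for the model.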
License
Copyright (c) 2024 Mazni Mohamed Jakeri, Mohd Fadzil Hassan, Aliza Sarlan, Amirudin Abdul Wahab
This work is licensed under a Creative Commons Attribution 4.0 International License.