Traditionally, security of software is not considered from the very beginning of a software development life cycle, and it is only incorporated in the later stages of development as an afterthought. As a consequence, there are increased risks of security vulnerabilities that are introduced into software in various stages of development. To avoid security vulnerabilities, there are many secure software development efforts in the directions of secure software development life cycle processes, security specification languages, security requirements engineering processes, secure design languages, and secure design guidelines. In this paper, we compare and contrast various secure software development processes based on a number of characteristics that such processes should have. We also analyze security specification languages with respect to desirable properties of such languages. Furthermore, we identify activities that should be performed in a security requirements engineering process to derive comprehensive security requirements. We compare different security requirements engineering processes based on these activities. Finally, we investigate the state-of-the-art in secure design languages and secure design guidelines. Our analysis shows that many of the secure software requirements and design methods lack some of the desired properties. The comparative study presented in this paper will provide guidelines to software developers for selecting specific methods that will fulfill their needs in building secure software applications.
Security breaches, Software system, Software security, Software design, Design defects
