Secure software development lifecycle: A case for adoption in software SMEs

Main Article Content

Wisdom Chiazam Umeugo


Software is widely deployed and used for managing critical daily domestic, social, and economic activities. Due to software’s economic value, software is a high-value target of malicious actors and a primary source of many information security vulnerabilities. Software must be engineered to be secure because of its value. Traditional approaches to software security treat software as an addon and have been proven inadequate at producing secure software. Practicing the secure software development lifecycle (SSDLC) is recommended in academic literature. Software SMEs must adopt and practice the SSDLC for increased security of published software. This paper explores the SSDLC and makes a case for its adoption with the goal of informing security decision-makers of Software SMEs.


Download data is not yet available.

Article Details

Author Biography

Wisdom Chiazam Umeugo, University of the Cumberlands

Ph.D Candidate,

School of Computer and Information Sciences,

University of the Cumberlands

Kentucky, United States


R. A. Khan and S. U. Khan, “A preliminary structure of software security assurance model,†in Proceedings of the 13th International Conference on Global Software Engineering, New York, NY, USA, May 2018, pp. 137–140, doi: 10.1145/3196369.3196385.

E. Venson, R. Alfayez, M. M. F. Gomes, R. M. C. Figueiredo, and B. Boehm, “The impact of software security practices on development effort: an initial survey,†in 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), Sep. 2019, pp. 1–12, doi: 10.1109/ESEM.2019.8870153.

U.S. Department of Homeland Security, “Security in the softwarelifecycle: Making software development processes—and software produced by them—more secure. DRAFT Version 1.2. ,†2006, Accessed: Jan. 28, 2023. [Online]. Available:

R. A. Khan, S. U. Khan, H. U. Khan, and M. Ilyas, “Systematic mapping study on security approaches in secure software engineering,†IEEE Access, vol. 9, pp. 19139–19160, 2021, doi: 10.1109/ACCESS.2021.3052311.

H. Al-Matouq, S. Mahmood, M. Alshayeb, and M. Niazi, “A maturity model for secure software design: A multivocal study,†IEEE Access, vol. 8, pp. 215758–215776, 2020, doi: 10.1109/ACCESS.2020.3040220.

R. Fujdiak et al., “Managing the secure software development,†in 2019 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS), Jun. 2019, pp. 1–4, doi: 10.1109/NTMS.2019.8763845.

W. J. R. Nichols and T. Scanlon, “DoD Developer’s Guidebook for Software Assurance,†2018.

M. Alenezi and S. Almuairfi, “Security risks in thesoftware development lifecycle,†IJSEA, vol. 8, no. 3, pp. 7048–7055, Sep. 2019.

C. A. White, “Root causes of insecure internet of things and holistically addressing them,†in 2020 International Conference on Computational Science and Computational Intelligence (CSCI), Dec. 2020, pp. 1066–1074, doi: 10.1109/CSCI51800.2020.00198.

M. Alenezi and S. Almuairfi, “Essential activities for secure software development,†IJSEA, vol. 11, no. 2, pp. 1–14, Mar. 2020, doi: 10.5121/ijsea.2020.11201.

M. Paul, Official (ISC)2 guide to the CSSLP CBK. Auerbach Publications, 2013.

M. G. Jaatun and D. Soares Cruzes, “Care and feeding of your security champion,†in 2021 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), Jun. 2021, pp. 1–7, doi: 10.1109/CyberSA52016.2021.9478254.

J. Ransome and A. Misra, Core Software Security. Auerbach Publications, 2018.

N. Davis, W. Humphrey, S. T. Redwine, G. Zibulski, and G. McGraw, “Processes for producing secure software,†IEEE Secur. Privacy Mag., vol. 2, no. 3, pp. 18–25, May 2004, doi: 10.1109/MSP.2004.21.

K. Rindell, J. Ruohonen, and S. Hyrynsalmi, “Surveying secure software development practices in finland,†in Proceedings of the 13th International Conference on Availability, Reliability and Security - ARES 2018, New York, New York, USA, Aug. 2018, pp. 1–7, doi: 10.1145/3230833.3233274.

S. L. Kanniah and M. N. Mahrin, “Secure software development practice adoption model: A delphi study.,†Journal of Telecommunication, Electronic and Computer Engineering (JTEC), vol. 10, no. 2, pp. 71–75, 2018.

M. H. Sharif, R. Datta, and M. Valavala, “Identifying Risks and Security Measures for E-Commerce Organizations.,†Int. J. Eng. Appl. Sci. Technol, vol. 4, no. 5, 2019.

A. Asadoorian, M. Alberto, and M. L. Ali, “Creating and using secure software,†in 2020 11th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), Oct. 2020, pp. 0786–0792, doi: 10.1109/UEMCON51285.2020.9298046.

J. C. Núñez, A. C. Lindo, and P. G. Rodríguez, “A preventive secure software development model for a software factory: a case study.,†IEEE Access, vol. 8, pp. 77653–77665, 2020.

A. M. Jamil, L. ben Othmane, A. Valani, M. Abdelkhalek, and A. Tek, “The current practices of changing secure software: An empirical study,†in Proceedings of the 35th Annual ACM Symposium on Applied Computing, New York, NY, USA, Mar. 2020, pp. 1566–1575, doi: 10.1145/3341105.3373922.

T. W. Thomas, M. Tabassum, B. Chu, and H. Lipford, “Security during application development: an application security expert perspective,†in Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems - CHI ’18, New York, New York, USA, Apr. 2018, pp. 1–12, doi: 10.1145/3173574.3173836.

F. Mateo Tudela, J.-R. Bermejo Higuera, J. Bermejo Higuera, J.-A. Sicilia Montalvo, and M. I. Argyros, “On combining static, dynamic and interactive analysis security testing tools to improve OWASP top ten security vulnerability detection in web applications,†Appl. Sci., vol. 10, no. 24, p. 9119, Dec. 2020, doi: 10.3390/app10249119.

R. A. Khan, S. U. Khan, H. U. Khan, and M. Ilyas, “Systematic literature review on security risks and its practices in secure software development,†IEEE Access, vol. 10, pp. 5456–5481, 2022, doi: 10.1109/ACCESS.2022.3140181.

M. Ruggieri, T.-T. Hsu, and M. L. Ali, “Security considerations for the development of secure software systems,†in 2019 IEEE 10th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), Oct. 2019, pp. 1187–1193, doi: 10.1109/UEMCON47517.2019.8993081.

T. E. Gasiba and U. Lechner, “Raising secure coding awareness for software developers in the industry.,†2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), p. 141, 2019.

M. Noman, M. Iqbal, and A. Manzoor, “A survey on detection and prevention of web vulnerabilities,†ijacsa, vol. 11, no. 6, 2020, doi: 10.14569/IJACSA.2020.0110665.

R. Trifonov, O. Nakov, G. Pavlova, S. Manolov, G. Tsochev, and P. Nakov, “Analysis of the principles and criteria for secure software development,†in 2020 28th National Conference with International Participation (TELECOM), Oct. 2020, pp. 125–128, doi: 10.1109/TELECOM50385.2020.9299567.

Cybersecurity & Infrastructure Security Agency, “Introduction to the CLASP Process | CISA,†Cybersecurity & Infrastructure Security Agency, Jul. 03, 2013.,guided%20by%20formalized%20best%20practices. (accessed Feb. 05, 2022).

OWASP Software Assurance Maturity Model, “OWASP SAMM,†OWASP SAMM. OWASP software assurance maturity model. (accessed Jan. 28, 2023).

K. Bernsmed, M. G. Jaatun, and P. H. Meland, “Safety Critical Software and Security - How Low Can You Go?,†in 2018 IEEE/AIAA 37th Digital Avionics Systems Conference (DASC), Sep. 2018, pp. 1–6, doi: 10.1109/DASC.2018.8569579.

G. McGraw, “Software security and the building security in maturity model (BSIMM).,†Journal of Computing Sciences in Colleges, vol. 30, no. 3, pp. 7–8, 2015.

M. Shaikh, P. H. Ali Qureshi, M. Shaikh, Q. A. Arain, A. Zubedi, and P. Shaikh, “Security paradigms in SDLC requirement phase — A comparative analysis approach,†in 2021 International Conference on Engineering and Emerging Technologies (ICEET), Oct. 2021, pp. 1–6, doi: 10.1109/ICEET53442.2021.9659614.

BSIMM, “Software Security Framework .† (accessed Feb. 27, 2022).

Microsoft, “Microsoft Security Development Lifecycle Practices.† (accessed Oct. 28, 2022).

Microsoft Learn, “Agile SDL: Streamline Security Practices For Agile Development | Microsoft Learn,†Sep. 10, 2019. (accessed Jan. 28, 2023).

M. G. Jaatun, “Architectural risk analysis in agile development of cloud software,†in 2019 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), Dec. 2019, pp. 295–300, doi: 10.1109/CloudCom.2019.00050.

D. Raghuvanshi, “Introduction to Software Testing.,†International Journal of Trend in Scientific Research and Development (IJTSRD), vol. 4, no. 3, pp. 797–800, 2020.

A. Anwar et al., “Measuring the cost of software vulnerabilities,†ICST Transactions on Security and Safety, vol. 7, no. 23, p. 164551, Jun. 2020, doi: 10.4108/eai.13-7-2018.164551.

R. Alkhadra, J. Abuzaid, M. AlShammari, and N. Mohammad, “Solar Winds Hack: In-Depth Analysis and Countermeasures,†in 2021 12th International Conference on Computing Communication and Networking Technologies (ICCCNT), Jul. 2021, pp. 1–7, doi: 10.1109/ICCCNT51525.2021.9579611.

L. Sterle and S. Bhunia, “On solarwinds orion platform security breach,†in 2021 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computing, Scalable Computing & Communications, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/IOP/SCI), Oct. 2021, pp. 636–641, doi: 10.1109/SWC50871.2021.00094.

D. Votipka, R. Stevens, E. Redmiles, J. Hu, and M. Mazurek, “Hackers vs. testers: A comparison of software vulnerability discovery processes,†in 2018 IEEE Symposium on Security and Privacy (SP), May 2018, pp. 374–391, doi: 10.1109/SP.2018.00003.

M. Tuape and Y. Ayalew, “Factors affecting development process in small software companies,†in 2019 IEEE/ACM Symposium on Software Engineering in Africa (SEiA), May 2019, pp. 16–23, doi: 10.1109/SEiA.2019.00011.

OECD, “SME Performance - OECD.† (accessed Mar. 01, 2022).

F. Alghamdi, “Motivational company’s characteristics to secure software,†in 2020 3rd International Conference on Computer Applications & Information Security (ICCAIS), Mar. 2020, pp. 1–5, doi: 10.1109/ICCAIS48893.2020.9096815.

D. Geer, “Are companies actually using secure development life cycles?,†Computer, vol. 43, no. 6, pp. 12–16, Jun. 2010, doi: 10.1109/MC.2010.159.

T. D. Oyetoyan, D. S. Cruzes, and M. G. Jaatun, “An Empirical Study on the Relationship between Software Security Skills, Usage and Training Needs in Agile Settings,†in 2016 11th International Conference on Availability, Reliability and Security (ARES), Aug. 2016, pp. 548–555, doi: 10.1109/ARES.2016.103.

I. A. Tøndel, D. S. Cruzes, M. G. Jaatun, and G. Sindre, “Influencing the security prioritisation of an agile software development project,†Computers & Security, vol. 118, p. 102744, Jul. 2022, doi: 10.1016/j.cose.2022.102744.

A. Tosun, A. Bener, and B. Turhan, “Implementation of a software quality improvement project in an SME: A before and after comparison,†in 2009 35th Euromicro Conference on Software Engineering and Advanced Applications, Aug. 2009, pp. 203–209, doi: 10.1109/SEAA.2009.52.

Z. A. Maher, A. Shah, S. Chandio, H. M. Mohadis, and N. H. B. A. Rahim, “Challenges and limitations in secure software development adoption - A qualitative analysis in Malaysian software industry prospect,†IJST, vol. 13, no. 26, pp. 2601–2608, Jul. 2020, doi: 10.17485/IJST/v13i26.848.

H. Assal and S. Chiasson, “Motivations and amotivations for software security.,†SOUPS Workshop on Security Information Workers (WSIW). USENIX Association, p. 1, 2018.

M. Choras et al., “Measuring and Improving Agile Processes in a Small-Size Software Development Company,†IEEE Access, vol. 8, pp. 78452–78466, 2020, doi: 10.1109/ACCESS.2020.2990117.

C. M. M. Bezerra, S. C. B. Sampaio, and M. L. M. Marinho, “Secure agile software development: policies and practices for agile teams,†in Quality of information and communications technology: 13th international conference, QUATIC 2020, faro, portugal, september 9–11, 2020, proceedings, vol. 1266, M. Shepperd, F. Brito e Abreu, A. Rodrigues da Silva, and R. Pérez-Castillo, Eds. Cham: Springer International Publishing, 2020, pp. 343–357.

F. Moyón, D. Méndez, K. Beckers, and S. Klepper, “How to Integrate Security Compliance Requirements with Agile Software Engineering at Scale?,†in Product-Focused Software Process Improvement: 21st International Conference, PROFES 2020, Turin, Italy, November 25–27, 2020, Proceedings, vol. 12562, M. Morisio, M. Torchiano, and A. Jedlitschka, Eds. Cham: Springer International Publishing, 2020, pp. 69–87.

D. Ionita, C. van der Velden, H.-J. K. Ikkink, E. Neven, M. Daneva, and M. Kuipers, “Towards Risk-Driven Security Requirements Management in Agile Software Development,†in Information systems engineering in responsible information systems: caise forum 2019, rome, italy, june 3–7, 2019, proceedings, vol. 350, C. Cappiello and M. Ruiz, Eds. Cham: Springer International Publishing, 2019, pp. 133–144.

M. Deschene, “Embracing security in all phases of the software development life cycle: A Delphi study,†Undergraduate thesis, 2016.

J. Witschey, O. Zielinska, A. Welk, E. Murphy-Hill, C. Mayhorn, and T. Zimmermann, “Quantifying developers’ adoption of security tools,†in Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering - ESEC/FSE 2015, New York, New York, USA, Aug. 2015, pp. 260–271, doi: 10.1145/2786805.2786816.