A Maturity Model for Secure Software Design: A Multivocal Study

Security is one of the most important software quality attributes. Software security is about designing and developing secure software that does not allow the integrity, confidentiality, and availability of its code, data, or service to be compromised. Organizations tend to consider security as an afterthought, and they continue to suffer from security risks. Developing secure software requires taking security into consideration in all phases of the Software Development Life Cycle (SDLC). Several approaches have been developed to improve software quality, such as Capability Maturity Model Integration (CMMI). However, software security issues have not been addressed in a proper manner and incorporating security practices into the SDLC remains a challenge. The objective of this paper is to develop a framework to improve the process of designing secure products in software development organizations. To achieve this objective, a Multivocal Literature Review (MLR) was conducted to identify the relevant studies in both the formal and grey literature. A total of 38 primary studies were identified, and available evidence was synthesized into 8 knowledge areas and 65 best practices to build a Secure Software Design Maturity Model (SSDMM). The framework was developed based on the structure of CMMI v2.0 and evaluated through case studies in real-world environments. The case study results indicate that SSDMM is useful in measuring the maturity level of an organization for the secure design phase of SDLC. SSDMM will assist organizations in evaluating and improving their software design security practices. It will also provide a foundation for researchers to develop new software security approaches.