Evaluating and integrating software process improvement models and security engineering principles

  • Haiwen Li

    Student thesis: Doctoral Thesis


The research is concerned with the management of software quality and information system security in rapidly changing business environments. Project development life cycles are becoming more complex and e-commerce is growing rapidly. Suppliers will offer new and exciting services, but decision makers are faced with the challenge of identifying information security solutions and reducing business risks. Both customers and suppliers are interested in improving the development of security products, systems and services. The field of security engineering has several generally accepted principles, but it currently lacks a comprehensive framework for evaluating security engineering practices and for integrating security engineering approaches with software quality improvement models.

The aims of this research are: 1) to evaluate existing security engineering principles and software process improvement models (such as ISO 15504, CMM and ISO 17799) and to identify their weaknesses through comparison; 2) to analyse and investigate current security management practices in different organisations, and to explore and identify potential security risks; 3) to integrate and set up a bridge between software quality improvement processes and security engineering principles; 4) to design a model which can provide organisations with guidance on how to gain control of their processes for software quality improvement and information security management, and on how to evolve towards a culture of security management process by overcoming the weaknesses in the above models.

A literature review has been conducted to study the existing software process assessment and information security management models. The well-known software process assessment models CMM, ISO 15504 and BOOTSTRAP, the information security management standard ISO 17799, the US Generally Accepted System Security Principles (GASSP) and SSE-CMM have been analysed. The strengths and weaknesses of these models have been highlighted in terms of model structure, major functions and frame analysis. Additionally, journal and conference proceedings provide a comprehensive knowledge base and background for information security management in rapidly changing and e-business environments.

In this study, surveys on information security management in rapidly changing and e-business environments have been conducted, focusing on exploring and investigating the security management processes and the usage of the ISO 17799 information security standard in different kinds of organisations. The differences between UK and non-UK organisations have been analysed. The major activities for information security management and the current status of ISO 17799 are highlighted, and the most important security risk management processes and potential weaknesses have also been analysed. Based on these results, recommendations and further considerations are presented for software houses, e-business companies, and financial and security consultant organisations.

To provide valuable input for the development of such an approach, an in-depth analysis of the special issues and best practices of information security management has been carried out. This research also integrates the security engineering process into a project lifecycle. A new Security Engineering Process Improvement Approach (SEPIA) has been developed as a major contribution to the software industry, filling an important gap between software quality improvement modelling and security engineering principles. It includes more than 120 detailed process improvement and control areas. The SEPIA model has been validated and verified in a global organisation: details of five projects have been presented and analysed, and the existing problems in the organisation have been highlighted on the basis of the SEPIA model. The verification and validation activities also provided further input towards the final SEPIA model.

The new model provides organisations with guidance and an additional audit reference on how to gain control of their processes for developing software security management, and on how to evolve towards a culture of security management process by overcoming the weaknesses in the existing guidelines.
    Date of Award: 2005
    Original language: English
    Awarding Institution:
    • Nottingham Trent University
