
Integrating security and privacy in software development

Software Quality Journal

Abstract

As a consequence of factors such as the progress made by attackers, the release of new technologies and the use of increasingly complex systems, threats to application security have been continuously evolving. Security of code and privacy of data must be implemented in both design and programming practice to face such scenarios. In this context, this paper proposes a software development approach, Privacy Oriented Software Development (POSD), that complements traditional development processes by integrating the activities needed for addressing security and privacy management in software systems. The approach is based on 5 key elements (Privacy by Design, Privacy Design Strategies, Privacy Pattern, Vulnerabilities, Context). The approach can be applied in two directions, forward and backward, for developing a new software system or re-engineering an existing one. This paper presents the POSD approach in the backward mode together with an application in the context of an industrial project. Results show that POSD is able to discover software vulnerabilities, identify the remediation patterns needed for addressing them in the source code, and design the target architecture to be used for guiding privacy-oriented system re-engineering.




Funding

This study has been partially funded by the Project “Digital Service Ecosystem” (Cod. PON03PE_00136_1) funded by Italian Minister of University and Research and Project “Auriga2020” - (Cod. T5LXK18), funded by Apulia Region.

Corresponding author

Correspondence to Vita Santa Barletta.

Cite this article

Baldassarre, M.T., Barletta, V.S., Caivano, D. et al. Integrating security and privacy in software development. Software Qual J 28, 987–1018 (2020). https://doi.org/10.1007/s11219-020-09501-6
