DocumentCode :
2134532
Title :
Security Engineering Approach to Support Software Security
Author :
Nunes, Francisco José Barreto ; Belchior, Arnaldo Dias ; Albuquerque, Adriano Bessa
Author_Institution :
Mestrado em Inf. Aplic., Univ. de Fortaleza, Fortaleza, Brazil
fYear :
2010
fDate :
5-10 July 2010
Firstpage :
48
Lastpage :
55
Abstract :
As information security and privacy become increasingly important to organizations, the demand grows for software development processes that assure information integrity, availability, and confidentiality. Unfortunately, despite the investments made in process improvement, there is still no guarantee that the developed software products are protected from attacks or do not present security vulnerabilities. As soon as software products continue to present security flaws and be compromised by attacks, the Systems Security Engineering - Capability Maturity Model (SSE-CMM) becomes the de facto model to structure a software security approach. Moreover, security best practices, practical experience or international standards, like ISO/IEC 15408, should also be considered to support security engineering as they propose activities that can be adapted to enhance security in a software development process and contribute towards the overall software security. This paper proposes a security engineering approach to support software security through a specialized process that helps develop more secure software, entitled Process to Support Software Security (PSSS). In addition, one of PSSS's subprocesses, Model Security Threat, is explained in detail. This paper also presents the results of the case study when the PSSS was first applied in a software development project as well as the preliminary results of a large project implementation.
Keywords :
data integrity; data privacy; security of data; software development management; software engineering; capability maturity model; information availability; information confidentiality; information integrity; information privacy; information security; international standards; model security threat; organizations; process to support software security; security flaws; security vulnerabilities; software development processes; software development project; software product development; systems security engineering; IEC standards; ISO standards; Information security; Organizations; Programming; Software; Information Security; Process to Support Software Security; Security Engineering; Software Security;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Services (SERVICES-1), 2010 6th World Congress on
Conference_Location :
Miami, FL
Print_ISBN :
978-1-4244-8199-6
Electronic_ISBN :
978-0-7695-4129-7
Type :
conf
DOI :
10.1109/SERVICES.2010.37
Filename :
5575592