Cost Estimation Model for Secure Software Development

Bibliographic Details
Main Author: Sia Abdullah, Nur Atiqah
Format: Thesis
Language: English
Published: 2011
Online Access: http://psasir.upm.edu.my/id/eprint/20031/1/FSKTM_2011_11_ir.pdf
http://psasir.upm.edu.my/id/eprint/20031/
Institution: Universiti Putra Malaysia
Description
Summary: Engineering security into software is now a high-priority objective in many IS applications, especially for banking and electronic commerce. Most commerce websites are forced to add on security coding to protect themselves from web criminals. This is due to poor coding and a lack of consideration of security during the system development life cycle (SDLC). Building security into applications or systems substantially raises software costs. The existing software cost estimation (SCE) models lack emphasis on security coding or security factors in estimating the software cost. Therefore, there is a need for a cost estimation model for secured software in order to obtain more accurate estimates. Some researchers have tried to extend COCOMO II by including security cost drivers. In this thesis, however, due to the security issues highlighted by Function Point Analysis (FPA), a Software Security Characteristics Model (SSCM) is proposed as an extension to FPA to include security costing. To produce SSCM, two software security measurement metrics, Davis’s software security management and metric and McGraw’s software security seven touch points, are considered to derive the security aspects according to the SDLC. The security aspects are then cross-referenced with four common security standards. These standards include the Information Technology (IT) Security Cost Estimation Guide, Common Criteria for Information Technology Security Evaluation, Open Web Application Security Project (OWASP), and Control Objectives for Information and related Technology (COBIT). These characteristics are then arranged according to the security aspects. As a result, SSCM, which consists of 48 characteristics, is developed. To validate the model, a survey is set up to investigate the current practices in Multimedia Super Corridor (MSC) software houses in Klang Valley, Malaysia. The survey results are analyzed using the Rasch Measurement Method.
The results reveal a person spread of 5.52 logit with good Separation, G = 3.64, and excellent Reliability of Cronbach-α = 0.97, which means the survey outcome is acceptable. With μperson of 83.06% and the Person Mean = 1.59 ≥ 0.00, at a significance of p = 0.05, the SSCM is valid, relevant and implemented in current practices. This validated SSCM is then corroborated through expert opinions in verifying the discarded characteristics. The final SSCM is used to extend the General System Characteristics (GSCs) in FPA by including two additional evaluation sheets, which are specified for calculating the security costing. The evaluation score for these sheets is based on the Rasch results from the survey. An online estimation tool is developed based on the SSCM and the so-called Extended FPA, for use in an experiment. To evaluate user acceptance of this tool, a user acceptance model has been adapted from three theoretical models: the Technology Acceptance Model (TAM), the Method Evaluation Model (MEM) and Part 3 ISO/IEC 14143 (ISO/IEC). This adapted model is the basis for the user acceptance questionnaire and hypotheses in the laboratory experiment. In addition, case studies are designed as experiment materials. The experiment is then carried out to test user acceptance of the Extended FPA compared to the IFPUG FPA. The respondents are trained in both FSM methods according to a within-subject design, and comparative analyses are made between the two FSM methods in this experiment. From the user acceptance results, we can conclude that seven out of nine null hypotheses are rejected, which shows that overall the responses to the post-task surveys suggest that Extended FPA is more consistent, easier to use, more useful and more likely to be used in the future. In conclusion, the results of this study contribute in both theoretical and practical aspects.
For the theoretical aspect, several models and theories are integrated in a systematic way: SSCM, Research Design, and Empirical Studies; for the practical aspect, this study deals with a current problem in the industry: security costing for secure software.