More Like this

1. Regulatory and Security Standard Compliance Throughout the Software Development Lifecycle

   Kempe, Evelyn; Massey, Aaron K. (January 2021, Proceedings of the 54th Hawaii International Conference on System Sciences)

   null (Ed.)

   Our systematic literature review aims to survey research on regulatory and security standard requirements as addressed throughout the Software Development Lifecycle. Also, to characterize current research concerns and identify specific remaining challenges to address regulatory and security standard requirements throughout the SDLC. To this end, we conducted a systematic literature review (SLR) of conference proceedings and academic journals motivated by five areas of concern: 1. SDLC & Regulatory Requirement 2. Risk Assessment and Compliance requirements 3. Technical Debt 4. Decision Making Process throughout the SDLC 5. Metric and Measurements of found Software Vulnerability. The initial search produced 100 papers, and our review process narrowed this total to 20 articles to address our three research questions. Our findings suggest that academic software engineering research directly connecting regulatory and security standard requirements to later stages of the SDLC is rare despite the importance of compliance for ensuring societally acceptable engineering. 

   more » « less
2. Perspectives on Regulatory Compliance in Software Engineering

   https://doi.org/10.1109/RE51729.2021.00012  

   Kempe, Evelyn; Massey, Aaron (September 2021, 2021 IEEE 29th International Requirements Engineering Conference (RE))

   Compliance reviews within a software organization are internal attempts to verify regulatory and security requirements during product development before its release. However, these reviews are not enough to adequately assess and address regulatory and security requirements throughout a software’s development lifecycle. We believe requirements engineers can benefit from an improved understanding of how software practitioners treat and perceive compliance requirements. This paper describes an interview study seeking to understand how regulatory and security standard requirements are addressed, how burdensome they may be for businesses, and how our participants perceived them in the software development lifecycle. We interviewed 15 software practitioners from 13 organizations with different roles in the software development process and working in various industry domains, including big tech, healthcare, data analysis, finance, and small businesses. Our findings suggest that, for our participants, the software release process is the ultimate focus for regulatory and security compliance reviews. Also, most participants suggested that having a defined process for addressing compliance requirements was freeing rather than burdensome. Finally, participants generally saw compliance requirements as an investment for both employees and customers. These findings may be unintuitive, and we discuss seven lessons this work may hold for requirements engineering. 

   more » « less
3. A Secure Software Engineering Design Framework for Educational Purpose

   https://doi.org/10.1109/eIT53891.2022.9837112  

   Angulo, Abel A.; Yang, Xiaoli; Niyaz, Quamar; Paheding, Sidike; Javaid, Ahmad Y (May 2022, 2022 IEEE International Conference on Electro Information Technology (eIT))

   Ensuring software security is a critical task for a deliverable software system in today’s world, and its proper implementation guarantees the quality and security of the information ingested, stored, and processed by the system. It is imperative to introduce computer science and computer engineering students (CS/CE) with the secure software design practices early in their curriculum. This approach will help them understand fundamentals of secure programming, vulnerabilities in software systems, and secure software development before joining the industry workforce. In this paper, we propose an educational framework that integrates software security concepts in a software engineering design course. We envision that the framework will engage CS/CE students applying security principles and practices in different phases of the software development life cycle (SDLC) process. Our work focuses on review of common security requirements, policies, and mechanisms related to specific use cases as well as how those requirements are defined during the software design. 

   more » « less
4. Evaluating privacy perceptions, experience, and behavior of software development teams

   Prybylo, Maxwell; Haghighi, Sara; Peddinti, Sai Teja; Ghanavati, Sepideh (August 2024, USENIX Security - SOUPS '24: Proceedings of the Twentieth USENIX Conference on Usable Privacy and Security)

   With the increase in the number of privacy regulations, small development teams are forced to make privacy decisions on their own. In this paper, we conduct a mixed-method survey study, including statistical and qualitative analysis, to evaluate the privacy perceptions, practices, and knowledge of members involved in various phases of the Software Development Life Cycle (SDLC). Our survey includes 362 participants from 23 countries, encompassing roles such as product managers, developers, and testers. Our results show diverse definitions of privacy across SDLC roles, emphasizing the need for a holistic privacy approach throughout SDLC. We find that software teams, regardless of their region, are less familiar with privacy concepts (such as anonymization), relying on self-teaching and forums. Most participants are more familiar with GDPR and HIPAA than other regulations, with multijurisdictional compliance being their primary concern. Our results advocate the need for role-dependent solutions to address the privacy challenges, and we highlight research directions and educational takeaways to help improve privacy-aware SDLC. 

   more » « less
5. Accountable Design for Individual, Societal, and Regulated Values in the UAV Domain

   https://doi.org/10.1109/RE57278.2023.00037  

   Marczak-Czajka, Agnieszka; Nabrzyski, Jarek; Cleland-Huang, Jane (September 2023, 31st {IEEE} International Requirements Engineering Conference, {RE} 2023, Hannover, Germany, September 4-8, 2023)

   Software systems are increasingly expected to address a broad range of stakeholder values representing both personal and societal values as well as values ensconced as laws and regulations. Whereas laws and regulations must be fully addressed, other human values need to be carefully analyzed and prioritized within the context of candidate architectural designs. The majority of prior work has investigated requirements engineering techniques for either regulatory compliance or for human-values, we take an integrated approach which simultaneously considers laws and regulations as well as societal and personal human values throughout the system analysis, specification, and design process. We illustrate our approach through detailed examples drawn from a multi-drone system regulated by the USA Federal Aviation Authority (FAA) and operating in a domain rich with human and societal values. We then discuss requirements engineering challenges and solutions unique to identifying analyzing, and prioritizing human, societal, and regulatory requirements, and ultimately for designing accountable software systems. 

   more » « less