Towards a Successful Secure Software Acquisition

SSRN Electronic Journal (2023)

Abstract
Context: Security is a critical attribute of software quality. Organizations invest considerable sums of money in protecting their assets. Despite investing in secure infrastructure, organizations remain prone to security risks and cyberattacks that exploit security flaws. Many factors contribute to the challenges related to software security, e.g., the exponential increase in Internet-enabled applications, threats from hackers, and the susceptibility of inexperienced Internet users. Moreover, organizations tend to procure off-the-shelf software from third-party suppliers. However, gaining a complete understanding of ways to assess suppliers' readiness to provide secure software before selecting a supplier is imperative.

Objective: We have developed a readiness model for secure software acquisition (RMSSA) to help software organizations select suppliers who can provide secure software.

Method: We employed state-of-the-art techniques based on a systematic literature review to determine the best practices undertaken by organizations in terms of acquiring secure software, which depends on six core security knowledge areas: confidentiality, integrity, availability, authorization, authentication, and accountability.

Results: We evaluated the RMSSA theoretically and in a practical environment based on three case studies with software organizations. Our findings can guide software organizations in selecting the supplier who can develop secure software.

Conclusion: The proposed RMSSA can be used to evaluate suppliers' readiness to provide secure software.
Keywords

Systematic reviews, Empirical software engineering, Software security, Software acquisition, Software process