Prioritisation and Selection of Software Security Activities

Software security is accomplished by introducing security-related activities into the software development process or by altering existing activities so that security is taken into account. Since the importance of software security has only relatively recently received the recognition it deserves, security is not ingrained into the development processes in common use today. A variety of approaches to software security have been proposed, but they rarely support developers in determining which security activities are appropriate for them and which they should choose to implement. An exception to this rule is the sustainable software security process (S³P). This paper describes the final step of the S³P, which helps developers estimate the cost of security-related activities and select the combination of security activities that best suits their needs. This is accomplished by applying the analytic hierarchy process and an automated search heuristic, scatter search, to the models created as part of the S³P.