Security quality model: an extension of Dromey's model

The quantity of sensitive data that is stored, processed and transmitted has increased many folds in recent years. With this dramatic increase, comes the need to ensure that the data remain trustworthy, confidential and available at all times. Nonetheless, the recent spate of high-profile security incidents shows that software-based systems remain vulnerable due to the presence of serious security defects. Therefore, there is a clear need to improve the current state of software development to guide the development of more secure software. To this end, we propose a security quality model that provides a framework to identify known security defects, their fixes, the underlying low-level software components along with the properties that positively influence the overall security of the product. The proposed model is based on Dromey's quality model that addresses the core issue of quality by providing explicit guidelines on how to build quality into a product. Furthermore, to incorporate security, we have introduced several new model components and model construction guidelines as Dromey's model does not address security explicitly and the model construction guidelines are not specific enough. We use well-known defects and security controls to construct the model as a proof of concept. The constructed model can be used by the programmers during development and can also be used by the quality engineers for audit purposes. We also propose an automated environment in which the model can be used in practice.