Mapping ISO 15408 Security Functions to SDLC Phases: Insights from a Questionnaire-Based Study
DOI: https://doi.org/10.52731/lir.v005.457
Keywords: Downstream, Midstream, Security Families, Security targets, Upstream
Abstract
The ISO/IEC 15408 standard provides a systematic approach to defining the security functions that software systems require, yet integrating these security functions into the phases of the Software Development Life Cycle (SDLC) remains challenging. This research aims to establish connections between ISO 15408 security functions and SDLC phases using survey data from software professionals. The survey collected 144 responses from software developers, quality assurance engineers and security professionals. The analysis shows patterns in how security functions are implemented, revealing both gaps in early-phase adoption and inconsistent audit-related practices. The evidence demonstrates how closer integration of ISO 15408 functions with the SDLC would strengthen secure software development practices. This research provides practical insights into aligning security standards with actual development workflows.