An Exploratory Study on Secure Software Practices Among Software Practitioners in Malaysia

Shafinah Farvin Packeer Mohamed, Fauziah Baharom, Aziz Deraman, Jamaiah Yahya, Haslina Mohd


The rapid growth of computers, mobile phones and Internet technology has created ways for irresponsible people to commit computer crimes. Millions of users across the globe, including in Malaysia, have fallen victim to computer crimes. This is because the current software environment is more complex and distributed, holds confidential data, and is easily exposed to malicious attacks. Consequently, the secure software process is gaining increasing importance among software practitioners and researchers. However, even though its importance has been recognised, only a few studies have examined its current practice in the software industry, especially in Malaysia. Thus, an exploratory study was conducted among software practitioners in Malaysia to examine their experiences with, and practices of, the secure software process in real-world projects. This paper discusses the findings from the study, which involved 93 software practitioners. A structured questionnaire was used for data collection, whilst statistical methods such as frequency, mean, and cross tabulation were used for data analysis. The outcomes of this study reveal that software practitioners are becoming increasingly aware of the importance of the secure software process; however, they lack appropriate implementation of its practices.


Secure Software Practices; Exploratory Study; Software Practitioners; Malaysia







This work is licensed under a Creative Commons Attribution 3.0 License.

ISSN: 2180-1843

eISSN: 2289-8131