Mitigating Software Vulnerabilities through Secure Software Development with a Policy-Driven Waterfall Model



Introduction
Since the advent of computers in all aspects of our daily life, we have become heavily dependent on them to perform various tasks. Software is the key component that drives a computer to perform its functions. Like other products, a software product is developed through several stages, called the software development life cycle, which starts from the initial requirements acquisition and ends with the retirement of the software.
A few years back, the focus of software development was on functionality rather than security because fewer risks were involved and the system had minimal interaction with the outside world. Nowadays, systems are no longer isolated. They have to communicate with other systems or environments through different modes of communication. The wide usage of computing environments in today's expanding business world has resulted in exposure to new security risks. Software is becoming more vulnerable due to the increase in complexity, connectivity, and extensibility. This highlights security as a constraint on software development, and it should be addressed properly to mitigate the security risks. In the case of real-time critical systems, these vulnerabilities can result in fatal consequences [1].
Software with a bad design and security flaws is more vulnerable, and external protection systems, such as firewalls, intrusion detection, and malware detection, are unable to protect it from external threats. Security is not a requirement but rather a constraint that affects the quality of the software. It can be addressed at later stages of development in the form of add-ons or some security features. These add-ons and security features do not overcome the underlying vulnerabilities and hence cannot protect the whole software. It is pertinent to note that system security is different from software security. Software is a part of a computer system and should have its own security features. These features can be embedded in the software during the software development life cycle (SDLC). By integrating security into the SDLC, we may develop software that proactively defends against potential security threats [2].
The security of the software has become more critical due to the development of smart environments [3]. The deployment of the Internet-of-Things (IoT) and the subsequent development of the Artificial Intelligence of Things (AIoT) in diverse domains, including smart health care, smart transportation, smart homes, smart communities, and smart education, has elevated security risks [4,5]. Software in IoT environments interacts with remote services using smart devices [6]. Furthermore, the software running on smart devices can access sensors and personal information and use machine-learning techniques to learn situations [7,8]. This IoT and AIoT software constantly monitors sensor information, location, health information, and system information that can be subject to both active and passive security attacks [9,10]. The information is represented and stored in a common open standard to achieve interoperability among different types of systems [11]. The smart devices not only contain personal information but also keep on monitoring system data, including sensor information, power information, location information, and activity information [12]. While smart devices can be made secure and personal and system data can be protected, the software that runs on these devices should itself be developed securely. From information gathering to storage, the data should be kept confidential and shared with trusted parties only [13,14]. The stored information can also serve as history information, which is useful for facilitating a user but is also a security risk [13]. Many researchers have proposed using machine learning for anomaly detection, which is only effective once the software is deployed [15]. It is necessary to use secure practices in the software development life cycle (SDLC) to ensure better protection once the software is deployed. Microsoft promotes data science as the game changer in the secure SDLC [16].
It is necessary to secure a system against security risks, and developing secure software can mitigate such risks. The contributions of this paper are as follows: (i) This paper aims to highlight the significance of security throughout the SDLC and presents a security policy framework, PDWM, for secure software development using the waterfall method. (ii) Furthermore, the authors establish how secure development can lead to software that can detect malware and anomalies. Such software can be developed for smart environments where security risks are high.
This paper is organized as follows. Section 2 presents the related work, Section 3 outlines the security policies, and in Section 4, a policy-driven waterfall model for secure software development is proposed. Section 5 describes a case study, and Section 6 summarizes the paper.

Related Works
The related works have been searched in major research databases using terms including SDLC, SSDLC, Secure Software, and Secure Software Development. The primary sources have been searched using Google Scholar, Institute of Electrical and Electronics Engineers, ACM, Hindawi, Wiley, MDPI, and others. The results have been sifted to check their relevance to secure software development processes. Relevance has been established to compare the effectiveness of PDWM with other techniques in the literature.
There are two high-profile processes available for the development of secure software, namely, Microsoft's SDL and McGraw's Touchpoints [17,18]. SDL is rigorous and heavyweight and is more suitable for large organizations. The Touchpoints approach is based on industrial experience. Both processes have defined activities for the different phases of secure software development. Some activities are similar, and some differ between the two methodologies because of the priority each process gives to certain activities; both are extensive and heavyweight.
Tariq et al. have listed challenges for mission-critical systems that interact with multiple data sources remotely and in real time [19]. Such systems utilize the concepts of IoT, AIoT, and the Industrial IoT (IIoT). The challenges highlighted by the authors can be mitigated by using secure software development frameworks. The same authors enhance this concept by utilizing a code-driven trust mechanism for the detection of internal attacks in IoT [20]. Butt et al. have demonstrated the effect of insecure development practices in IoT-based mobile health (mHealth) environments [21]. The authors have proposed an algorithm to mitigate the effects; however, they have not improved the development process of mHealth applications.
Ahmad and Rana have developed a secure architecture for developing e-commerce websites as a software product [22]. These websites are developed as a Service-Oriented Architecture (SOA), which needs to be made secure because it uses the Internet for communication. The authors propose embedding the existing techniques for mitigating security threats, including unauthorized access, phishing, and interference with key data, within the design of the software. However, the authors have not developed a secure software development model for e-commerce applications.
Khan et al. have carried out an extensive survey of secure software development and identified that security risks must be identified and addressed for successful secure software production [23]. Henry argues that organizations should establish secure coding principles to ensure a secure software development life cycle (SSDLC) [24].
Dissanayake et al. have conducted a survey of secure software patch management techniques and tools [25]. Every piece of software goes through a maintenance and upgrade phase during its life cycle. To improve performance, including security measures, patches are developed and applied to the different copies of the software deployed across networks. This is much like the patches of operating systems as well as software suites and apps. All these patches need to be managed effectively to secure deployment and upgrade. The emergence of Development and Operations (DevOps) as an SDLC method has led to faster delivery of complex software products focusing on higher quality [26,27]. Rajapaske et al. enhanced the concept and integrated security into DevOps [28]. The new concept is called Development, Security, and Operations (DevSecOps) and comes with new security challenges for complex software development. DevSecOps is suitable for complex software development and requires a strong development and engineering team. It can be underutilized for simple in-house software development, where traditional [29] modeling is suitable.
Jøsang et al. proposed strengthening the security curriculum in the education sector so that it leads to secure software development [30]. This area receives less attention, and a focus on security education can broaden the horizon of software developers, engineers, and architects. Angulo et al. have also emphasized the integration of secure practices, including secure programming, threat modeling, and risk assessment, in Computer Science and Software Engineering (CS/SE) curricula [29].
Almufareh and Humayun have established a concept of mediating Security and Performance (SAP) verification to improve the safety as well as the security of software [31]. The authors have identified several mediating factors that influence SAP verification.
Mbaaka has identified humans as a critical security risk and used STRIDE to identify human factors, including gender, age, and education, to assess the security threats [32].
The related works show that there is a requirement for establishing security policies and a framework to implement these policies for software development using traditional methods. This is evident from Table 1, which compares the related works with PDWM.
PDWM presents a lightweight approach that is more suitable for small and medium organizations that develop medium-sized software products and have considerable experience in developing similar products. PDWM outlines the security requirements in depth and describes the existing practices that are limited to specific phases of development. The model provides important insights into the security aspects of the different phases of the SDLC, and adhering to these practices can lead to the development of a secure software system. By adopting PDWM, an organization can reduce the number of vulnerabilities in its software and hence make it more reliable and secure.
Like the traditional waterfall model, the PDWM emphasizes documentation, which is a critical part of a software project. Besides documentation, a knowledge base can be built to record all facts that will be useful in other development projects; as the knowledge base matures over time, the quality, efficiency, reliability, and security of products will improve.
This paper provides a new perspective on the integration of security in the SDLC by suggesting a policy-driven waterfall model for secure software development. The work contributes to the understanding of secure software development. For software engineers and practitioners, this will be a useful source for understanding security throughout the software life cycle, and software developers will be aided by some useful practices to prevent errors during the implementation phase.

Security Policy Framework
A policy can be defined as a definite plan or course of action adopted for the sake of expediency, facility, etc. [33]. From a business point of view, a security policy defines how a company plans to protect its physical and information technology assets from potential threats. This policy document is continuously updated to reflect new requirements stemming from the environment. A company's security policy may include an acceptable use policy, a training plan to educate employees about how to protect the company's assets, how to enforce the security measures, and an auditing mechanism to evaluate the effectiveness of the security policy [34,35].
In the context of a secure software development approach, the security policy can be defined as a guideline to aid system designers and developers in analyzing and implementing security features throughout the development process. We propose a security policy framework as shown in Figure 1. The security policy framework is developed to address the issue of software security. Its main purpose is to outline the main security requirements that should be taken into account and to present a policy-driven waterfall model that addresses these requirements. Organizations that lack a security policy will require a lot of effort to introduce one into their environments, as it is difficult to change the habits of employees, especially development staff.
The policy is written in a general way because it is not amended frequently and is reviewed only after a certain period. For example, the security policy provides instructions to check for buffer overflow vulnerabilities but does not mention any specific tools for that. Each project may have different tool requirements, so developers should select appropriate tools for that purpose.
Activities in the security policy framework define roles and responsibilities for administrators and developers, the management of secure software development, rules and regulations, training guidelines, etc. Audits can be conducted to ensure that policy guidelines are properly followed. The teams should be educated well to implement the security policy framework in true letter and spirit. Designers should have a deep understanding of the security policy framework in order to achieve its goals and to better transform security requirements into features. Developers will benefit from the security policy, and it will be easy for them to integrate the security policy into the system [36]. The security policy framework should cover the following areas [37-39]: (i) System architecture (ii) Roles and responsibilities (iii) Risk management

[Figure 1: the security policy framework. Areas shown in the figure: secure design principles; training (end user); error handling (handling all errors securely, user-friendly error messages); security testing (risk-based security testing, code reviews, penetration testing, unit testing); configuration management (securing configuration data and commands); vulnerability reporting (create, deploy, and monitor fix; learning security issues); security guides and manuals; risk management (attack trees, risk assessment of third-party components, cost-benefit analysis); risk analysis (threat modelling, assessment, reviews, and revisions); security and safety requirements (prioritize, reviews, regulatory constraints); system architecture (malicious use cases).]

Build Security Team.
A central security team comprised of security professionals will be an asset to the organization. This team helps the development staff by defining process requirements, educating them to adhere to best coding practices, and performing design and code reviews [40]. Clearly define the roles and responsibilities of each team member to have a well-structured approach. An additional task of auditing may be assigned to a small group within the security team. This group will ensure that the security policy framework is implemented within the organization and followed accordingly.
Provide suitable training to the employees regarding the security policy framework. Surprise checks are helpful to verify that employees have a good understanding of the security policy framework and are performing their roles following the guidelines provided to them. A major contribution of the security team is security testing. Test plans based on threat models and attack patterns provide the basis for security testing. Defects found are analyzed, prioritized, and fixed with the help of the design and development teams.

Security Requirements.
Security requirements covering all possible aspects of the software's security are key to the development of secure software. Threat modeling is used to further elaborate the security requirements for better understanding and to transform them into implementation details. Functional security requirements should also be defined. Threats should be prioritized so that the highest-rated threat is addressed first. Security requirements may impose some constraints to comply with regulatory standards. For example, in a health care system, patient information should not be disclosed without the consent of the patient. This is a major security concern, and many agencies have devised rules and regulations for it. A final review may be conducted to assure that there is no uncaptured security requirement.

Risk Management.
Risk management is an important factor in the design of secure software. After evaluating the security requirements, an analysis of anticipated risks is carried out. Threat modeling is used to uncover the threats. Threats are rated so that high-rated threats are given preference. Attack trees are helpful in modeling security threats in graphical form. In attack trees, the attacker's goal is shown as a node and the branches represent different paths to achieve that goal. Once threats are identified, provide possible solutions to mitigate them. Also, carry out a cost-benefit analysis during the risk management phase. Risk management also covers security risks and uses threat modeling to assess the vulnerabilities [41,42].

Documentation.
Documentation is essential in every project. All artifacts related to the project are recorded and used as guidelines during the project life cycle. Apart from the design documents, other documents, such as the administrator manual, user manual, and security guide for the user, should also be developed. This will ease the work of the administrator of the system and will help users to better understand the system and its features.

Information Privacy.
The next component of the security policy framework is information privacy. The company's information policy can be used to draw up a data classification schema. It should clearly state which user has access to which part of the data. User roles must be defined according to the information privacy policy. Security features like authentication and authorization for user access control should be used. Sensitive data should be processed and transmitted in encrypted form. Users should be granted the minimum privileges necessary to execute a task.

Training.
Another important aspect of the security policy framework is training. Training is the process of educating people to improve their performance by enhancing their skills. It is also useful for the adoption of new technologies or learning about new developments. Many security vulnerabilities arise from bad coding practices. To overcome this problem, the development team should be given training on standard coding practices and writing secure code [43]. Training material should include case studies and examples that will help the development teams better understand the material and make its impact last longer. Furthermore, some exercises may be included to evaluate the result of the training session. Training of system users is also essential so that the system is used in an efficient and secure manner.

Error Handling and Exception Management.
Error handling is a way to detect system errors and handle them in such a way that the system's normal behavior is not affected. By validating data elements during input, output, or processing, errors can be minimized. Use suitable and user-friendly error messages that help the user to understand the cause of the error. Moreover, use exception handling mechanisms to capture exceptions that can disrupt the normal operation of the system.

Security Testing.
The security testing component of the security policy framework describes certain techniques that are employed in the security testing phase. These include risk-based security testing, security feature testing, unit testing, penetration testing, code reviews, and security review.

Configuration Management.
Software goes through several changes in its life that stem from its environment and growing business needs. Configuration management is the process of controlling and tracking changes [44,45]. A configuration mechanism is necessary to keep a history of changes, their review, and the impact of the changes incorporated. Security in configuration management deals with access control, confidentiality, accountability, and auditing. It ensures that only authorized persons have access to configuration items. All actions are logged in a way that tracks who made what changes at any given time. It also provides a way to review developer actions.

Feedback and Support.
After the deployment of the software, a feedback mechanism can provide us with information regarding the operation of the software. This feedback mechanism can be based on monitoring and logging. The analysis of logging information can reveal vulnerabilities, information about attacks, and any unexpected error that occurred during operation. Periodic visits are also helpful to monitor the behavior of the system. Any vulnerability noted is to be analyzed, and measures are to be adopted to fix it.
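As an added illustration of the log analysis this section describes (this is example code written for this page, not part of the paper or any product), the following C program tallies failed logins per source address and counts unexpected application errors in a constructed log. The log format, the sample lines, the threshold and the function names are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example: analysing operation logs for attack attempts and
 * unexpected errors.  The log format and the lines below are constructed
 * for this example; they are not from any real system. */

static const char *const SAMPLE_LOG[] = {
    "2024-03-01T10:00:01Z AUTH_FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:03Z AUTH_FAIL user=bob src=203.0.113.7",
    "2024-03-01T10:00:04Z AUTH_OK user=carol src=198.51.100.2",
    "2024-03-01T10:00:05Z AUTH_FAIL user=admin src=203.0.113.7",
    "2024-03-01T10:00:06Z AUTH_FAIL user=root src=203.0.113.7",
    "2024-03-01T10:00:07Z AUTH_FAIL user=carol src=203.0.113.9",
    "2024-03-01T10:00:08Z APP_ERROR msg=division_by_zero module=billing",
    "2024-03-01T10:00:09Z AUTH_FAIL user=test src=203.0.113.7",
    "2024-03-01T10:00:10Z AUTH_FAIL user=carol src=203.0.113.9",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

#define MAX_SOURCES 32

struct source_stats {
    char src[16];      /* dotted IPv4 address, at most 15 characters */
    int failures;
};

/* Tally failed logins per source address.  Returns the number of distinct
 * sources recorded (capped at max_out). */
int tally_auth_failures(const char *const *lines, size_t nlines,
                        struct source_stats *out, int max_out) {
    int nsrc = 0;
    size_t i;
    for (i = 0; i < nlines; i++) {
        char event[16], src[16];
        int j;
        /* second whitespace-separated token is the event name */
        if (sscanf(lines[i], "%*s %15s", event) != 1) continue;
        if (strcmp(event, "AUTH_FAIL") != 0) continue;
        /* fourth token carries the source address as src=<addr> */
        if (sscanf(lines[i], "%*s %*s %*s src=%15s", src) != 1) continue;
        for (j = 0; j < nsrc; j++)
            if (strcmp(out[j].src, src) == 0) break;
        if (j == nsrc) {
            if (nsrc == max_out) continue;          /* table full: skip */
            strcpy(out[nsrc].src, src);             /* src fits: %15s */
            out[nsrc].failures = 0;
            nsrc++;
        }
        out[j].failures++;
    }
    return nsrc;
}

/* Sources whose failure count reaches the threshold are candidates for a
 * password-guessing attempt and deserve a closer look. */
int count_suspicious_sources(const struct source_stats *stats, int nsrc,
                             int threshold) {
    int i, n = 0;
    for (i = 0; i < nsrc; i++)
        if (stats[i].failures >= threshold) n++;
    return n;
}

/* Unexpected errors during operation are defects to analyse and fix. */
int count_app_errors(const char *const *lines, size_t nlines) {
    int n = 0;
    size_t i;
    for (i = 0; i < nlines; i++) {
        char event[16];
        if (sscanf(lines[i], "%*s %15s", event) == 1 &&
            strcmp(event, "APP_ERROR") == 0)
            n++;
    }
    return n;
}

int main(void) {
    struct source_stats stats[MAX_SOURCES];
    int i, n = tally_auth_failures(SAMPLE_LOG, SAMPLE_LOG_LEN, stats, MAX_SOURCES);
    for (i = 0; i < n; i++)
        printf("%-16s %d failed logins%s\n", stats[i].src, stats[i].failures,
               stats[i].failures >= 3 ? "  <-- review" : "");
    printf("unexpected application errors: %d\n",
           count_app_errors(SAMPLE_LOG, SAMPLE_LOG_LEN));
    return 0;
}
```

The threshold of three failures is arbitrary; in practice it would come from the security policy, and the tally would be kept per time window rather than over the whole log.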

A Policy-Driven Waterfall Model for Secure Software Development
A policy-driven waterfall model (PDWM) is derived from the traditional waterfall model as shown in Figure 2. The PDWM is based on the security policy framework. Its purpose is to integrate security into all phases of software development in order to develop secure software. The method is linear and sequential, and each phase has distinct goals. Before moving to the next phase, it is ensured that the earlier phases are correct. Each phase proceeds in strict order without overlapping. There are feedback loops between the phases to accommodate changes. Upon discovering new artifacts or some defects, we can go back to the previous phase and incorporate the change. Like the traditional waterfall model, the PDWM emphasizes documentation, which is an essential part of a project.
The mechanism starts by identifying and analysing security issues, including SQL injection, outdated software, patch requirements, security risks, data encryption requirements, DDoS awareness, insecure coding practices, and insecure testing. These and other issues are then included in each phase for which they are appropriate, and the security requirements are addressed. PDWM is designed in a way that addresses security issues in each phase of the SDLC.
After developing the security policy framework, it is easier to transform security features into a development process. PDWM exhibits security aspects throughout the whole software development process. The output of each phase is provided as the input of the next phase. Every phase may produce new artifacts that will be incorporated into the security policy framework. A knowledge base can also be developed to record the security policy framework, which will be useful in other development projects.

Security Analysis.
During the security analysis phase, the operational environment of the software is analyzed in detail concerning security aspects. The most important is the security of information. Further study may include the intended users of the system, the operating system, and the underlying hardware. In addition, the network infrastructure, communication channels, firewalls, intrusion detection systems, and software including antivirus, antispam, and antispyware should be analyzed in terms of strengths and weaknesses.
A detailed study of the software's operational environmental factors will help to avoid any vulnerability that, if left unattended, may be propagated into the next phases. Brainstorming sessions conducted with all stakeholders, including decision-makers, security policymakers, and information security specialists, are productive in the evaluation of potential threats. It is necessary to perform a threat analysis to identify assets, potential risks to those assets, possible attackers, and how to safeguard those assets from attacks. Furthermore, assets are prioritized based on confidentiality, integrity, and availability so that the more valuable assets are safeguarded first. Threats are rated and prioritized so that countermeasures are taken against high-rated threats.
The system's possible security environment should be carefully analyzed, which may include the type of security protection available in the underlying operating system, memory management in the operating system, user policies, the organization's information security policy, user privileges to access information, and what type of information a user can access. The cost-benefit analysis should be carried out keeping in mind the time, budget, and resource constraints.

Security Requirements.
The most overlooked part of security engineering is the security requirement. These are often considered technical issues and are taken into consideration only at the implementation stage. Security requirements must be stated in detail in this phase because any uncaptured requirement will be propagated into the next phases of development, consequently leaving flaws in the system that could be exploited as vulnerabilities. Collecting and analyzing the right set of security requirements and performing threat analysis is helpful in the identification of suitable security requirements and mitigating vital threats [46]. A lightweight approach consisting of well-balanced security requirements right from the beginning is very useful to elicit critical security requirements [47]. One good technique is to define misuse cases for possible threats [48]. Peterson and Steven have presented an approach to defining misuse cases [49]. Brainstorming sessions of information security professionals and developers may be productive in discovering misuse cases [50]. Using misuse cases, one can define the attacker's goal or the ways to exploit the system. Misuse cases may lead to additional nonfunctional and quality requirements that should be documented and included in the existing requirements. The knowledge of security analysts is of great value while performing business risk analysis and architectural risk analysis.
Threat modeling helps identify risks and subsequently take decisions to mitigate those risks in the design, coding, and testing phases [51]. To further elaborate the threat models, attack trees are used. Attack trees allow us to model security threats in graphical form. It has been observed that attack trees are more effective for finding threats in the absence of use-case diagrams [52]. The graphical representation of the attack tree provides a better understanding of how attacks can succeed and which attacks are most likely to succeed [53,54]. The methodology can also reveal the vulnerability of a system under specified constraints. If we understand the ways in which a system can be attacked, we can develop countermeasures to prevent those attacks.
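To make the attack-tree reasoning of the Risk Management section and of this paragraph concrete, the following C program is an added example (not from the paper) that evaluates a small constructed attack tree for a hypothetical patient-records application and shows how a countermeasure shifts the cheapest path. The cost model is an assumption: a leaf carries an estimated attacker effort, an OR node costs as much as its cheapest child, an AND node costs the sum of its children, and a countermeasure adds effort to the leaf it protects. All node names and numbers are invented for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a small attack-tree evaluator.  The cost model below is an
 * assumption made for this illustration, not a rule taken from the paper. */
enum kind { LEAF, OR_NODE, AND_NODE };

#define MAX_CHILDREN 4
#define MAX_NODES 16

struct node {
    const char *name;
    enum kind kind;
    int cost;                 /* base attacker effort; LEAF only */
    int added_cost;           /* extra effort imposed by countermeasures */
    struct node *children[MAX_CHILDREN];
    int nchildren;
};

static struct node pool[MAX_NODES];
static int used;

static struct node *mk(const char *name, enum kind kind, int cost) {
    struct node *n = &pool[used++];
    memset(n, 0, sizeof *n);
    n->name = name;
    n->kind = kind;
    n->cost = cost;
    return n;
}

static void attach(struct node *parent, struct node *child) {
    parent->children[parent->nchildren++] = child;
}

/* Cheapest attacker effort needed to reach this node's goal. */
int cheapest_cost(const struct node *n) {
    int i, best = -1, total = 0;
    if (n->kind == LEAF)
        return n->cost + n->added_cost;
    for (i = 0; i < n->nchildren; i++) {
        int c = cheapest_cost(n->children[i]);
        if (best < 0 || c < best) best = c;
        total += c;
    }
    return n->kind == OR_NODE ? best : total;
}

/* Follow the cheapest child at every level down to a leaf: the step that
 * costs the attacker least, which is where a countermeasure pays off first. */
const char *weakest_leaf(const struct node *n) {
    const struct node *pick = NULL;
    int i, best = -1;
    if (n->kind == LEAF) return n->name;
    for (i = 0; i < n->nchildren; i++) {
        int c = cheapest_cost(n->children[i]);
        if (best < 0 || c < best) { best = c; pick = n->children[i]; }
    }
    return weakest_leaf(pick);
}

/* Find a leaf by name so a countermeasure can be applied to it. */
struct node *find_leaf(struct node *n, const char *name) {
    int i;
    if (n->kind == LEAF) return strcmp(n->name, name) == 0 ? n : NULL;
    for (i = 0; i < n->nchildren; i++) {
        struct node *hit = find_leaf(n->children[i], name);
        if (hit) return hit;
    }
    return NULL;
}

void apply_countermeasure(struct node *leaf, int extra_effort) {
    leaf->added_cost += extra_effort;
}

/* Constructed tree (hypothetical system, invented effort values). */
struct node *example_tree(void) {
    struct node *root, *creds, *admin;
    used = 0;
    root  = mk("Read patient records", OR_NODE, 0);
    creds = mk("Obtain administrator credentials", OR_NODE, 0);
    admin = mk("Log in as administrator", AND_NODE, 0);
    attach(root, mk("SQL injection in search form", LEAF, 2));
    attach(creds, mk("Phish an administrator", LEAF, 3));
    attach(creds, mk("Guess weak password", LEAF, 2));
    attach(admin, creds);
    attach(admin, mk("Reach admin interface from the Internet", LEAF, 1));
    attach(root, admin);
    attach(root, mk("Read unencrypted database backup", LEAF, 4));
    return root;
}

int main(void) {
    struct node *root = example_tree();
    printf("cheapest path: %d via %s\n", cheapest_cost(root), weakest_leaf(root));
    apply_countermeasure(find_leaf(root, "SQL injection in search form"), 10);
    printf("after parameterized queries: %d via %s\n", cheapest_cost(root), weakest_leaf(root));
    apply_countermeasure(find_leaf(root, "Guess weak password"), 5);
    printf("after a password policy: %d via %s\n", cheapest_cost(root), weakest_leaf(root));
    return 0;
}
```

Running the program shows the cheapest goal cost rising from 2 to 3 and then to 4 as each countermeasure is applied, which is exactly the cost-benefit comparison the risk management phase calls for: the countermeasure worth funding first is the one on the current cheapest path.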

Security Design.
At the design level, the security framework outlined in the requirements phase must be evaluated in terms of technology, and the system must present a unified structure that can be implemented. The designers must review the design keeping in view the security requirements, which will help to identify additional risks or threats. Software security is categorized into four areas, namely, input, output, data, and algorithm. They must all be made secure [55]. Evaluation of the underlying technologies in terms of implementation of the design is crucial. Alternative solutions may be considered to pick the one that is most secure, efficient, and cost-effective. If the system under development is of a classified nature, there may be a requirement to secure the design of the system itself.
By following secure design principles, the secure development process can be improved. Sometimes, there is a requirement that some portion of the application's code be open to the Internet. In this case, the potential risks and what has been vulnerable must be analyzed. If the application consumes untrusted data, enforce a validation mechanism that is robust in data handling [56]. The design of software can be made more secure by the use of attack patterns that can identify security vulnerabilities at an initial stage. UMLsec can be used to model the security aspects of the system [57]. Once security flaws are identified, designers should adopt appropriate measures to mitigate those vulnerabilities and strengthen the defense mechanism of the system [58]. Designers should keep the design as simple as possible and enforce defense in depth.
There are commercial off-the-shelf (COTS) components available that are used in the development of software to reduce cost and development time. As the software is developed and deployed on some operating system, we have to use some APIs of the operating system for communications or other services. A detailed study of these APIs will help in a better understanding of their structure and implementation. Bad implementation of APIs can lead to vulnerabilities that may pose a risk to the system. Furthermore, if third-party components have been used in the development of the system, obtain complete documentation to get complete knowledge of the software components. Developing one's own encryption algorithm is not an easy job because it requires deep knowledge of encryption techniques. The use of standard encryption algorithms is a good approach to a secure design. Encryption of passwords or sensitive data is essential to secure it before transmitting it over the network. The principle of least privilege must be applied for a user to perform a task. The design needs to be consistent, and race conditions should not exist. Data objects need to be defined with lower-bound and upper-bound limits.

Security Implementation.
Implementation begins with the selection of the appropriate programming language. Various programming languages are available today with different features. C/C++ are quite popular and flexible languages but are criticized for their security vulnerabilities. However, secure coding can be achieved by proper handling of data holders. To overcome common errors regarding string and integer manipulation in C/C++, alternative solutions are available [59]. The most common vulnerabilities arising from coding problems in the C language are buffer overflows, format string vulnerabilities, and integer vulnerabilities [60].
Static analysis tools can be used to detect flaws in code. Although these tools help developers discover coding errors, their scope is limited, and they do not guarantee defect-free software. Code review can be done with the help of tools, but it is recommended that one should not fully depend on these tools. A manual review should also be performed, which is quite productive. Source code review checklists provide a good way to minimize errors.
Common security flaws can be removed by cryptography and with improved quality procedures [61]. Programmers should define passwords with alphanumeric combinations to make them strong enough, with suitable length and expiration periods. All inputs and outputs are to be analyzed and validated. The length and type of input fields must be clearly defined. It is necessary to implement typecasting carefully and properly and to destroy memory objects after use for better memory management. Validation of function calls and parameter passing, such as pass-by-value or pass-by-reference, needs to be performed. Sensitive data, including user authentication data, should be transmitted in encrypted form. By following best coding practices, errors like buffer overflow, stack overflow, type mismatch, and divide by zero can be avoided. All exceptions must be handled with a try-catch block, and suitable error messages should be used to inform the user. For debugging and auditing purposes, logs can be generated. The security of the logging mechanism has to be handled properly.
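The coding rules above (bounded input fields, careful typecasting, no buffer overflow, no divide by zero, safe logging) and the error-handling guidance of the security policy framework are illustrated by the following C code, written for this page as an added example rather than taken from the paper. Each function returns 0 on success and -1 when the input is rejected so the caller can report a user-friendly message; the function names, return conventions and limits are this example's own assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: hardened handling of the input and arithmetic cases the
 * text lists.  Names and return conventions are assumptions of the example. */

/* Bounded copy that refuses input that does not fit.  Replaces an
 * unbounded strcpy() into a fixed buffer and also avoids the silent
 * truncation of strncpy(), which can leave the destination unterminated. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t len = strlen(src);
    if (dstsz == 0) return -1;
    if (len >= dstsz) {            /* would overflow or lose the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Parse a TCP port: the field's type (decimal integer) and range (1-65535)
 * are enforced here instead of using atoi(), which ignores trailing junk
 * and gives no overflow indication. */
int parse_port(const char *s, int *out) {
    char *end;
    long v;
    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0') return -1;
    if (v < 1 || v > 65535) return -1;
    *out = (int)v;                 /* safe cast: range already checked */
    return 0;
}

/* count * elem without wrap-around; an unchecked multiplication here is the
 * classic root of an undersized allocation followed by a heap overflow. */
int checked_alloc_size(size_t count, size_t elem, size_t *out) {
    if (count != 0 && elem > SIZE_MAX / count) return -1;
    *out = count * elem;
    return 0;
}

/* Integer division with both failure cases covered: a zero divisor and
 * INT_MIN / -1, which overflows in two's complement. */
int divide_checked(int num, int den, int *out) {
    if (den == 0) return -1;
    if (num == INT_MIN && den == -1) return -1;
    *out = num / den;
    return 0;
}

/* Audit-log line for a login attempt.  The user-controlled name is passed
 * as an argument to a fixed format string; passing it as the format itself
 * (fprintf(log, user)) would be the format-string vulnerability. */
void log_login_attempt(FILE *log, const char *user, int ok) {
    fprintf(log, "login %s user=%s\n", ok ? "ok" : "failed", user);
}

int main(void) {
    char name[8];
    int port, q;
    size_t bytes;
    if (copy_bounded(name, sizeof name, "averyverylongname") != 0)
        puts("name rejected: at most 7 characters are allowed");
    if (parse_port("80x", &port) != 0)
        puts("port rejected: must be a whole number from 1 to 65535");
    if (checked_alloc_size(SIZE_MAX / 2, 4, &bytes) != 0)
        puts("request rejected: size would overflow");
    if (divide_checked(10, 0, &q) != 0)
        puts("calculation rejected: divisor is zero");
    log_login_attempt(stdout, "%s%s%s", 0);   /* printed literally, not interpreted */
    return 0;
}
```

The messages printed by main are the user-facing side of error handling: they say what was wrong with the input without exposing internals, while the return codes let the program keep running instead of crashing or corrupting memory.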

Security Testing.
Testing is a crucial part of the software development life cycle. Security testing is the process of determining that the application is securing data and performing its intended functionality. Parameters including authentication, authorization, confidentiality, integrity, and nonrepudiation should be kept in mind for security testing.
The security team performs various tests to check the behavior of the system under possible attacks. Dynamic software security testing is useful for systems developed using multisource components [62]. Although it would be quite hard to develop such a security testing system at the initial stages, later on it will be more helpful for the development of secure systems. A security test plan comprising security functionality testing and risk-based security testing is useful in the validation of security aspects and the identification of security defects [63].
Code review is a time-consuming process but produces good results. The quality of the review depends upon the reviewer's competency and professionalism. Code review can produce better results for security testing [64]. Another technique in security testing is the use of checklists. Checklists are used to verify the specific measures needed for software security [65]. Test cases can be generated from misuse cases to validate the defense mechanism against an attack. A test team plays a vital role in the testing phase. Penetration testing is very useful to identify potential vulnerabilities. Penetration testing applied at the unit and system level can improve the software development life cycle [66]. Fuzz testing is also very helpful to discover software defects. Testers should put themselves in the position of attackers of the system and evaluate it for potential vulnerabilities, bugs, or flaws.

Operation and Maintenance.
Mostly, the operation and maintenance phases are not considered in security frameworks. However, this phase is as important as the other phases of the software development life cycle. Proper deployment and configuration of the system can ease the work of system administrators. Furthermore, to keep the system protected against security threats, constant updating and monitoring are required. During the operation of the software, monitoring it for security breach attempts helps to analyze and remove defects. A response process may be adopted to evaluate vulnerabilities and respond to them by releasing an update and removing other defects.
Deploying the application safely in its intended environment and running it accordingly will have a positive effect on information security, and monitoring mechanisms help in incident response operations. Other techniques, such as code isolation, protection of executables, and monitoring programs for executables, can be used to safeguard the system from environmental threats. The introduction of a feedback mechanism is very helpful for continuous improvement and updating of the system. For tracking activities, logging must be used to analyze attacks or vulnerabilities so that a countermeasure can be designed and implemented in the system.

Case Study
We use an e-travel system, an online flight ticketing application, to exemplify PDWM. Figure 3 shows the e-travel scenario, which includes inquiries about flights and online bookings.
Flight inquiries can be made by any customer, as there is no need to provide personal data. However, in the case of a complete transaction, that is, from reservation to printing of the e-ticket, customer information is required; this information should be kept confidential and hence raises the requirement to make the process secure. We will focus on this scenario to show the applicability of PDWM.
For the e-travel application, we must analyze the environment to identify threats, because the environment of the application is also a major factor that influences possible threats. As e-travel is a client-server application communicating over the Internet, attackers can misuse the system to collect customers' data such as credit card numbers. So, the main security requirements are to secure the customer's information as well as data transmission over the Internet. These two requirements are the security policies that must be adhered to when developing this application. e-travel is exposed to eavesdropping (information disclosure) threats as well [67]. Now, we can define the security requirements for the e-travel application. There are two security requirements to be addressed: one is transmitting customer information in a secure way and the other is the privacy of e-travel's database, as it contains valuable data on customer bookings.
The attack tree for obtaining customer information is depicted in Figure 4. "Obtain customer's information" is the root node of the attack tree. Branches represent different paths that an attacker can follow to achieve that goal. OR-nodes represent alternative paths, while AND-nodes are subgoals that must all be satisfied to accomplish an attack. "Looking over the shoulder" and "Threaten" attacks were deleted from the attack tree as they relate to physical security.
When a customer is interested in buying a ticket, the customer's credentials will be transmitted in encrypted form. 256-bit AES can be used to encrypt the information on the client side before transmitting it over the communication channel. In addition, auto-generated session keys with an expiration duration can be used to enhance the security of the communication. On the server side, the information will be decrypted and processed accordingly.
Several programming languages can be used for the implementation of e-travel. We selected PHP, as it is open source and suitable for our sample application, and MySQL (CE) for the database.
256-bit AES is used to encrypt the customer's information on the client side using JavaScript before transmitting it over the Internet to the server. This will ensure the confidentiality of data over a public network. All inputs will be validated for type and length. Typecasting, if not implemented properly, can produce errors. To avoid buffer overflow errors, buffer sizes will be fixed so that they can be checked before use.
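The server side of the session-key scheme just described, as an added example that is not the paper's or the e-travel project's code: the 15-minute key lifetime, the in-memory key store and the function names are assumptions, a PHP function stands in for the client-side JavaScript encryption so the script runs on its own, and how the session key reaches the client is not specified by the paper.

```php
<?php
// Added example, not the paper's code: the server side of the AES-256
// session-key scheme described for e-travel. The 15-minute lifetime, the
// in-memory key store and the function names are assumptions, and how the
// session key reaches the client is not specified by the paper.
// encryptForTransport() stands in for the client-side JavaScript.

const SESSION_KEY_LIFETIME = 900; // seconds (assumed value)

// Issue a fresh 256-bit session key and record when it expires.
function issueSessionKey(array &$store, string $sessionId): string
{
    $key = random_bytes(32);
    $store[$sessionId] = ['key' => $key, 'expires' => time() + SESSION_KEY_LIFETIME];
    return $key;
}

// Stand-in for the client: AES-256-GCM, so tampering is detected on decrypt.
function encryptForTransport(string $plain, string $key): array
{
    $iv = random_bytes(12); // fresh nonce per message; never reused with the same key
    $tag = '';
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return ['iv' => base64_encode($iv), 'ct' => base64_encode($ct), 'tag' => base64_encode($tag)];
}

// Server side: refuse unknown or expired session keys, then decrypt and
// verify the authentication tag. Returns null on any failure.
function decryptCustomerData(array $store, string $sessionId, array $msg): ?string
{
    if (!isset($store[$sessionId]) || $store[$sessionId]['expires'] <= time()) {
        return null; // unknown session, or key past its expiration duration
    }
    $plain = openssl_decrypt(base64_decode($msg['ct']), 'aes-256-gcm',
        $store[$sessionId]['key'], OPENSSL_RAW_DATA,
        base64_decode($msg['iv']), base64_decode($msg['tag']));
    return $plain === false ? null : $plain; // false means the tag did not verify
}

// Constructed sample data; the card number is a placeholder.
$store = [];
$key = issueSessionKey($store, 'sess-42');
$msg = encryptForTransport('{"name":"A. Customer","card":"4111-xxxx-xxxx-xxxx"}', $key);
var_dump(decryptCustomerData($store, 'sess-42', $msg));       // intact message
$msg['ct'] = base64_encode("\0" . base64_decode($msg['ct']));  // ciphertext altered in transit
var_dump(decryptCustomerData($store, 'sess-42', $msg));
$store['sess-42']['expires'] = time() - 1;                     // session key past its lifetime
var_dump(decryptCustomerData($store, 'sess-42', $msg));
```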
Here are two PHP coding examples for reference. One is the validation of input for alphanumeric characters and the other is relevant to limiting the length of a text string.

// Check if string contains characters other than alphanumeric
$alphaNum = "1234567teststring@#&-]";

[68, 69]. Both tools are open source, support multiple platforms, are easy to use, handle cutting-edge web technologies, and have a low false positive rate. Any detected bugs in this stage should be rated so that bugs with a higher priority are removed first. A port scanner tool can be used to scan the ports on the web server. Any unused open ports should immediately be closed or disabled to avoid any vulnerability or attack. The e-travel system generates logs for thrown exceptions. These logs will be analyzed for errors and potential attacks, and remedial measures will be taken to secure the system. Table 2 shows the security vulnerabilities and their potential risks for the e-travel scenario based on STRIDE.
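Both validations named above (the alphanumeric check and the length limit), applied to e-travel input fields and with each rejection logged for later analysis as the text proposes, as an added example that is not the paper's code; the field names, their maximum lengths and the log file path are assumptions.

```php
<?php
// Added example, not the paper's code: the two validations described above
// (alphanumeric check and length limit) for e-travel input fields, with
// each rejection logged for later analysis as the text proposes. Field
// names, maximum lengths and the log file path are assumptions.
// Lengths are fixed up front so they can be checked before a value is used.
const FIELD_MAX_LENGTH = ['booking_ref' => 6, 'passenger_name' => 60];
class ValidationException extends RuntimeException {}

// Returns the value if it is a string of acceptable length containing only
// the characters allowed for the field; throws otherwise.
function validateField(string $field, $value): string
{
    if (!is_string($value)) {
        throw new ValidationException("$field: expected a string");
    }
    $len = strlen($value);
    if ($len === 0 || $len > FIELD_MAX_LENGTH[$field]) {
        throw new ValidationException("$field: length $len outside 1.." . FIELD_MAX_LENGTH[$field]);
    }
    // Booking references are strictly alphanumeric: ctype_alnum() accepts only [A-Za-z0-9].
    if ($field === 'booking_ref' && !ctype_alnum($value)) {
        throw new ValidationException("$field: contains a non-alphanumeric character");
    }
    // Names may additionally contain spaces, apostrophes and hyphens.
    if ($field === 'passenger_name' && !preg_match("/^[A-Za-z][A-Za-z '-]*$/", $value)) {
        throw new ValidationException("$field: contains a disallowed character");
    }
    return $value;
}

// Validate a booking request; on failure, log the reason (never the raw
// value, which may itself be an attack payload) and return null.
function validateBookingRequest(array $request, string $logFile): ?array
{
    try {
        return [
            'booking_ref'    => validateField('booking_ref', $request['booking_ref'] ?? null),
            'passenger_name' => validateField('passenger_name', $request['passenger_name'] ?? null),
        ];
    } catch (ValidationException $e) {
        error_log(date('c') . ' validation rejected: ' . $e->getMessage() . PHP_EOL, 3, $logFile);
        return null;
    }
}

// Constructed sample requests; the last one reuses the paper's test string.
$log = sys_get_temp_dir() . '/etravel-validation.log';
var_dump(validateBookingRequest(['booking_ref' => 'AB12CD', 'passenger_name' => "Mary O'Neil"], $log));
var_dump(validateBookingRequest(['booking_ref' => 'AB12C]', 'passenger_name' => 'Mary'], $log));
var_dump(validateBookingRequest(['booking_ref' => '1234567teststring@#&-]'], $log));
```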
Table 1 shows that the critical areas of focus are the boundary processes and databases. It is necessary for the development team to explore security requirements for these areas in all phases of the SDLC. It would be necessary to write functional requirements as well as quantify nonfunctional requirements during the requirements phase of development. The requirements should be modifiable and traceable as new requirements emerge. During the design phase, security aspects such as encryption, session identifiers, authentication, authorization, lease, and checksums should be included in the design. Furthermore, access lists could  When compared with the traditional waterfall model, security aspects would emerge only once the product is deployed, causing errors and exceptions that could potentially destroy a business by increasing the cost of the fix. Using PDWM could ensure that security policies are embedded in all phases so that appropriate countermeasures could be included in the design and implementation.
We have further compared the effectiveness of PDWM by developing security test cases. These security test cases are developed for the case given in Figure 3. There are a total of 12 security test cases for the security vulnerabilities of the components of the e-travel scenario, as shown in Table 2. Compared with the techniques for secure software development listed in Section 2, Table 3 shows that PDWM can identify security vulnerabilities at an earlier stage of development. It can be seen that PDWM can identify 33% more security vulnerabilities when using SOA.

Conclusions
This paper presents PDWM, which uses security policies in software development. The security policies are embedded in each phase of waterfall-based software development. The security policies include the security-related requirements that must be considered during the SDLC. A framework that supports the security policies is given in this paper. This framework is applied to an e-travel case study to ascertain its effectiveness.
PDWM embodies best practices in each phase of software development, starting from requirements up to maintenance. These best practices help system analysts and developers to develop secure software products. Adhering to these practices can result in a secure, reliable, and efficient system that can proactively defend against security threats, especially when it comes to developing software for smart environments. PDWM is limited to the secure development of medium-sized and low-risk software products having stable requirements. There is a need to explore the effectiveness of PDWM for developing high-risk software products that have dynamically changing requirements, using agile methods. The authors list some limitations and how PDWM addresses them in Table 4. The limitations presented in Table 4 can be used as future work. While PDWM lacks the advantages of the iterative development model, the search for a policy-driven agile development goes on.

Rigidity
Since PDWM is developed sequentially, there is little room for error. However, the inclusion of security vulnerabilities and their solutions in each phase reduces the risks. A risk management phase can further reduce the need for change once a phase is completed.

Change handling
A change that occurs after a phase is completed can be handled, as there are feedback loops in PDWM; however, the cost is higher than with agile techniques. PDWM suffers from a cost vs. security trade-off: while security handling is enhanced, the cost of change handling cannot be reduced. This is also true for the late discovery of requirements that could lead to newer security vulnerabilities.

Flexibility
PDWM is not a flexible model like agile techniques. However, when considering security vulnerabilities, flexibility is a desired feature. PDWM addresses flexibility by employing an experienced team and exhaustively enlisting all security requirements for all stages of the SDLC.

Delayed feedback
PDWM prioritizes security over all other requirements. It is envisaged that user involvement should increase in each phase to reduce delayed feedback from the user.

Exhaustive requirement gathering
Since the team is composed of experienced members, it is impossible to exhaustively gather all requirements during the requirements phase. However, change is still possible and can be handled using the feedback loop at a higher cost.

Large projects
While PDWM is not suitable for large projects, a component-based approach can be utilized in which multiple teams develop components using PDWM.

Risk management
There is no risk management phase explicitly embedded in the model; however, the risks of each security vulnerability are considered, and security requirements are generated for each phase.

12 Journal of Engineering

Figure 1: A security policy framework.
Figure 2: A policy-driven waterfall model for secure software development.
Table 1: Comparison of related works.
Table 2: Security vulnerabilities and risks for e-travel.
Table 3: Comparison of security test cases between PDWM and other techniques.
Table 4: Limitations and their responses in PDWM.
much more on the lines of the waterfall method of SDLC with a serial execution. This ensures a stable development model useful for an experienced team