Using Security Patterns to Tailor Software Process

Secure software development processes can reduce the quantity of security errors and the vulnerabilities involved in software projects. A secure development process is composed by activities that propose the insertion of security requirements in all software development phases. These activities can be based on standards and/or security models such as SSE-CMM, ISO/IEC 27001, ISO/IEC 15408. The problem is that the standards and security models describe security requirements which can be followed but do not describe how these requirements must be implemented in software processes. Security patterns describe good security practices which can be incorporated to the software process and satisfy the requirements that are described by the standards and models. This work proposes a methodology for the tailoring of software processes based on security requirements that are defined by the security practices of the Systems Security Engineering Capability Maturity Model (SSE-CMM). The tailoring has as basis a process framework that is elaborated from the Rational Unified Process (RUP) and security patterns proposed on the literature.