Security versus Compliance: An Empirical Study of the Impact of Industry Standards Compliance on Application Security

Abstract

The integration of security aspects into software development is an open topic, especially in highly regulated industries where standards are accompanied by a high degree of complexity. The research question of this paper relates to the misconception of industry standards compliance and security in the field of software development. Cyber attackers are constantly inventing new tools to penetrate systems and exploit even the most minor flaws, and adherence to an industry standard is not a solution. In this study, an empirical investigation is conducted over a six-month period to observe various customer relationship management (CRM) systems. To analyze and anticipate the vulnerabilities of various CRMs, penetration testing methodologies and cross-project prediction approaches are employed. Classification using multiple machine learning approaches is utilized in the study to increase the discovery of vulnerable components in each CRM. The Student [Formula: see text]-test is also used to assess if the mean values of the two CRM datasets are substantially different from each other in order to evaluate the efficacy of overall security and its features. The results show that security best practices during application development have a significant influence on applications created in regulated environments. The action research approach used to validate this study provided positive results and its feasibility in practice to optimize security throughout the application development. This study adds to the literature on information security management systems (ISMS) and best practices in application development in terms of creating and implementing opportunities based on broader information security management measures.