Proposal of a methodological model for the management and adoption of secure practices in software development teams at a Costa Rican banking entity
Abstract
The Costa Rican banking sector faces growing exposure to cyber threats, in a context where the digitalization of financial services increases the attack surface and institutional dependence on technology. Despite the existence of national and international regulations aimed at protecting information, significant gaps persist in the systematic integration of secure software development practices within technical teams, particularly in the early phases of the development lifecycle.
This applied research aimed to propose a structured methodological model that facilitates the management and adoption of secure software development practices in an entity of the Costa Rican public banking sector. To that end, a mixed-methods study was carried out, combining a diagnosis of the current state through a survey of 25 professionals in the development area with a comparative analysis of the international frameworks OWASP SAMM, Microsoft Security Development Lifecycle (SDL) and the NIST Secure Software Development Framework (SSDF).
The results show that the surveyed professionals place a high conceptual value on security; however, implementation was found to be predominantly reactive, concentrated in the coding and testing phases, with limited integration in the design and planning stages. Likewise, a low formal adoption of international standards was observed, reflecting the absence of a methodological guide adapted to the national organizational and regulatory context.
In response to these gaps, a methodological model was designed, composed of eight structured domains that integrate governance, a secure software development lifecycle (SSDLC), requirements management, incident response, supplier management, organizational culture, technological automation and metrics for continuous improvement. The model articulates the principles of Secure by Design, shared responsibility and incremental maturity, aligning international good practices with the operational characteristics of the Costa Rican banking sector.
It is concluded that adopting a structured and contextualized methodological approach not only strengthens the institution's cybersecurity posture but also contributes to transparency, operational resilience and public trust in the national financial system.
The Costa Rican banking sector operates in an increasingly complex cybersecurity landscape, where digital transformation has expanded the attack surface and heightened institutional technological dependency. Despite the existence of national and international regulatory frameworks aimed at safeguarding financial information, significant gaps remain in the systematic integration of secure software development practices within technical teams, particularly during the early stages of the software development lifecycle. This applied research aimed to propose a structured methodological model to facilitate the management and adoption of secure software development practices within a public banking institution in Costa Rica. A mixed-methods approach was employed, combining a diagnostic assessment through a survey administered to 25 software development professionals with a comparative analysis of internationally recognized frameworks: OWASP SAMM, Microsoft Security Development Lifecycle (SDL), and the NIST Secure Software Development Framework (SSDF). Findings reveal a strong conceptual awareness of the importance of security among professionals; however, implementation remains largely reactive, concentrated in coding and testing phases, with limited integration during design and planning stages. Additionally, a low formal adoption of international standards was identified, highlighting the absence of a context-adapted methodological guide aligned with national regulatory and organizational realities. In response to these gaps, an eight-domain methodological model was designed, integrating governance, secure software development lifecycle (SSDLC), security requirements management, incident response, third-party management, organizational culture, technological automation, and metrics for continuous improvement.
The model incorporates principles such as Secure by Design, shared responsibility, and incremental maturity, aligning global best practices with the operational characteristics of the Costa Rican banking sector. It is concluded that adopting a structured and context-sensitive methodological approach strengthens institutional cybersecurity posture while enhancing transparency, operational resilience, and public trust in the national financial system.
Keywords
Software development, Secure software development, Secure software development practices