Effectiveness of Software Project Management Based on Capability Maturity Model Integration in the Implementation of Secure Software Development Life Cycle at PT XYZ
Abstract
This study evaluates the implementation of the Secure Software Development Life Cycle (S-SDLC) and examines the effectiveness of software project management based on the Capability Maturity Model Integration (CMMI) version 3 at PT Magicsoft Teknologi Indonesia. A qualitative research approach was employed using in-depth interviews, observations, and documentation analysis. Empirical findings were triangulated and mapped against S-SDLC indicators and twelve CMMI v3 Practice Areas (PAs) grouped into Doing, Managing, and Enabling. The findings indicate that S-SDLC has been integrated throughout the software development lifecycle, positioning security as a built-in process rather than a reactive add-on. Security-relevant practices collectively enhance software quality, system stability, and preventive security governance. With regard to project management effectiveness, the study shows that most PAs reached Capability Level 3 (Defined), reflecting a mature level of process standardization at the project level. However, effectiveness was more prominent in terms of quality, security, and process control, while schedule performance faced pressure due to workload imbalances and resource capacity constraints. These findings highlight that software project effectiveness is inherently multidimensional and cannot be assessed solely through schedule adherence. The study contributes to theory by demonstrating that CMMI v3 can serve as an evaluative framework compatible with S-SDLC and enriches project management discourse by positioning security as an integral dimension of process effectiveness. Practically, the study provides a fit-for-purpose internal evaluation framework for software development organizations seeking to improve process maturity without formal appraisal.
Copyright (c) 2026 Muhammad Hanifudin, Hussein Satrio

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.