A Cross-role and Bi-national Analysis on Security Efforts and Constraints of Software Development Projects

Abstract

Software security, which is often regarded as a non-functional requirement, tends to be less prioritized than other explicit requirements in development projects. For designing security measures that can be used in software development, we must understand the obstacles that prevent the adoption of secure software development practices. In this study, we quantitatively analyzed security efforts and constraints of software development projects through an online survey of software development professionals in the US and Japan (N=664). We revealed how certain characteristics of a development project, such as the project's contractual relationships or the software's target users, influence security efforts and constraints. In addition, by comparing the survey results of two groups (developers and managers), we revealed how the gap in their security efforts and constraints influences software security. We believe the results provide insights toward designing usable measures to assist security-related decision-making in software development and conducting appropriate surveys targeting software development professionals.