Surveying Security Practice Adherence in Software Development

HotSoS(2017)

Abstract
Software development teams are increasingly incorporating security practices into their software development processes. However, little empirical evidence exists on the costs and benefits associated with the application of security practices. Balancing the trade-off between the costs in time, effort, and complexity of applying security practices and the benefit of an appropriate level of security in delivered software requires measuring security practice benefits and costs. The goal of this research is to support researcher investigations of software development security practice adherence by building and validating a set of security practices and adherence measures through literature review and survey data analysis. We extracted 16 software development security practices from a review of the literature, and established a set of adherence measures based on technology acceptance theory. We built a survey around the 13 most common practices and our adherence measures. We surveyed 11 security-focused open source projects to collect empirical data as a test of our theorizing about practice adherence. In our collected survey data, each of the 13 security practices we identified was used daily by at least one survey participant. Tracking vulnerabilities and applying secure coding standards are the practices most often applied daily. In our data, Ease of use, Effectiveness, and Training, measured via Likert items, did not always show the expected theoretical relationship with practice use. In our data, Training is positively correlated with practice use, while Effectiveness and Ease of use vary in their correlations with practice use on a practice-by-practice basis.