Surveying Security Practice Adherence in Software Development


ABSTRACT: Software development teams are increasingly incorporating security practices into their software development processes. However, little empirical evidence exists on the costs and benefits associated with the application of security practices. Balancing the trade-off between the costs in time, effort, and complexity of applying security practices and the benefit of an appropriate level of security in delivered software requires measuring security practice benefits and costs. The goal of this research is to support researcher investigations of software development security practice adherence by building and validating a set of security practices and adherence measures through literature review and survey data analysis. We extracted 16 software development security practices from a review of the literature, and established a set of adherence measures based on technology acceptance theory. We built a survey around the 13 most common practices and our adherence measures. We surveyed 11 security-focused open source projects to collect empirical data as a test of our theorizing about practice adherence. In our collected survey data, each of the 13 security practices we identified was used daily by at least one survey participant. Tracking vulnerabilities and applying secure coding standards are the practices most often applied daily. In our data, Ease of use, Effectiveness, and Training, measured via Likert items, did not always show the expected theoretical relationship with practice use. In our data, Training is positively correlated with practice use, while Effectiveness and Ease of use vary in their correlations with practice use on a practice-by-practice basis.

Patrick J. Morrison received the BS degree in computer science from the University of Florida and the MS degree in computer science from Florida Atlantic University. He is currently working toward the PhD degree in the Computer Science department at NCSU under the supervision of Dr. Laurie Williams. His research interests are in empirical software engineering, security, and developer productivity. He has interned at Microsoft Research and IBM. He worked as a developer and consultant before returning to academia.

License: CC-2.5
Submitted by Laurie Williams on