The Impact of Software Security Practices on Development Effort: An Initial Survey

2019 
Background: Software projects are facing the need to adopt security practices during the software development life cycle (SDLC). Nevertheless, the amount of effort to be invested in order to achieve a certain level of software security is not clear yet. Aims: The goal of this study is to get an overview of the application of software security practices in the industry and to identify the impact of the introduction of such activities in software development projects in terms of effort/cost. Method: We conducted a survey on a software security group of a professional social network by applying a random sampling strategy to establish a representative set of participants. Results: The questionnaire was fully answered by 110 participants, from the 808 profiles that were invited from the sampling frame. The results show that security practices have been applied thoroughly in the projects and revealed high variability in secure software development effort across the participants’ projects. Further research is needed to understand the different professionals’ perspectives regarding security effort in projects. As lessons learned, we found that the professional social network offered a demographically diverse sampling frame, but this comes with hurdles that need to be overcome. Conclusions: The experiences of the participants showed that security is a factor that drives effort in software projects, and security practices need to be taken into account when planning software development initiatives. Our findings about the current state of practices and adoptions can help practitioners and researchers in future endeavors.