Please use this identifier to cite or link to this item: http://studentrepo.iium.edu.my/handle/123456789/10747
Title: An investigation of factors affecting secure software development practices adoption
Authors: Zulfikar Ahmed Maher
Supervisor: Asadullah Shah, Ph.D
Hazwani Mohd Mohadis, Ph.D
Noor Hayani Abd Rahim, Ph.D
Subject: Computer security
Application software -- Development
Computer networks -- Security measures
Year: 2021
Publisher: Kuala Lumpur : Kulliyyah of Information and Communication Technology, International Islamic University Malaysia, 2021
Abstract in English: Software developers have not consistently considered security from the initial design phase of software development. As a result, there is an abundance of software systems with weak security. The solution proposed by academia and industry is to integrate security into the various stages of the software development life cycle. Acceptance by all software developers and stakeholders is necessary for the successful adoption of this paradigm shift within an organization. A number of secure development methodologies have been proposed by industry and academia, but most of them have been ignored by developers. The objective of this research is to identify the factors influencing developers to adopt secure software development practices. The extent to which developers adopt secure software development practices is crucial to the successful development of secure software. In this research, an integrated model based on the Unified Theory of Acceptance and Use of Technology 2 (UTAUT2) model is proposed and validated. This research uses a sequential explanatory mixed-methods research design to achieve the desired research aims. A survey questionnaire was used for quantitative data collection, and interviews were conducted in the second, qualitative stage with 04 experts from the software industry. According to the proposed conceptual model, the adoption of secure software development practices was determined by eight factors: performance expectancy (PE), effort expectancy (EE), social influence (SI), facilitating conditions (FC), habit (HT), secure software development awareness (SSDAW), top management involvement (TPM) and readiness for change (RFC). The model was tested on a sample of 382 software engineers and developers around the Klang Valley, Malaysia. Using structural equation modeling with SmartPLS software, data analysis showed that 11 out of 14 hypothesized paths were significant.
The results revealed that performance expectancy (PE), effort expectancy (EE), social influence (SI), facilitating conditions (FC), habit (HT), top management involvement (TPM), secure software development awareness (SSDAW) and readiness for change (RFC) had a significant effect on developers’ behavioral intention (BI) to adopt secure software development practices and on use behavior (UB) among software developers. The findings revealed that behavioral intention is explained by PE, EE, FC, SI, HT, SSDAW, TPM and RFC. Similarly, use behavior is explained by behavioral intention (BI), SSDAW and FC. The findings of the study showed that the proposed model achieved an acceptable fit with the data. Based on the identified key factors, an integrated model was developed and validated to predict the adoption of secure software development practices by software developers in the industry. In the second phase of the study, qualitative results were obtained from interviews with 04 industry experts to confirm the quantitative results. It was found that the quantitative and qualitative approaches contributed complementary results. This research seeks to supplement the existing literature on security integration in the software development life cycle and to provide software development firms with strategies and guidelines for successfully introducing and integrating secure software development practices within their organizations. This research provides more reliable results than previous studies, as both quantitative and qualitative techniques are used to find out the factors, opinions and suggestions from people working in the software industry.
Call Number: t QA 76.9 A25 Z94I 2021
Kulliyyah: Kulliyyah of Information and Communication Technology
Programme: Doctor of Philosophy in Information Technology
URI: http://studentrepo.iium.edu.my/handle/123456789/10747
Appears in Collections: KICT Thesis

Files in This Item:
File | Description | Size | Format
t11100393775ZulfikarAhmedMaher_24.pdf | 24 pages file | 498.69 kB | Adobe PDF
t11100393775ZulfikarAhmedMaher_SEC.pdf (Restricted Access) | Full text secured file | 2.44 MB | Adobe PDF


Items in this repository are protected by copyright, with all rights reserved, unless otherwise indicated. Please give due acknowledgement and credits to the original authors and IIUM where applicable. No items shall be used for commercialization purposes except with written consent from the author.