Surveying Secure Software Development Practices in Finland

Combining security engineering and software engineering is reshaping software development processes and shifting the emphasis of information security from the operating environment to the main information asset: the software itself. To protect software and data assets, software development is subjected to an increasing amount of external regulation and organizational security requirements. To fulfill these requirements, practitioners producing secure software have plenty of models, guidelines, standards and security instructions to follow, but very little scientific knowledge about the effectiveness of the security measures they take. In this paper, we review the current state of security engineering surveys and present results from our industrial survey (n = 62) performed in early 2018. The survey was conducted among selected software and security professionals employed by a selected set of 303 Finnish software companies. The results are compared to a commercial survey, the BSIMM version 8, and the similarities and distinct differences are discussed. Also, an analysis of the composition of security development life cycle models is presented, suggesting regulation to be the driving force behind security engineering in the software industry.
