No Silver Bullet: Towards Demonstrating Secure Software Development for Danish Small and Medium Enterprises in a Business-to-Business Model

Raha Asadi, Bodil Biering, Vincent van Dijk, Oksana Kulyk, Elda Paja

TL;DR

This study investigates how Danish SMEs demonstrate software security in business-to-business contexts, motivated by the need to satisfy customers and regulatory expectations. It uses semi-structured ethnographic interviews (N=16) with Danish SMEs and a validation workshop (N=6) to identify five security demonstration approaches: Certifications, Tests/Reports, Questionnaires, Interactive Sessions, and Social Proof. The findings discuss the costs, reliability, and accessibility of each approach, highlighting that no single method suffices and that hybrid, context-aware strategies are needed. The work contributes practical recommendations for industry, academia, and regulators, and suggests future research on combining demonstration methods, accessible certifications, automated testing tools, and structured interactive formats. Overall, the paper advances understanding of how SMEs can credibly convey security status to diverse stakeholders while balancing resource constraints and varying client demands.

Abstract

Software-developing small and medium enterprises (SMEs) play a crucial role as suppliers to larger corporations and public administration. It is therefore necessary for them to be able to demonstrate that their products meet certain security criteria, both to gain the trust of their customers and to comply with standards that demand such a demonstration. In this study we have investigated ways for SMEs to demonstrate their security when operating in a business-to-business model, conducting semi-structured interviews (N=16) with practitioners from different SMEs in Denmark and validating our findings in a follow-up workshop (N=6). Our findings indicate five distinctive security demonstration approaches, namely: Certifications, Reports, Questionnaires, Interactive Sessions and Social Proof. We discuss the challenges, benefits, and recommendations related to these approaches, concluding that none of them is a one-size-fits-all solution and that more research into the relative advantages of these approaches and their combinations is needed.

Paper Structure

This paper contains 51 sections, 3 figures, 1 table.

Figures (3)

  • Figure 1: Study process overview
  • Figure 2: Five key methods for security demonstration and what they each encompass
  • Figure 3: Photograph of workshop notes