Challenges in Developing Secure Software -- Results of an Interview Study in the German Software Industry

Alex R. Mattukat, Timo Langstrof, Horst Lichter

TL;DR

The paper addresses the persistent gap between available security guidelines and real-world secure software development by conducting an interview study with 19 industry experts from 12 German software companies. It identifies 13 challenges grouped into three categories: processes and organization, security complexity, and knowledge/staff, highlighting cost, workload, awareness, and continuous change as core drivers. The findings underscore that securing software is as much an organizational and cultural issue as a technical one, calling for security-by-design adoption, improved processes, and better alignment of incentives. The work provides actionable directions for research and practice to enhance secure software development in industry contexts.

Abstract

The damage caused by cybercrime makes the development of secure software inevitable. Although many tools and frameworks exist to support the development of secure software, statistics on cybercrime show no improvement in recent years. To understand the challenges software companies face in developing secure software, we conducted an interview study with 19 industry experts from 12 cross-industry companies. The results of our study show that the challenges are mainly due to high complexity, a lack of security awareness, and unsuitable processes, which are further exacerbated by an immediate lack of skilled personnel. This article presents our study and the challenges we identified, and derives potential research directions from them.

Paper Structure

This paper contains 23 sections, 1 figure, 1 table.

Figures (1)

  • Figure 1: Identified challenges, sorted by their category