Security in the Software Development Lifecycle.

SOUPS @ USENIX Security Symposium (2018)

Citations: 178 | Views: 41
Abstract
We interviewed developers currently employed in industry to explore real-life software security practices during each stage of the development lifecycle. This paper explores steps taken by teams to ensure the security of their applications, how developers' security knowledge influences the process, and how security fits in (and sometimes conflicts with) the development workflow. We found a wide range of approaches to software security, if it was addressed at all. Furthermore, real-life security practices vary considerably from best practices identified in the literature. Best practices often ignore factors affecting teams' operational strategies. Division of labour is one example, whereby complying with best practices would require some teams to restructure and reassign tasks, an effort typically viewed as unreasonable. Other influential factors include company culture, security knowledge, external pressure, and experiencing a security incident.