Analyzing the Use of Public and In-house Secure Development Guidelines in US and Japanese Industries

Secure development guidelines contribute to improving software security from the development stage by making developers aware of the risks to be assumed, the necessary security countermeasures, and how to implement them. In this study, we investigated the actual utilization of guidelines and their usability in the industry through a survey of software development professionals in the U.S. and Japan (N =396 in the U.S. and N = 474 in Japan). Our quantitative analysis revealed that "in-house" guidelines not examined in most existing studies are in fact widely utilized in the industry and also clarified how they are related to the use of public guidelines. In addition, we found that the practices for implementing guidelines recommended by existing studies are difficult for software development professionals with certain attributes, e.g., those who are working on small projects. The findings demonstrate the need for lightweight recommended practices taking into account organizational issues at industrial development sites that are easy for developers to implement.