Software security in practice: knowledge and motivation

Developing secure software remains a challenge for developers despite the availability of security resources and secure development tools. Common factors affecting software security include the developer's security awareness and the rationales behind their development decisions with respect to security. In this work, we conducted interviews with software developers to examine how developers in organizations acquire security knowledge, and what factors motivate or prevent developers from adopting software security practices. Our analysis reveals that developers' security knowledge and motivations are intertwined aspects that are both important for promoting security in development teams. We identified a variety of learning opportunities used by developers and employers for increasing security awareness, including in-context learning activities preferred by developers. Based on our application of the self-determination theory, better security outcomes are expected when developers are internally driven toward security, rather than motivated by external factors; this aligns with our interpretation of participants' descriptions relating to security outcomes within their teams. Based on our analysis, we provide ideas on how to motivate developers to internalize security and improve their security practices.