[Paper] Challenges in Developing Secure Software -- Results of an Interview Study in the German Software Industry
Source: arXiv - 2512.07368v1
Overview
A recent interview study of 19 security‑focused professionals across 12 German software firms uncovers why secure‑by‑design remains elusive despite a flood of tools and frameworks. The authors pinpoint three intertwined root causes—technical complexity, low security awareness, and misaligned development processes—while also highlighting a critical talent shortage. Their findings map out concrete research and practice gaps that could shape the next wave of secure‑software initiatives.
Key Contributions
- Empirical evidence from a cross‑industry interview series that maps the real‑world obstacles to building secure software.
- Three high‑level challenge categories (complexity, awareness, process) that explain why existing security tooling often fails to deliver.
- Identification of a talent bottleneck: a shortage of skilled security engineers that amplifies all other challenges.
- Actionable research agenda linking each challenge to potential academic and industry interventions (e.g., better education, process redesign, tooling integration).
- Practical checklist for managers to self‑diagnose security gaps in their own development pipelines.
Methodology
The researchers conducted semi‑structured interviews (≈45 min each) with senior developers, architects, and security leads from 12 companies spanning finance, automotive, healthcare, and telecom. Participants were selected to represent a mix of company sizes and maturity levels. Interview transcripts were coded using thematic analysis: two independent coders iteratively derived a codebook, reconciled differences, and clustered codes into the three overarching challenge themes. The qualitative approach ensures the insights reflect lived industry experience rather than theoretical speculation.
Results & Findings
| Challenge | What the interviewees said | Why it matters |
|---|---|---|
| High technical complexity | Modern stacks (micro‑services, cloud, CI/CD) introduce many attack surfaces; security tools struggle to keep up. | Increases the cognitive load on developers, leading to missed vulnerabilities. |
| Lack of security awareness | Security is often seen as a “nice‑to‑have” afterthought; developers receive minimal training. | Vulnerabilities are introduced early and propagate through the pipeline. |
| Unsuitable development processes | Agile sprint cycles prioritize feature velocity; security checks are either postponed or performed manually. | Formal security gates become bottlenecks or are bypassed altogether. |
| Talent shortage | Companies cannot recruit enough qualified security engineers; existing staff are over‑burdened. | Limits the ability to perform thorough threat modeling, code reviews, and incident response. |
Collectively, these factors explain why the proliferation of security tools has not translated into measurable reductions in cybercrime statistics.
Practical Implications
- Shift‑left security must be more than a buzzword: Integrate lightweight, automated checks (e.g., static analysis, dependency scanning) directly into CI pipelines to match agile cadence.
- Invest in continuous security education: Short, role‑specific training modules can raise baseline awareness without pulling developers off sprint work.
- Redesign processes to include security “ownership”: Assign a security champion per team who bridges the gap between security experts and developers.
- Leverage “security as a service”: For firms struggling with talent, outsource certain activities (e.g., penetration testing, threat modeling) while building internal capability over time.
- Tool‑process co‑design: Choose tools that fit existing workflows (e.g., IDE plugins, pull‑request bots) to reduce friction and increase adoption.
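The first and last bullets above both come down to a gate that runs in the pull‑request pipeline without becoming the bottleneck the interviewees describe. The following is an added example written for this summary, not code from the paper or its authors: a small Python policy gate that reads SARIF 2.1.0 output (the interchange format most static‑analysis and dependency scanners can emit), blocks the merge only on findings at the `error` level, and lets a team record accepted findings in a baseline so that known, triaged issues do not keep failing every build. The SARIF document embedded below is constructed for the example; the rule ids, file paths and tool name in it are placeholders, and the way a real pipeline would pass the baseline (a checked‑in file, for instance) is an assumption.

```python
"""Severity-based merge gate over SARIF scanner output (added example)."""
import json
import sys
from collections import Counter

# Constructed sample SARIF document, not the output of any real scanner run.
# Three findings: one blocking ("error"), one "warning", one "note".
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},  # placeholder tool name
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "query built from request input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for integrity check"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/upload.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "debug-logging", "level": "note",
             "message": {"text": "verbose logging left enabled"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/settings.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})

# Only these SARIF levels fail the build; warnings and notes are reported
# but do not stall the sprint, which is the trade-off the study points at.
BLOCKING_LEVELS = frozenset({"error"})


def load_findings(sarif_text):
    """Flatten a SARIF document into simple finding records."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            locations = result.get("locations") or [{}]
            physical = locations[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                # SARIF defines "warning" as the default when level is absent.
                "level": result.get("level", "warning"),
                "file": physical.get("artifactLocation", {}).get("uri", "?"),
                "line": physical.get("region", {}).get("startLine", 0),
            })
    return findings


def evaluate_gate(findings, baseline=frozenset(), blocking_levels=BLOCKING_LEVELS):
    """Decide whether the change is blocked.

    A finding blocks the merge when its level is in blocking_levels and the
    (rule, file) pair is not in the team's accepted baseline.  Returns
    (blocked, blocking_findings, counts_per_level).
    """
    blocking = [
        f for f in findings
        if f["level"] in blocking_levels and (f["rule"], f["file"]) not in baseline
    ]
    counts = dict(Counter(f["level"] for f in findings))
    return bool(blocking), blocking, counts


def run_gate(sarif_text, baseline=frozenset()):
    """CI entry point: print a short report and return the process exit code."""
    findings = load_findings(sarif_text)
    blocked, blocking, counts = evaluate_gate(findings, baseline)
    print("findings by level:", counts)
    for f in blocking:
        print(f"BLOCKING {f['rule']} at {f['file']}:{f['line']}")
    return 1 if blocked else 0


if __name__ == "__main__":
    # Real usage would read the scanner's SARIF file and a checked-in baseline
    # (assumed layout); here the constructed sample is used so it runs offline.
    sys.exit(run_gate(SAMPLE_SARIF))
```

Run as a pipeline step after the scanner, the script fails the check only for the untriaged `error` finding; adding `("sql-injection", "app/db.py")` to the baseline lets an explicitly accepted risk through while the counts still surface in the build log for the security champion to review.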
Limitations & Future Work
- Geographic focus: All participants were based in Germany, so cultural or regulatory nuances elsewhere may yield different challenge profiles.
- Sample size: Nineteen interviews provide depth but may not capture the full spectrum of industry practices, especially in startups or highly regulated sectors.
- Static snapshot: The study reflects a specific point in time; rapid changes in cloud‑native tooling could shift the balance of challenges.
The authors suggest expanding the study to other regions, increasing the number of participants, and longitudinally tracking how interventions (e.g., security champion programs) affect the identified challenges.
Authors
- Alex R. Mattukat
- Timo Langstrof
- Horst Lichter
Paper Information
- arXiv ID: 2512.07368v1
- Categories: cs.SE, cs.CR
- Published: December 8, 2025