Secure Software Engineering in the Financial Services: A Practitioners' Perspective
Vivek Arora, Enrique Larios Vargas, Maurício Aniche, Arie van Deursen

TL;DR
This study explores how financial services software teams incorporate security practices, face challenges, and perceive improvements, highlighting the gap between security research and practical implementation in a global context.
Contribution
It provides qualitative insights into security practices, challenges, and knowledge-sharing among financial software practitioners through interviews across multiple continents.
Findings
Practitioners consider security at various development phases.
Existing security tools need significant improvements.
Knowledge sharing is vital for security learning.
Abstract
Secure software engineering is a fundamental activity in modern software development. However, while the field of security research has been advancing quite fast, in practice, there is still a vast knowledge gap between the security experts and the software development teams. After all, we cannot expect developers and other software practitioners to be security experts. Understanding how software development teams incorporate security in their processes and the challenges they face is a step towards reducing this gap. In this paper, we study how financial services companies ensure the security of their software systems. To that aim, we performed a qualitative study based on semi-structured interviews with 16 software practitioners from 11 different financial companies in three continents. Our results shed light on the security considerations that practitioners take during the different…
Taxonomy
Topics: Information and Cyber Security · Advanced Malware Detection Techniques · Software Engineering Research
