"We are a startup to the core": A qualitative interview study on the security and privacy development practices in Turkish software startups

TL;DR

This study explores security and privacy practices in Turkish software startups, revealing low prioritization due to lack of awareness and resources, and highlights the positive influence of regulations.

Contribution

It provides qualitative insights into security and privacy practices in Turkish startups, an understudied population, and offers tailored recommendations for improving these practices globally.

Findings

Developers rarely prioritize security and privacy.

Lack of awareness, skills, and resources hinder security efforts.

Regulations positively impact security and privacy.

Abstract

Security and privacy are often neglected in software development, and rarely a priority for developers. This insight is commonly based on research conducted by researchers and on developer populations living and working in the United States, Europe, and the United Kingdom. However, the production of software is global, and crucial populations in important technology hubs are not adequately studied. The software startup scene in Turkey is impactful, and comprehension, knowledge, and mitigations related to software security and privacy remain understudied. To close this research gap, we conducted a semi-structured interview study with 16 developers working in Turkish software startups. The goal of the interview study was to analyze if and how developers ensure that their software is secure and preserves user privacy. Our main finding is that developers rarely prioritize security and privacy, due to a lack of awareness, skills, and resources. We find that regulations can make a positive impact on security and privacy. Based on the study, we issue recommendations for industry, individual developers, research, educators, and regulators. Our recommendations can inform a more globalized approach to security and privacy in software development.