
Portofoliu EP

1) The document summarizes a study on security and privacy practices of Turkish software startups. Interviews found that 16 developers lacked education on these topics from school and work. 2) Developers defined usability as easy-to-use apps but did not connect it to security or privacy. Half had dedicated teams for usability while others tested themselves. 3) On security, views varied from not needing it early on to a human responsibility. On privacy, half associated it with access while others considered third parties or user perspectives.

Uploaded by

Alexandra Anton

“We are a startup to the core”: A qualitative interview study on the security and privacy development practices in Turkish software startups [1]

Alexandra Anton
Facultatea de Automatica si Calculatoare
Universitatea Nationala de Stiinta si Tehnologie Politehnica Bucuresti

Abstract— The article addresses the issue of security and privacy in the development of software startups, especially those in Turkey, where the number of people working in IT is increasing significantly. Thus, this study was done on 16 developers in Turkey, and it was found that the problems are rooted in the lack of education about security and privacy since the school years, where teachers do not emphasize this side of IT, but it is also neglected both at the micro level by developers and at the macro level by companies.

Keywords — usability, security, privacy

Introduction

Given that research into developers' use of security and privacy has been conducted mostly on small and mid-size companies in the West, this article continues the study of Turkey, a non-WEIRD country, which has access to Europe, Asia and the Middle East, by interviewing 16 Turkish developers. It is also important to note the growth that Turkey is experiencing in IT: according to GitHub reports, it is in the top 10 countries with the highest growth in software developers.

I. METHODOLOGY

A study was conducted on 16 Turkish developers, 25% of them women and 75% men, with an average age of 28.4 years, with and without higher education, all working in IT. They were recruited through social media applications, and with their consent, they completed a survey and then attended a meeting in Turkish or English (only one opted for English) to elaborate on the ideas and opinions in the survey.

II. RESULTS

In order to be able to analyze security, usability and privacy in detail, one must first observe the development process that companies have. Thus, from the survey, it emerged that most of them have a systematic, detailed development process using Agile methodology, and decisions are taken jointly. However, there was a significant part of the responses where the decisions were made only by the development team and had only a few weekly meetings, and there were even 2 people who had no defined process at all. In terms of testing, most of them were testing their own functionality, and only a quarter of all survey participants mentioned security, but put a lot of emphasis on it. Also, 6 out of 16 do not have any kind of code review process, with the excuse that they don't have time for it. Regarding third-party integration, only 12.5% take security into account when integrating a third-party library; the remaining 87.5% focus on the solutions, documentation and portability that such libraries offer.

To get a better idea of how Turkish developers view the concepts of usability, security and privacy, they were asked how they define these concepts and how they apply them in their companies.

A. USABILITY

When asked to define usability, most participants revolved around the idea of an app that was easy to use, required few clicks, moved quickly and had all the functionality it was intended for. However, at the implementation level, nobody made the connection between usability, security and privacy. 50% of the participants said that they have a team of front-end developers and designers who deal with usability, and the remaining 50% said that during the implementation process they put themselves in the user's shoes to see how they would prefer the application to be, mentioned that it should be modular or that they take user feedback.

B. SECURITY

From a security point of view, it was observed that participants link security to privacy because of data protection and data leaks. It is worth noting the view of one participant that security is not a necessity, especially in the early stages of a startup, functionality being more of a priority, while another participant sees it as a strictly human responsibility.

C. PRIVACY

50% of Turkish developers associate privacy with unauthorized access, thus preventing unpleasant situations through secure data storage. The other 50% take privacy into account either when integrating third-party systems or by putting themselves in a user's shoes and thinking about how disclosing certain details would affect them.

III. PROBLEMS AND RISKS

This study also addressed the problems and risks that can arise from ignoring the three concepts discussed, and the participants concluded that usability is designed based on user feedback, or is not an issue. Neglecting security can bring with it malicious attacks and the collection of private data, which can be avoided by companies and users taking responsibility and using third-party libraries. Finally, privacy, closely linked to security, can be improved by data minimization or solution design. However, when it comes to who holds responsibility for these security and privacy vulnerabilities, a quarter of participants said users, with the rest split between developers/testers, the company and the CTO.

IV. STEPS TO MITIGATE THE RISKS

Finally, participants were asked to suggest steps to solve these problems created by lack of security and confidentiality. Thus, the suggestions were both for developers, to take these issues into account during product development and to keep learning continuously in this area of security, and for companies, which should invest more funds in buying licensed products and in hiring or training a team specifically dedicated to security testing.

V. DISCUSSION

Based on the study, five possible recommendations for improving the problems emerged: companies should invest more resources in security and privacy, developers should improve and take these issues into account, researchers should do more research in these areas to draw attention to these problems, teachers should put more emphasis on these areas and laws should be stricter in this direction.

VI. CONCLUSION

In conclusion, it can be stated that in Turkey in the IT field not enough attention is paid to security and privacy, starting from the educational environment to the actual implementation of services and products, which is obviously a wrong and negligent approach that needs to be remedied.

VII. RELATED WORK

To better understand Turkish developers' concepts of security and privacy, we need to consider several external aspects such as:

A. BACKGROUND ON TURKEY

In Turkey, a non-WEIRD country, the archetypal concept of the housewife, mother, wife and not necessarily career woman is still present. Thus, women are pushed more towards jobs such as teachers, nurses, or, in IT, analysts instead of developers. A study of 12 women in Turkey [2] found that the percentage of women is increasing and, surprisingly, in some compounds the percentage of testers is 50-50 female-male. However, sexist thinking dominates there and because of this, areas where communicative and organized people are sought after are dominated by women, to the detriment of technical areas, considered more 'robust' and requiring more thinking, where men are favored. Thus, it is much harder for a woman to reach higher positions in society, and sexual equality there is still not enforced, which is a hindrance to the development of the people in this field and shrinks the workforce.

B. SECURITY AND PRIVACY RESEARCH WITH DEVELOPERS

From another research [3] conducted on developers in Turkey, it emerged that the practices that are applied in companies and those that should be applied in theory differ substantially, due to the organization of tasks in the team, the education of developers, external pressures and experience. Some survey participants admitted that they have even found it difficult to consciously deliver applications with vulnerabilities, being constrained by time, showing that they are aware of the security measures that need to be implemented, but do not take them into account. Also, most of the blame when a problem of overwriting arises is given directly to the developers, which is not always correct because even companies do not attach the necessary importance to security, and in order to improve this aspect it is recommended to implement automated testing and programming processes.

C. RESEARCH ON DEVELOPERS IN STARTUPS

An analysis of startups, which represent a large percentage of the world's services and products for all types of companies, from small to large, showed a lack of attention to security. Startups, due to customer pressure and lack of time, prefer speed of delivery and application functionality over application security, documentation and testing. Thus, software buyers should understand the need to allocate time and resources to qualitative rather than quantitative development, since the average delivery time for a minimum viable product is one month, which does not allow time to even follow a lightweight Agile methodology. [4]

D. DEVELOPER RESEARCH IN TURKEY

Engineers in Turkey, they found the following four habits that software producers in the Turkish industry have: the most used methodology is a rather outdated one, Waterfall, and they have negative ideas about Agile; the remaining 50% is split between Lean and Agile. From the point of view of the effort spent during the development of an application, the requirements definition phase is considered the most difficult and the development phase represents the most, i.e. 31% of the total time, the rest of the phases having similar percentages, approximately equal to 12%, from which we can notice the low importance they give to testing; and the measurability of the code is achieved either not at all in half of the cases, or by counting lines of code. [5]

E. REGULATIONS BY ORGANIZATIONS

As far as privacy and GDPR compliance in software development is concerned, the major reasons why developers don't take it into account are a lack of technique or that they are not familiar with GDPR, or any other form of data laws. In order to increase the privacy that applications don't have, the GDPR should be universal and provide implementation techniques that developers can consider. Of course, developers should also be more willing to learn and apply these rules, to improve themselves and the products they develop. [6]

REFERENCES

[1] Dilara Kekulluoglu and Yasemin Acar. “We are a startup to the core”: A qualitative interview study on the security and privacy development practices in Turkish software startups.
[2] Başak Bozkurt and Aylin Akpınar. Bilişim sektöründe toplumsal cinsiyete dayalı iş bölümü. Marmara Üniversitesi Kadın ve Toplumsal Cinsiyet Araştırmaları Dergisi, 1(2):17–28, 2017.
[3] Hala Assal and Sonia Chiasson. ‘Think secure from the beginning’: a survey with software developers. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, pages 1–13, 2019.
[4] Renata Souza, Karla Malta, and Eduardo Santana De Almeida. Software engineering in startups: a single embedded case study. In 2017 IEEE/ACM 1st International Workshop on Software Engineering for Startups (SoftStart), pages 17–23. IEEE, 2017.
[5] Vahid Garousi, Ahmet Coşkunçay, Aysu Betin-Can, and Onur Demirörs. A survey of software engineering practices in Turkey. Journal of Systems and Software, 108:148–177, 2015.
[6] Abdulrahman Alhazmi and Nalin Asanka Gamagedara Arachchilage. Why are developers struggling to put GDPR into practice when developing Privacy-Preserving software systems? USENIX Association, August 2020.
