Factors influencing the effective integration of secure development practices in agile teams
Publisher
University of the Witwatersrand, Johannesburg
Abstract
The integration of secure development practices (SDPs) within agile teams is critical to mitigating security risks in the software development lifecycle (SDLC), particularly in industries such as South African financial services, where cybersecurity threats are prevalent and ever-evolving. This qualitative study explored the factors influencing the effective integration of SDPs, focusing on organisational structure and culture, leadership commitment and support, and tools and technology. Using the Technology-Organisation-Environment (TOE) framework and validated by the OWASP Software Assurance Maturity Model (SAMM), this study established a conceptual framework that comprehensively analysed and assessed the integration of SDPs. Semi-structured interviews were conducted with a diverse range of IT professionals working in agile teams. These individuals, including software engineers, quality assurance (QA) engineers, architects, product owners, project managers, and IT managers, play a role in delivering working software. The research identified key themes through thematic data analysis: the need for a security-conscious organisational culture, proactive leadership support and commitment, and effective deployment of security tools integrated within CI/CD pipelines. The TOE framework provided a holistic lens for understanding how technological, organisational, and environmental factors collectively influence the effective integration of SDPs. At the same time, OWASP SAMM offered a structured approach to measure and validate the maturity of these practices across the Governance, Design, Implementation, Verification, and Operations pillars. While organisations emphasised cybersecurity, inconsistencies in training, communication gaps, and prioritisation of feature delivery over security often hinder SDP integration. Proactive leadership that allocates resources and fosters collaboration and continuous learning positively impacts outcomes. 
Similarly, when effectively integrated, modern security tools enhance agility and security but face challenges such as legacy system compatibility and the risks of overreliance. This study contributes to the theoretical and practical body of knowledge on secure software development by using the TOE framework and aligning practical recommendations with OWASP SAMM.
Description
A research report submitted in fulfillment of the requirements for the Master of Management in the field of Digital Business, in the Faculty of Commerce, Law and Management, Wits Business School, University of the Witwatersrand, Johannesburg, 2025
Citation
Manikam, Kaylieh. (2025). Factors influencing the effective integration of secure development practices in agile teams [PhD thesis, University of the Witwatersrand, Johannesburg]. WIReDSpace. https://hdl.handle.net/10539/47962