Towards Understanding and Improving Software Professionals' Security and Privacy Practices
Thesis
Egelman, Serge; Wagner, David; Alomar, Noura Nassir
2025-01-16; 2024-12-20
https://hdl.handle.net/20.500.14154/74661
242 pages; en-US
Keywords: computer security; computer privacy; software engineering; privacy law; security vulnerability; software developer

Organizations operating in various industries are continuously experiencing the negative consequences of not sufficiently addressing security and privacy issues in their software development processes. Exploitation of such issues is increasingly leading to breaches of sensitive user data and exposing organizations to legal liabilities. Depending on organizations' sizes and the maturity levels of their development processes, effective handling of these issues might fall under the responsibilities of technical and managerial roles that have different specializations. Throughout the process of developing or maintaining software, the practices adopted by these roles can introduce preventable security and privacy issues that have serious implications for their organizations. Despite the prevalence of these issues, we have yet to obtain a sufficient understanding of why they persist, and of how the characteristics of organizational software development or maintenance processes influence the privacy or security practices adopted by the software professionals who contribute to these processes. This dissertation presents the results of a series of holistic, process-oriented investigations of the factors that hinder timely detection and remediation of security and privacy issues by organizations. We start by qualitatively examining how process-related factors and interactions with managerial roles shaped the engineering practices of software developers and testers tasked with handling these issues in organizations operating in the United States and several other countries.

We then present the results of in-depth longitudinal measurements of the prevalence of privacy and security issues in thousands of Android apps that were published on the Google Play Store and that potentially put their developers in violation of applicable privacy regulations. To obtain insights into why these issues existed in the tested apps, we supplement the results of our technical measurements with qualitative data collected through semi-structured interviews and surveys targeted at professionals who were involved in developing the same apps. Our results identify a range of non-technical factors that hindered informed decision-making on how security and privacy issues should be handled, including the lack of organizational processes that facilitated information sharing between the various roles whose effective cooperation was needed (e.g., software developers and security engineers). However, the results of our technical and qualitative investigations consistently identified enforcement of regulatory and industry compliance requirements as one of the main factors driving organizations' efforts to detect or remediate security or privacy issues. Notably, our large-scale longitudinal measurements of the behaviors of Android apps provide evidence of overall improvement in organizational security and privacy practices, which likely resulted from Google Play's ongoing enforcement of privacy compliance requirements over the past few years (2018 to 2023). However, we also show that the use of third-party code is introducing complexities into software development processes and continuing to lead software developers to introduce privacy issues (e.g., exfiltration of personal data).

The discussions we had with developers of these apps showed that most of them lacked awareness of the behaviors of their own apps, did not have a sufficient understanding of their privacy compliance obligations, and did not follow systematic approaches to vetting third-party Software Development Kits (SDKs) for inclusion in their apps. These challenges call for reducing the burden of privacy compliance on software developers by providing them with usable guidance that can help them address security and privacy issues early in their software development processes. We hope that this dissertation will inform regulatory debates about the challenges that hinder effective handling of security or privacy issues in practice, and about the types of interventions that can be incorporated into software development processes to guide software professionals in addressing these issues in a timely fashion.