In recent years, the number of cyber attacks has grown rapidly. An effective way to reduce the attack surface and protect software is the adoption of methodologies that apply security at each step of the software development lifecycle. While different methodologies have been proposed to address software security, recent research shows an increase in the number of vulnerabilities in software and data breaches. Therefore, the security practices incorporated in secure software development methodologies require investigation. This paper provides an overview of the security practices involved in 28 secure software development methodologies from industry, government, and academia. To achieve this goal, we distributed the security practices among the software development lifecycle stages. We also investigated auxiliary (non-technical) practices, such as organizational, behavioral, legal, policy, and governance aspects, that are incorporated in the secure software development methodologies. Furthermore, we explored the methods used to provide evidence of the effectiveness of the methodologies. Finally, we present the gaps that require attention in the scientific community. The results of our survey may assist researchers and organizations in better understanding the existing security practices integrated into secure software development methodologies. In addition, our bridge between the "technical" and "non-technical" worlds may be useful for non-technical specialists who investigate software security. Moreover, exploring the gaps that we found in current research may help improve security in software development and produce software with fewer vulnerabilities.