February 24, 2026
NTT, Inc.
NTT DOCOMO BUSINESS, Inc.
News Highlights:
TOKYO — February 24, 2026 — NTT and NTT DOCOMO BUSINESS, in collaboration with Waseda University, conducted a study on GitHub Actions[2], a widely used CI/CD platform, to investigate the implementation status of officially recommended security measures and the factors hindering their adoption (hereinafter, the Study). By combining large-scale analysis of approximately 340,000 public repositories with a survey of more than 100 developers, the Study quantitatively revealed that the implementation rate of five major security measures in GitHub Actions remains low, with an average of 17.5% (ranging from 0.6% to 52.9%). The results also demonstrated that human factors, such as limited awareness of the measures, misunderstandings regarding their applicability, and concerns about operational burden, are key barriers to implementation (hereinafter, the Results). Based on these findings, the organizations will promote further strengthening of security across services developed and delivered using CI/CD, contributing to the provision of safer and more reliable services for customers.
In addition, the Results have been accepted for presentation at the Network and Distributed System Security Symposium 2026 (NDSS 2026)[3], one of the leading international conferences in the field of cybersecurity, to be held in San Diego, USA, in February 2026.
In recent years, CI/CD has become widely adopted to improve the efficiency of software development. CI/CD is a mechanism that automates various processes in the software development lifecycle, such as testing and release procedures. It contributes to faster development, reduction of human error, and improved quality stability. Today, many companies' developers use CI/CD as a fundamental technology in their daily development activities.[4]
Among these tools, GitHub Actions is a CI/CD service available on GitHub[5], one of the world's largest software development platforms. It is widely used across development environments, ranging from individual developers to large-scale enterprise projects.
However, because CI/CD environments automate software distribution and updates, operational issues such as improper management of authentication credentials or insufficient review of configuration changes can lead to serious security incidents affecting the entire software supply chain, including the introduction of malicious code. In 2020, a large-scale supply chain attack exploited a software update process, potentially affecting up to approximately 18,000 organizations, with confirmed compromises in government agencies and private companies.
In 2025, an incident was also reported in which a widely used automation program on GitHub Actions was maliciously modified, resulting in the leakage of authentication credentials used during development.
Although GitHub Actions provides recommended security measures and configurations to mitigate such risks, it had not been sufficiently clarified to what extent these measures are implemented in real-world development environments, nor what factors hinder their adoption.
Figure 1: Areas automated by CI/CD in the software development lifecycle
As part of the Study, a survey was conducted targeting public software repositories and developers using GitHub Actions (hereinafter, the Survey).
The Study has two key features:
The Survey revealed that five major security measures in GitHub Actions remain at a generally low implementation level, with an average adoption rate of 17.5% (ranging from 0.6% to 52.9%). In particular, measures that rely on dedicated tools or built-in features were found to be underutilized in practice.
The developer survey further identified the primary factors behind the lack of implementation, including insufficient awareness of the existence of the security measures and a perceived increase in operational burden. In addition, some respondents demonstrated misconceptions, such as the belief that these measures are "not relevant to their own development activities."
These findings indicate that providing guidelines alone is not sufficient to improve CI/CD security, and that technical support mechanisms and development frameworks that take into account developers' understanding and workload are essential. The results of this study can be leveraged to design more effective notifications for developers and to strengthen support mechanisms provided by platforms and integrated development environments (IDEs)[7], thereby contributing to concrete measures that enhance the effectiveness of security practices.
Figure 2: Implementation status of security measures in GitHub Actions[8]
Furthermore, the analysis results and implications for improvement were shared with GitHub. By providing such feedback as knowledge contributing to the overall security of the CI/CD ecosystem, the Study also contributed to platform-level security enhancements.
NTT will collaborate with NTT DOCOMO BUSINESS to expand these initiatives across the entire NTT Group, thereby promoting the advancement of a group-wide security foundation.
NTT DOCOMO BUSINESS will leverage the findings of this study to further strengthen security across all services developed and delivered using CI/CD. By embedding security measures into the development process, the company will enhance service development based on the principles of security by design[9]. In addition, it will consider applying the results of this study to future improvements of its own CI/CD platform, Qmonus Value Stream[10]. Through these efforts, the company aims to deliver highly reliable services that customers can use with confidence and security.
Yusuke Kubo, Fumihiro Kanei, Mitsuaki Akiyama, Takuro Wakai, Tatsuya Mori, "Action Required: A Mixed-Methods Study of Security Practices in GitHub Actions," NDSS 2026.
[1] Software Repository Analysis
Software repository analysis refers to the collection and analysis of development data and configuration files contained in publicly available software repositories on the internet in order to clarify development practices and the implementation status of security measures.
[2] GitHub Actions
GitHub Actions is a CI/CD (Continuous Integration and Continuous Delivery) service provided by GitHub. It enables automated execution of tasks such as software testing, building, release, and updates based on predefined workflows, and is widely used to improve development efficiency and reduce human error.
[3] Network and Distributed System Security Symposium (NDSS)
NDSS is recognized as one of the leading international conferences in the field of cybersecurity, alongside USENIX Security Symposium, IEEE Symposium on Security and Privacy, and ACM Conference on Computer and Communications Security. Only papers that pass rigorous peer review by experts are accepted.
[4] According to the State of CI/CD Report 2024: The Evolution of Software Delivery Performance published by the Continuous Delivery Foundation (CDF) and SlashData™, 83% of developers were engaged in DevOps-related activities as of Q1 2024, indicating the widespread adoption of development automation including CI/CD.
Source: Continuous Delivery Foundation / SlashData™, "State of CI/CD Report 2024: The Evolution of Software Delivery Performance", https://cd.foundation/state-of-cicd-2024/
[5] GitHub
GitHub is one of the world's largest software development platforms, providing services for managing, sharing, and collaboratively developing source code over the internet. It is widely used by developers and organizations worldwide.
[6] Repository Selection Criteria
On GitHub, users can mark repositories with a "star" to bookmark them for easier reference. In this study, repositories with 10 or more stars were selected. Repositories with very few stars were excluded, as they may include many inactive projects or personal experimental repositories that are not suitable for analysis.
[7] IDE (Integrated Development Environment)
An IDE is software that integrates essential development functions such as coding, editing, and testing into a single tool for developers. In recent years, IDEs have also incorporated features that assist in detecting coding errors and security issues during development.
[8] Security Measures in GitHub Actions
Security measures in GitHub Actions refer to representative countermeasures officially recommended by GitHub to reduce risks such as unauthorized modifications and information leakage in automated development and update processes. This study focused on the following five measures:
[9] Security by Design
Security by Design is an approach in which security measures are incorporated from the early stages of system and software design and development. Rather than adding countermeasures later, the goal is to create architectures that are less prone to vulnerabilities from the outset, ensuring continuous and efficient security.
[10] Qmonus Value Stream
Qmonus Value Stream is a CI/CD platform provided by NTT DOCOMO BUSINESS that manages and automates the entire process required to release applications into production, including build and testing. It supports verified cloud architectures and automated CI/CD pipelines, enabling developers to focus on business logic development and facilitating continuous value delivery.
NTT is a leading global technology innovator, providing a broad range of services to both consumers and businesses. As a mobile operator and provider of infrastructure, networks, and services, NTT is dedicated to promoting a sustainable future through cutting-edge innovations. Our portfolio includes business consulting, AI-powered solutions, application services, global networks, cybersecurity, data center and edge computing, all supported by our deep global industry expertise. Generating over $90 billion in revenue and employing 340,000 professionals, we allocate 30% of our annual profits to fundamental research and development. With operations spanning more than 70 countries and regions, our clients include over 75% of Fortune Global 100 companies, alongside thousands of enterprises, government organizations, and millions of consumers.
NTT Communications Corporation changed its name to NTT DOCOMO BUSINESS, Inc. on July 1, 2025. As an Industrial and Regional DX Platformer that drives digital transformation across industries and communities, we are enabling the development of a decentralized, autonomous, and collaborative society where businesses and communities can thrive sustainably. Our mission is to unlock new value and help create prosperity for all.
Media contacts
NTT, Inc.
NTT Service Innovation Laboratory Group
Public Relations
Inquiry Form
NTT DOCOMO BUSINESS, Inc.
Public Relations Office
ML: pr-cp@ntt.com