Risk

3/31/2010
02:33 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Survey Says: More Than Half of Software Companies Deploying Secure Coding Methods

Microsoft's Secure Development Lifecycle (SDL) one of the most popular tools among firms that practice secure coding, Errata Security report finds

First, the good news: around 57 percent of software firms practice some form of secure coding in the development of their products. But the bad news is that 43 percent are still not using formal secure development methods at all, according to a new report.

Errata Security surveyed professionals with software firms who were attending the RSA Conference and SecurityBSides earlier this month in San Francisco, as well as others online, to gather data on just how far along secure coding practices really are in software companies. Half of the 46 respondents said building secure products is always a concern at their firms, and 81 percent say they are aware of formal secure software development efforts such as Microsoft's SDL, BSIMM, SAMM, and CLASP.

Microsoft's SDL was the most popular tool for secure software development methods, with Microsoft SDL Agile at number two, with 35 percent of the respondents using Agile SDL, most of which were small development firms and several large companies in the survey. "The survey showed a big win for Microsoft's awareness program, but what I hope that Microsoft will learn from this is that small- to medium-sized software companies have different needs than the big guys. SDL-Agile is a good start, but now they need to re-evaluate the resource requirements with small company in mind," says Marisa Fagan, security project manager at Errata Security.

Fagan says among those companies not deploying a secure coding program, the main reason was a lack of resources. "No matter what the size of the company, participants said it was too time consuming, too expensive, and too draining on their resources," she says. "Another reason was that management had deemed it unnecessary...The survey showed that developers look to management to set the security agenda, and are generally not self-starters when it comes to including security in their code."

Chris Wysopal, CTO at Veracode, says the number of survey respondents not using formal secure coding methods doesn't seem low. "Many of these methodologies are fairly new and development organizations move slowly," he says. "Many development organizations don't have the process rigor or the resources to do anything more formal than use one tool or service as part of the development lifecycle."

Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group, said in a statement that Microsoft was encouraged by some of the survey results. "We are encouraged to see from the Errata Survey results that many companies are taking proactive security measures in their development processes and that the Microsoft SDL and SDL for Agile are being adopted to create more secure software," Lipner said.

Gary McGraw, CTO at Cigital and one of the creators of BSIMM, says BSIMM, a way to measure secure coding initiatives, is often confused with a secure coding methodology or tool: "BSIMM is a measuring stick," McGraw says. "Most organizations involved in BSIMM have their own methodologies." Microsoft, Adobe, and EMC, all BSIMM participants, use their own methods of secure development, for example, he says.

The Errata survey also found that static analysis is the most popular security testing process, with 57 percent of the companies saying they deploy it, followed closely by security code reviews (51 percent); and manual penetration testing (47 percent).

Veracode's Wysopal says the relatively high percentage of static-analysis users may have something to do with the "self-selecting group of leading edge security people attending RSA or Security B-Sides." He says most development teams he talks to don't use static analysis yet formally, but usage is on the rise.

The full report is available for download here (PDF).

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.