Risk

3/31/2010
02:33 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Survey Says: More Than Half of Software Companies Deploying Secure Coding Methods

Microsoft's Secure Development Lifecycle (SDL) one of the most popular tools among firms that practice secure coding, Errata Security report finds

First, the good news: around 57 percent of software firms practice some form of secure coding in the development of their products. But the bad news is that 43 percent are still not using formal secure development methods at all, according to a new report.

Errata Security surveyed professionals with software firms who were attending the RSA Conference and SecurityBSides earlier this month in San Francisco, as well as others online, to gather data on just how far along secure coding practices really are in software companies. Half of the 46 respondents said building secure products is always a concern at their firms, and 81 percent say they are aware of formal secure software development efforts such as Microsoft's SDL, BSIMM, SAMM, and CLASP.

Microsoft's SDL was the most popular tool for secure software development methods, with Microsoft SDL Agile at number two, with 35 percent of the respondents using Agile SDL, most of which were small development firms and several large companies in the survey. "The survey showed a big win for Microsoft's awareness program, but what I hope that Microsoft will learn from this is that small- to medium-sized software companies have different needs than the big guys. SDL-Agile is a good start, but now they need to re-evaluate the resource requirements with small company in mind," says Marisa Fagan, security project manager at Errata Security.

Fagan says among those companies not deploying a secure coding program, the main reason was a lack of resources. "No matter what the size of the company, participants said it was too time consuming, too expensive, and too draining on their resources," she says. "Another reason was that management had deemed it unnecessary...The survey showed that developers look to management to set the security agenda, and are generally not self-starters when it comes to including security in their code."

Chris Wysopal, CTO at Veracode, says the number of survey respondents not using formal secure coding methods doesn't seem low. "Many of these methodologies are fairly new and development organizations move slowly," he says. "Many development organizations don't have the process rigor or the resources to do anything more formal than use one tool or service as part of the development lifecycle."

Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group, said in a statement that Microsoft was encouraged by some of the survey results. "We are encouraged to see from the Errata Survey results that many companies are taking proactive security measures in their development processes and that the Microsoft SDL and SDL for Agile are being adopted to create more secure software," Lipner said.

Gary McGraw, CTO at Cigital and one of the creators of BSIMM, says BSIMM, a way to measure secure coding initiatives, is often confused with a secure coding methodology or tool: "BSIMM is a measuring stick," McGraw says. "Most organizations involved in BSIMM have their own methodologies." Microsoft, Adobe, and EMC, all BSIMM participants, use their own methods of secure development, for example, he says.

The Errata survey also found that static analysis is the most popular security testing process, with 57 percent of the companies saying they deploy it, followed closely by security code reviews (51 percent); and manual penetration testing (47 percent).

Veracode's Wysopal says the relatively high percentage of static-analysis users may have something to do with the "self-selecting group of leading edge security people attending RSA or Security B-Sides." He says most development teams he talks to don't use static analysis yet formally, but usage is on the rise.

The full report is available for download here (PDF).

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...