Risk

3/31/2010
02:33 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Survey Says: More Than Half of Software Companies Deploying Secure Coding Methods

Microsoft's Secure Development Lifecycle (SDL) one of the most popular tools among firms that practice secure coding, Errata Security report finds

First, the good news: around 57 percent of software firms practice some form of secure coding in the development of their products. But the bad news is that 43 percent are still not using formal secure development methods at all, according to a new report.

Errata Security surveyed professionals with software firms who were attending the RSA Conference and SecurityBSides earlier this month in San Francisco, as well as others online, to gather data on just how far along secure coding practices really are in software companies. Half of the 46 respondents said building secure products is always a concern at their firms, and 81 percent say they are aware of formal secure software development efforts such as Microsoft's SDL, BSIMM, SAMM, and CLASP.

Microsoft's SDL was the most popular tool for secure software development methods, with Microsoft SDL Agile at number two, with 35 percent of the respondents using Agile SDL, most of which were small development firms and several large companies in the survey. "The survey showed a big win for Microsoft's awareness program, but what I hope that Microsoft will learn from this is that small- to medium-sized software companies have different needs than the big guys. SDL-Agile is a good start, but now they need to re-evaluate the resource requirements with small company in mind," says Marisa Fagan, security project manager at Errata Security.

Fagan says among those companies not deploying a secure coding program, the main reason was a lack of resources. "No matter what the size of the company, participants said it was too time consuming, too expensive, and too draining on their resources," she says. "Another reason was that management had deemed it unnecessary...The survey showed that developers look to management to set the security agenda, and are generally not self-starters when it comes to including security in their code."

Chris Wysopal, CTO at Veracode, says the number of survey respondents not using formal secure coding methods doesn't seem low. "Many of these methodologies are fairly new and development organizations move slowly," he says. "Many development organizations don't have the process rigor or the resources to do anything more formal than use one tool or service as part of the development lifecycle."

Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group, said in a statement that Microsoft was encouraged by some of the survey results. "We are encouraged to see from the Errata Survey results that many companies are taking proactive security measures in their development processes and that the Microsoft SDL and SDL for Agile are being adopted to create more secure software," Lipner said.

Gary McGraw, CTO at Cigital and one of the creators of BSIMM, says BSIMM, a way to measure secure coding initiatives, is often confused with a secure coding methodology or tool: "BSIMM is a measuring stick," McGraw says. "Most organizations involved in BSIMM have their own methodologies." Microsoft, Adobe, and EMC, all BSIMM participants, use their own methods of secure development, for example, he says.

The Errata survey also found that static analysis is the most popular security testing process, with 57 percent of the companies saying they deploy it, followed closely by security code reviews (51 percent); and manual penetration testing (47 percent).

Veracode's Wysopal says the relatively high percentage of static-analysis users may have something to do with the "self-selecting group of leading edge security people attending RSA or Security B-Sides." He says most development teams he talks to don't use static analysis yet formally, but usage is on the rise.

The full report is available for download here (PDF).

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
How Well Is Your Organization Investing Its Cybersecurity Dollars?
Jack Jones, Chairman, FAIR Institute,  12/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: When Harry Met Sally
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7690
PUBLISHED: 2018-12-13
A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access
CVE-2018-7691
PUBLISHED: 2018-12-13
A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access
CVE-2018-8033
PUBLISHED: 2018-12-13
The OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitati...
CVE-2018-20127
PUBLISHED: 2018-12-13
An issue was discovered in zzzphp cms 1.5.8. del_file in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because (for example) "php" is blocked but path=F:/1.phP. succeeds.
CVE-2018-20128
PUBLISHED: 2018-12-13
An issue was discovered in UsualToolCMS v8.0. cmsadmin\a_sqlback.php allows remote attackers to delete arbitrary files via a backname[] directory-traversal pathname followed by a crafted substring.