Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/31/2010
02:33 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Survey Says: More Than Half of Software Companies Deploying Secure Coding Methods

Microsoft's Secure Development Lifecycle (SDL) one of the most popular tools among firms that practice secure coding, Errata Security report finds

First, the good news: around 57 percent of software firms practice some form of secure coding in the development of their products. But the bad news is that 43 percent are still not using formal secure development methods at all, according to a new report.

Errata Security surveyed professionals with software firms who were attending the RSA Conference and SecurityBSides earlier this month in San Francisco, as well as others online, to gather data on just how far along secure coding practices really are in software companies. Half of the 46 respondents said building secure products is always a concern at their firms, and 81 percent say they are aware of formal secure software development efforts such as Microsoft's SDL, BSIMM, SAMM, and CLASP.

Microsoft's SDL was the most popular tool for secure software development methods, with Microsoft SDL Agile at number two, with 35 percent of the respondents using Agile SDL, most of which were small development firms and several large companies in the survey. "The survey showed a big win for Microsoft's awareness program, but what I hope that Microsoft will learn from this is that small- to medium-sized software companies have different needs than the big guys. SDL-Agile is a good start, but now they need to re-evaluate the resource requirements with small company in mind," says Marisa Fagan, security project manager at Errata Security.

Fagan says among those companies not deploying a secure coding program, the main reason was a lack of resources. "No matter what the size of the company, participants said it was too time consuming, too expensive, and too draining on their resources," she says. "Another reason was that management had deemed it unnecessary...The survey showed that developers look to management to set the security agenda, and are generally not self-starters when it comes to including security in their code."

Chris Wysopal, CTO at Veracode, says the number of survey respondents not using formal secure coding methods doesn't seem low. "Many of these methodologies are fairly new and development organizations move slowly," he says. "Many development organizations don't have the process rigor or the resources to do anything more formal than use one tool or service as part of the development lifecycle."

Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group, said in a statement that Microsoft was encouraged by some of the survey results. "We are encouraged to see from the Errata Survey results that many companies are taking proactive security measures in their development processes and that the Microsoft SDL and SDL for Agile are being adopted to create more secure software," Lipner said.

Gary McGraw, CTO at Cigital and one of the creators of BSIMM, says BSIMM, a way to measure secure coding initiatives, is often confused with a secure coding methodology or tool: "BSIMM is a measuring stick," McGraw says. "Most organizations involved in BSIMM have their own methodologies." Microsoft, Adobe, and EMC, all BSIMM participants, use their own methods of secure development, for example, he says.

The Errata survey also found that static analysis is the most popular security testing process, with 57 percent of the companies saying they deploy it, followed closely by security code reviews (51 percent); and manual penetration testing (47 percent).

Veracode's Wysopal says the relatively high percentage of static-analysis users may have something to do with the "self-selecting group of leading edge security people attending RSA or Security B-Sides." He says most development teams he talks to don't use static analysis yet formally, but usage is on the rise.

The full report is available for download here (PDF).

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1619
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session ...
CVE-2019-1620
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could ex...
CVE-2019-1621
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacker...
CVE-2019-1622
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software...
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.