theDocumentId => 1133319 Survey Says: More Than Half of Software Companies ...

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/31/2010
02:33 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Survey Says: More Than Half of Software Companies Deploying Secure Coding Methods

Microsoft's Secure Development Lifecycle (SDL) one of the most popular tools among firms that practice secure coding, Errata Security report finds

First, the good news: around 57 percent of software firms practice some form of secure coding in the development of their products. But the bad news is that 43 percent are still not using formal secure development methods at all, according to a new report.

Errata Security surveyed professionals with software firms who were attending the RSA Conference and SecurityBSides earlier this month in San Francisco, as well as others online, to gather data on just how far along secure coding practices really are in software companies. Half of the 46 respondents said building secure products is always a concern at their firms, and 81 percent say they are aware of formal secure software development efforts such as Microsoft's SDL, BSIMM, SAMM, and CLASP.

Microsoft's SDL was the most popular tool for secure software development methods, with Microsoft SDL Agile at number two, with 35 percent of the respondents using Agile SDL, most of which were small development firms and several large companies in the survey. "The survey showed a big win for Microsoft's awareness program, but what I hope that Microsoft will learn from this is that small- to medium-sized software companies have different needs than the big guys. SDL-Agile is a good start, but now they need to re-evaluate the resource requirements with small company in mind," says Marisa Fagan, security project manager at Errata Security.

Fagan says among those companies not deploying a secure coding program, the main reason was a lack of resources. "No matter what the size of the company, participants said it was too time consuming, too expensive, and too draining on their resources," she says. "Another reason was that management had deemed it unnecessary...The survey showed that developers look to management to set the security agenda, and are generally not self-starters when it comes to including security in their code."

Chris Wysopal, CTO at Veracode, says the number of survey respondents not using formal secure coding methods doesn't seem low. "Many of these methodologies are fairly new and development organizations move slowly," he says. "Many development organizations don't have the process rigor or the resources to do anything more formal than use one tool or service as part of the development lifecycle."

Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group, said in a statement that Microsoft was encouraged by some of the survey results. "We are encouraged to see from the Errata Survey results that many companies are taking proactive security measures in their development processes and that the Microsoft SDL and SDL for Agile are being adopted to create more secure software," Lipner said.

Gary McGraw, CTO at Cigital and one of the creators of BSIMM, says BSIMM, a way to measure secure coding initiatives, is often confused with a secure coding methodology or tool: "BSIMM is a measuring stick," McGraw says. "Most organizations involved in BSIMM have their own methodologies." Microsoft, Adobe, and EMC, all BSIMM participants, use their own methods of secure development, for example, he says.

The Errata survey also found that static analysis is the most popular security testing process, with 57 percent of the companies saying they deploy it, followed closely by security code reviews (51 percent); and manual penetration testing (47 percent).

Veracode's Wysopal says the relatively high percentage of static-analysis users may have something to do with the "self-selecting group of leading edge security people attending RSA or Security B-Sides." He says most development teams he talks to don't use static analysis yet formally, but usage is on the rise.

The full report is available for download here (PDF).

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-37436
PUBLISHED: 2021-07-24
Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing pers...
CVE-2021-32686
PUBLISHED: 2021-07-23
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and ...
CVE-2021-32783
PUBLISHED: 2021-07-23
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy rem...
CVE-2021-3169
PUBLISHED: 2021-07-23
An issue in Jumpserver 2.6.2 and below allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.
CVE-2020-20741
PUBLISHED: 2021-07-23
Incorrect Access Control in Beckhoff Automation GmbH & Co. KG CX9020 with firmware version CX9020_CB3011_WEC7_HPS_v602_TC31_B4016.6 allows remote attackers to bypass authentication via the "CE Remote Display Tool" as it does not close the incoming connection on the Windows CE side if t...