Considering software security during the application development process is one of the most effective approaches to mitigating malicious attacks, and for many organizations it is a priority. While a majority of developers worldwide place a strong emphasis on security during development, nearly half lack a formal application security process, according to a recent comScore study for Microsoft.
The second part of Microsoft’s “Trust in Computing” survey of IT professionals in nine countries found that 44 percent of developers do not currently use a secure development process. Additionally, 42 percent do not rate software security as their top priority in development. In general, programmers are aware of threats, with 62 percent saying they always consider security when building or buying software applications, and just 7 percent saying this is rarely or never the case. According to Microsoft, however, more should be done to secure applications.
“Attackers are constantly seeking out new ways to compromise potential victims on a broad or targeted scale,” Tim Rains, director of Microsoft’s Trustworthy Computing, wrote in a recent blog post introducing the study. “They attempt to exploit unpatched vulnerabilities, use deceitful tactics to trick users into installing malicious software, attempt to guess weak passwords, and other dirty tricks. Despite this reality, a concerningly large number of organizations are still not developing applications with security in mind.”
The global breakdown
For 97 percent of global developers, security is at least considered during development, but it is only the top priority for 58 percent, according to the study. These rates vary substantially by country, however. In Japan, just 33 percent of developers named security as a top priority, while nearly 80 percent considered it a top priority in both Brazil and India. In the United States, the rate was 55 percent, with 8 percent saying security is not a decision criterion at all.
In the United States, 72 percent of developers said they considered security threats during development, putting the country 10 percentage points above the global average. However, just 24 percent of those in the U.S. reported using a secure application program or process such as Microsoft’s Secure Development Lifecycle, the Department of Homeland Security’s Build Security In, OpenSAMM or BSIMM.
The most commonly cited reasons for not using such processes globally are cost (34 percent of respondents) and lack of support (33 percent), followed by the fact that doing so has not been discussed (27 percent) and a lack of management approval (24 percent). In the U.S., however, a lack of discussion was the most common impediment, cited by 46 percent of respondents. Rains urged against such dismissiveness in his blog post, suggesting that the benefits of implementing a secure development program are extensive.
“Security isn’t the only benefit that comes out of implementing an SDL process, as writing secure code also leads to real cost savings,” he wrote, highlighting an Aberdeen Group study which found that companies that secured their applications during development reported a fourfold return on investment.
Given the value of implementing a secure development process and the widespread appreciation among programmers for security, organizations have a strong incentive to close the adoption gap surrounding such programs. With practices such as peer code review and the use of static analysis software, organizations can formalize the security checks they have in place during the application building process.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.