Study: Majority of U.S. Developers Use No Secure Coding Processes

About one-fifth use Microsoft's Security Development Lifecycle (SDL) processes to help secure code.

More than 40 percent of software developers globally say that security isn't a top priority for them, and a similar percentage don't use a secure application program process, according to a new study.

The survey was conducted by comScore for Microsoft last year. comScore surveyed 4,500 consumers, IT professionals, and developers in Brazil, Canada, China, Germany, India, Japan, Russia, the United Kingdom and the United States. Microsoft highlighted the results of the study on its security blog.

On the development side, only about 62 percent "always" take security into account when developing or contracting for software applications. Thirty-one percent "usually" do, and 7 percent "never" do, the survey found.

The countries in which security is most heavily emphasized are India (79 percent) and Brazil (77 percent). After that, the figures drop significantly, with Canada coming in third at 61 percent and the U.K. and Germany next at 58 percent. In the United States, just 55 percent of developers consider security a "top priority". The only surveyed countries that came in at fewer than 50 percent were China, at 47 percent, and Japan, at a scary 33 percent.

Microsoft's secure coding process is called Security Development Lifecycle (SDL), and is one of the best-known resources in the industry. In the United States, however, the SDL isn't a part of most developers' regular practices, according to the survey. A scant 21 percent of U.S.-based developers said they use it, compared with 66 percent in China, 58 percent in India, 40 percent in Russia, 55 percent in Canada and 60 percent in Brazil. Overall, 47 percent of developers globally use SDL.

Comparatively, a staggering 76 percent of U.S. developers use no secure application program process (a small percentage use processes other than SDL, like OpenSAMM and Homeland Security Build Security In.) The only country with a higher percentage was Japan, which ended up at the very end of nearly every category, at 80 percent.

Why are the numbers for United States developers so bad? The primary reasons given to comScore were cost (21 percent), lack of support and training (26 percent) and, perhaps most worrisome, a lack of discussion of the topic (46 percent).

Tim Rains, Microsoft's director of Trustworthy Computing, pointed out in a blog post about the survey results that the benefits of secure coding practices go beyond better code: "writing secure code also  leads to real cost savings." He mentioned Aberdeen Group and Forrester studies confirming that companies that adopt secure development strategies gain significant return on investment (ROI).

Microsoft's SDL site includes a number of free tools, including an SDL Process Template for companies with more traditional development processes, and a MSF-Agile + SDL Process Template for Visual Studio Team System, for companies that have adopted Agile methodologies. The SDL is a 16-step plan that starts with core security training.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.

comments powered by Disqus


  • AI for GitHub Collaboration? Maybe Not So Much

    No doubt GitHub Copilot has been a boon for developers, but AI might not be the best tool for collaboration, according to developers weighing in on a recent social media post from the GitHub team.

  • Visual Studio 2022 Getting VS Code 'Command Palette' Equivalent

    As any Visual Studio Code user knows, the editor's command palette is a powerful tool for getting things done quickly, without having to navigate through menus and dialogs. Now, we learn how an equivalent is coming for Microsoft's flagship Visual Studio IDE, invoked by the same familiar Ctrl+Shift+P keyboard shortcut.

  • .NET 9 Preview 3: 'I've Been Waiting 9 Years for This API!'

    Microsoft's third preview of .NET 9 sees a lot of minor tweaks and fixes with no earth-shaking new functionality, but little things can be important to individual developers.

  • Data Anomaly Detection Using a Neural Autoencoder with C#

    Dr. James McCaffrey of Microsoft Research tackles the process of examining a set of source data to find data items that are different in some way from the majority of the source items.

  • What's New for Python, Java in Visual Studio Code

    Microsoft announced March 2024 updates to its Python and Java extensions for Visual Studio Code, the open source-based, cross-platform code editor that has repeatedly been named the No. 1 tool in major development surveys.

Subscribe on YouTube