Study: Majority of U.S. Developers Use No Secure Coding Processes -- Visual Studio Magazine

Study: Majority of U.S. Developers Use No Secure Coding Processes

About one-fifth use Microsoft's Security Development Lifecycle (SDL) processes to help secure code.

By Keith Ward
07/16/2013

More than 40 percent of software developers globally say that security isn't a top priority for them, and a similar percentage don't use a secure application program process, according to a new study.

The survey was conducted by comScore for Microsoft last year. comScore surveyed 4,500 consumers, IT professionals, and developers in Brazil, Canada, China, Germany, India, Japan, Russia, the United Kingdom and the United States. Microsoft highlighted the results of the study on its security blog.

On the development side, only about 62 percent "always" take security into account when developing or contracting for software applications. Thirty-one percent "usually" do, and 7 percent "never" do, the survey found.

The countries in which security is most heavily emphasized are India (79 percent) and Brazil (77 percent). After that, the figures drop significantly, with Canada coming in third at 61 percent and the U.K. and Germany next at 58 percent. In the United States, just 55 percent of developers consider security a "top priority". The only surveyed countries that came in at fewer than 50 percent were China, at 47 percent, and Japan, at a scary 33 percent.

Microsoft's secure coding process is called Security Development Lifecycle (SDL), and is one of the best-known resources in the industry. In the United States, however, the SDL isn't a part of most developers' regular practices, according to the survey. A scant 21 percent of U.S.-based developers said they use it, compared with 66 percent in China, 58 percent in India, 40 percent in Russia, 55 percent in Canada and 60 percent in Brazil. Overall, 47 percent of developers globally use SDL.

Comparatively, a staggering 76 percent of U.S. developers use no secure application program process (a small percentage use processes other than SDL, like OpenSAMM and Homeland Security Build Security In.) The only country with a higher percentage was Japan, which ended up at the very end of nearly every category, at 80 percent.

Why are the numbers for United States developers so bad? The primary reasons given to comScore were cost (21 percent), lack of support and training (26 percent) and, perhaps most worrisome, a lack of discussion of the topic (46 percent).

Tim Rains, Microsoft's director of Trustworthy Computing, pointed out in a blog post about the survey results that the benefits of secure coding practices go beyond better code: "writing secure code also leads to real cost savings." He mentioned Aberdeen Group and Forrester studies confirming that companies that adopt secure development strategies gain significant return on investment (ROI).

Microsoft's SDL site includes a number of free tools, including an SDL Process Template for companies with more traditional development processes, and a MSF-Agile + SDL Process Template for Visual Studio Team System, for companies that have adopted Agile methodologies. The SDL is a 16-step plan that starts with core security training.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.

Printable Format

comments powered by Disqus

Featured

Visual Studio 2022 Getting VS Code 'Command Palette' Equivalent

As any Visual Studio Code user knows, the editor's command palette is a powerful tool for getting things done quickly, without having to navigate through menus and dialogs. Now, we learn how an equivalent is coming for Microsoft's flagship Visual Studio IDE, invoked by the same familiar Ctrl+Shift+P keyboard shortcut.
.NET 9 Preview 3: 'I've Been Waiting 9 Years for This API!'

Microsoft's third preview of .NET 9 sees a lot of minor tweaks and fixes with no earth-shaking new functionality, but little things can be important to individual developers.
Data Anomaly Detection Using a Neural Autoencoder with C#

Dr. James McCaffrey of Microsoft Research tackles the process of examining a set of source data to find data items that are different in some way from the majority of the source items.
What's New for Python, Java in Visual Studio Code

Microsoft announced March 2024 updates to its Python and Java extensions for Visual Studio Code, the open source-based, cross-platform code editor that has repeatedly been named the No. 1 tool in major development surveys.
Microsoft Build 2024 Sessions Listed: Copilots, Copilots & More Copilots

Microsoft today announced the session catalog for its Build developer conference next month in Seattle, with AI unsurprisingly dominating the event.

Subscribe on YouTube

.NET Insight

Email Address*Country*

Please type the letters/numbers you see above.

Upcoming Training Events

0 AM

Visual Studio Live! Chicago
April 29-May 3, 2024

VSLive! 2-Day Training Seminar: Building Cloud-Ready, Resilient Systems in .NET
June 4-5, 2024

VSLive! 4-Day Hands-On Training Seminar: Full Stack Hands-On Development with .NET (Core)
July 16-19, 2024

Visual Studio Live! Microsoft HQ
August 5-9, 2024

Live! 360 2-Day Hands-On Seminar: Swimming in the Lakes of Microsoft Fabric and AI - A Hands-on Experience
August 20-21, 2024

VSLive! 4-Day Hands-On Training Seminar: Hands-on with Blazor
September 17-20, 2024

VSLive! 2-Day Hands-On Training Seminar: Developing Secure ASP.NET Web Apps
September 24-25, 2024

Live! 360 Orlando
November 17-22, 2024

VSLive! 4-Day Hands-On Training Seminar: Full Stack Hands-On Development with .NET (Core)
December 10-13, 2024

Free Webcasts

> More Webcasts