Study: Majority of U.S. Developers Use No Secure Coding Processes
About one-fifth use Microsoft's Security Development Lifecycle (SDL) processes to help secure code.
More than 40 percent of software developers globally say that security isn't a top priority for them, and a similar percentage don't use a secure application program process, according to a new study.
The survey was conducted by comScore for Microsoft last year. comScore surveyed 4,500 consumers, IT professionals, and developers in Brazil, Canada, China, Germany, India, Japan, Russia, the United Kingdom and the United States. Microsoft highlighted the results of the study on its security blog.
On the development side, only about 62 percent "always" take security into account when developing or contracting for software applications. Thirty-one percent "usually" do, and 7 percent "never" do, the survey found.
The countries in which security is most heavily emphasized are India (79 percent) and Brazil (77 percent). After that, the figures drop significantly, with Canada coming in third at 61 percent and the U.K. and Germany next at 58 percent. In the United States, just 55 percent of developers consider security a "top priority". The only surveyed countries that came in at fewer than 50 percent were China, at 47 percent, and Japan, at a scary 33 percent.
Microsoft's secure coding process is called the Security Development Lifecycle (SDL), and is one of the best-known resources in the industry. In the United States, however, the SDL isn't a part of most developers' regular practices, according to the survey. A scant 21 percent of U.S.-based developers said they use it, compared with 66 percent in China, 58 percent in India, 40 percent in Russia, 55 percent in Canada and 60 percent in Brazil. Overall, 47 percent of developers globally use SDL.
Comparatively, a staggering 76 percent of U.S. developers use no secure application program process (a small percentage use processes other than SDL, like OpenSAMM and Homeland Security's Build Security In). The only country with a higher percentage was Japan, which ended up at the very end of nearly every category, at 80 percent.
Why are the numbers for United States developers so bad? The primary reasons given to comScore were cost (21 percent), lack of support and training (26 percent) and, perhaps most worrisome, a lack of discussion of the topic (46 percent).
Tim Rains, Microsoft's director of Trustworthy Computing, pointed out in a blog post about the survey results that the benefits of secure coding practices go beyond better code: "writing secure code also leads to real cost savings." He mentioned Aberdeen Group and Forrester studies confirming that companies that adopt secure development strategies gain significant return on investment (ROI).
Microsoft's SDL site includes a number of free tools, including an SDL Process Template for companies with more traditional development processes, and an MSF-Agile + SDL Process Template for Visual Studio Team System, for companies that have adopted Agile methodologies. The SDL is a 16-step plan that starts with core security training.
Keith Ward is the editor in chief of Virtualization Review. Follow him on Twitter @VirtReviewKeith.