Study: Majority of U.S. Developers Use No Secure Coding Processes

About one-fifth use Microsoft's Security Development Lifecycle (SDL) processes to help secure code.

More than 40 percent of software developers globally say that security isn't a top priority for them, and a similar percentage don't use any secure application development process, according to a new study.

The survey was conducted by comScore for Microsoft last year. comScore surveyed 4,500 consumers, IT professionals, and developers in Brazil, Canada, China, Germany, India, Japan, Russia, the United Kingdom and the United States. Microsoft highlighted the results of the study on its security blog.

On the development side, only about 62 percent "always" take security into account when developing or contracting for software applications. Thirty-one percent "usually" do, and 7 percent "never" do, the survey found.

The countries in which security is most heavily emphasized are India (79 percent) and Brazil (77 percent). After that, the figures drop significantly, with Canada coming in third at 61 percent and the U.K. and Germany next at 58 percent. In the United States, just 55 percent of developers consider security a "top priority." The only surveyed countries that came in below 50 percent were China, at 47 percent, and Japan, at a scary 33 percent.

Microsoft's secure coding process is called Security Development Lifecycle (SDL), and is one of the best-known resources in the industry. In the United States, however, the SDL isn't a part of most developers' regular practices, according to the survey. A scant 21 percent of U.S.-based developers said they use it, compared with 66 percent in China, 58 percent in India, 40 percent in Russia, 55 percent in Canada and 60 percent in Brazil. Overall, 47 percent of developers globally use SDL.

Comparatively, a staggering 76 percent of U.S. developers use no secure application development process at all (a small percentage use processes other than SDL, such as OpenSAMM and the Homeland Security Build Security In program). The only country with a higher percentage was Japan, which ended up at the very end of nearly every category, at 80 percent.

Why are the numbers for United States developers so bad? The primary reasons given to comScore were cost (21 percent), lack of support and training (26 percent) and, perhaps most worrisome, a lack of discussion of the topic (46 percent).

Tim Rains, Microsoft's director of Trustworthy Computing, pointed out in a blog post about the survey results that the benefits of secure coding practices go beyond better code: "writing secure code also leads to real cost savings." He cited Aberdeen Group and Forrester studies confirming that companies that adopt secure development strategies gain significant return on investment (ROI).

Microsoft's SDL site includes a number of free tools, including an SDL Process Template for companies with more traditional development processes, and an MSF-Agile + SDL Process Template for Visual Studio Team System, for companies that have adopted Agile methodologies. The SDL is a 16-step plan that starts with core security training.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.
