News

Study: Majority of U.S. Developers Use No Secure Coding Processes

About one-fifth use Microsoft's Security Development Lifecycle (SDL) processes to help secure code.

More than 40 percent of software developers globally say that security isn't a top priority for them, and a similar percentage don't use a secure application program process, according to a new study.

The survey was conducted by comScore for Microsoft last year. comScore surveyed 4,500 consumers, IT professionals, and developers in Brazil, Canada, China, Germany, India, Japan, Russia, the United Kingdom and the United States. Microsoft highlighted the results of the study on its security blog.

On the development side, only about 62 percent "always" take security into account when developing or contracting for software applications. Thirty-one percent "usually" do, and 7 percent "never" do, the survey found.

The countries in which security is most heavily emphasized are India (79 percent) and Brazil (77 percent). After that, the figures drop significantly, with Canada coming in third at 61 percent and the U.K. and Germany next at 58 percent. In the United States, just 55 percent of developers consider security a "top priority". The only surveyed countries that came in at fewer than 50 percent were China, at 47 percent, and Japan, at a scary 33 percent.

Microsoft's secure coding process is called Security Development Lifecycle (SDL), and is one of the best-known resources in the industry. In the United States, however, the SDL isn't a part of most developers' regular practices, according to the survey. A scant 21 percent of U.S.-based developers said they use it, compared with 66 percent in China, 58 percent in India, 40 percent in Russia, 55 percent in Canada and 60 percent in Brazil. Overall, 47 percent of developers globally use SDL.

Comparatively, a staggering 76 percent of U.S. developers use no secure application program process (a small percentage use processes other than SDL, like OpenSAMM and Homeland Security Build Security In.) The only country with a higher percentage was Japan, which ended up at the very end of nearly every category, at 80 percent.

Why are the numbers for United States developers so bad? The primary reasons given to comScore were cost (21 percent), lack of support and training (26 percent) and, perhaps most worrisome, a lack of discussion of the topic (46 percent).

Tim Rains, Microsoft's director of Trustworthy Computing, pointed out in a blog post about the survey results that the benefits of secure coding practices go beyond better code: "writing secure code also  leads to real cost savings." He mentioned Aberdeen Group and Forrester studies confirming that companies that adopt secure development strategies gain significant return on investment (ROI).

Microsoft's SDL site includes a number of free tools, including an SDL Process Template for companies with more traditional development processes, and a MSF-Agile + SDL Process Template for Visual Studio Team System, for companies that have adopted Agile methodologies. The SDL is a 16-step plan that starts with core security training.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.

comments powered by Disqus

Featured

  • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

    The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

  • Diving Deep into .NET MAUI

    Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

  • Copilot AI Boosts Abound in New VS Code v1.96

    Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

  • AdaBoost Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

  • Versioning and Documenting ASP.NET Core Services

    Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

Subscribe on YouTube