Sunday, April 04, 2010

Errata Security releases the results of the survey on secure coding practices

Errata Security released the results of a survey conducted over the week of Security B-Sides and the RSA Conference in San Francisco. The survey found that Microsoft SDL was the most common security development lifecycle among the companies using formal methodologies, but ad hoc solutions are still more popular. Small companies are more likely to be using Agile development and the corresponding SDL-Agile. The most common reason for not choosing to use a formal methodology was resource requirements.

Among those who responded that they were choosing not to use a secure coding program, a lack of resources was by far the most common answer. No matter what the size of the company, participants said it was too time-consuming, too expensive, and too draining on their resources. Another reason was that management had deemed it unnecessary. Management plays a key role in these decisions. The survey showed that developers look to management to set the security agenda, and are generally not self-starters when it comes to including security in their code.

Security in the SDLC is still a relatively new methodology. The 43% not integrating security is a high number, but it's improving at a steady pace. The adoption of SDL-Agile, which was introduced in November '09, by almost all of the small development shops and several large companies shows us that people are ready to make the shift; they're just waiting for the right style to fit their needs.

Here are the press links covering the story, and a link to the actual paper:

Download the Survey Results (pdf): "Integrating Security Into the Software Development Lifecycle"

Dark Reading: "Survey Says: More Than Half of Software Companies Deploying Secure Coding Methods"

CSO Security and Risk: "Code Writers Finally Get Security? Maybe"

Microsoft SDL Blog: "Survey Results: Microsoft SDL awareness on the rise"

Jeff Jones Blog: "SDL AWARENESS AND ADOPTION HIGH AMONG SECURITY PROFESSIONALS"

Help Net Security: "Root issues causing software vulnerabilities"
