A discussion at SecTor on Rogue Secure Development

Last week I presented a new methodology for developing secure code called Rogue Secure Development(pdf). The talk was at SecTor in Toronto, and afterwards a lively discussion took place concerning the adoption of such a methodology. RSD is a 5 phase process that bakes in with the traditional Waterfall SDLC and focuses on bare-bones resource requirements for SMBs. The question I put forth to the audience was:

If there is a process that requires minimal amounts of resources, saves money, and creates robust code, what will it take to increase adoption?

There were many answers, but they were all summed up succinctly in 4 options.

1. People are killed, and a lack of a secure coding methodology is directly to blame.

2. Companies go bankrupt, and a lack of a secure coding methodology is directly to blame.

3. A nuclear power plant has a catastrophic meltdown, and a lack of a secure coding methodology is directly to blame.

4. Compliance forces adoption.

I found these dramatic and macabre options disturbing, so I asked, "Is there no business case for secure coding? No cost saving analysis? No risk management prescription?" The consensus in the room was that my suggestions, while potentially possible, weren't going to persuade anybody to break from the status quo. Interestingly, the only factor that seemed to have complete persuasive power was Compliance. In this particular audience, the threat of fines was more of a motivating stick than I've ever seen previously.

In March 2010, Errata did a study asking people what reasons they had if they were not using a secure development lifecycle. By far the most popular answer was resource constraints. The 4 options above would imply that, at least according to security folks, the reason people do not adopt secure coding is because of some black and white risk assessment telling them they are not in danger. So, does this mean that the people in the study aren't being honest with themselves, or that security professionals are out of touch with the motives of the development shops?

Errata Security releases the results of the survey on secure coding practices

Errata Security released the results of a survey conducted over the week of Security B-Sides and the RSA Conference in San Francisco. The survey found that Microsoft SDL was the most common security development lifecycle chosen of the companies using formal methodologies, but Ad Hoc solutions are still more popular. Small companies are more likely to be using Agile development, and the corresponding SDL-Agile. The most common reason for not choosing to use a formal methodology was resource requirements. Of those that responded they were choosing not to use a secure coding program, a lack of resources was by far the most common answer. No matter what the size of the company, participants said it was too time consuming, too expensive, and too draining on their resources. Another reason was that management had deemed it unnecessary. Management plays a key role in these decisions. The survey showed that developers look to management to set the security agenda, and are generally not self-starters when it comes to including security in their code. Security in the SDLC is still a relatively new methodology. 43% not integrating security is a high number, but it's improving at a steady pace. The adoption of SDL-Agile, which was introduced in November '09, by almost all of the small development shops and several large companies shows us that people are ready to make the shift, they're just waiting for the right style to fit their needs. Here are the press links covering the story, and a link to the actual paper: Download the Survey Results (pdf): "Integrating Security Into the Software Development Lifecycle" Dark Reading: "Survey Says: More Than Half of Software Companies Deploying Secure Coding Methods" CSO Security and Risk: "Code Writers Finally Get Security? Maybe" Microsoft SDL Blog: "Survey Results: Microsoft SDL awareness on the rise" Jeff Jones Blog: "SDL AWARENESS AND ADOPTION HIGH AMONG SECURITY PROFESSIONALS" Help Net Security: "Root issues causing software vulnerabilities"

POLL - What is your experience with security in the Software Development LifeCycle?

Errata Security is conducting a survey on the real world usage of software development methodologies such as Microsoft SDL, OWASP's SAMM, and BSIMM. We are interested in learning which organizations are successfully implementing these methods, and also the reasons companies are abstaining from using these methods. The survey went live over the weekend, and already we are collecting some very interesting experiences. The most noteworthy observation is how varied the responses have been. There appears to be no one correct solution for any two organizations. We will have this survey up through the RSA Conference and the following week, and see if any patterns emerge.

To participate in this short survey, go to http://bit.ly/ErrataSurvey. If you would like a copy of the results of this survey, there is a request button at the end of the survey where you can enter your email address.

In order to encourage participation in this survey, and to explain the reasons behind it, I will be giving a lightning talk at Security B-Sides in San Francisco on March 3 at 12:00 PST.

Please share the survey link with software developers, security experts, product managers, or anyone involved in product development. Thanks!