Monday, April 5, 2010

Secure Coding Practices Survey Results

Submitted by Ryan Barnett 04/06/2010

The results of an interesting survey were recently released by Errata Security, entitled Integrating Security Into the Software Development Lifecycle. The survey was gathered during the recent RSA and Security B-Sides conferences in San Francisco and focused on attendees who worked at software companies. There were a number of interesting perspectives on the levels of success, or lack thereof, of attempting to implement a secure software development life cycle (SDLC) in an organization. Here is the most telling takeaway from a DarkReading story on the survey results:

Microsoft's SDL was the most popular tool for secure software development methods, with Microsoft SDL Agile at number two, with 35 percent of the respondents using Agile SDL, most of which were small development firms and several large companies in the survey. "The survey showed a big win for Microsoft's awareness program, but what I hope that Microsoft will learn from this is that small- to medium-sized software companies have different needs than the big guys. SDL-Agile is a good start, but now they need to re-evaluate the resource requirements with small company in mind," says Marisa Fagan, security project manager at Errata Security.

Fagan says among those companies not deploying a secure coding program, the main reason was a lack of resources. "No matter what the size of the company, participants said it was too time consuming, too expensive, and too draining on their resources," she says. "Another reason was that management had deemed it unnecessary...The survey showed that developers look to management to set the security agenda, and are generally not self-starters when it comes to including security in their code."
This is a key finding that organizations are facing, especially small to medium-sized ones. Here is a comment from a survey participant that echoes this same sentiment:

Planning to move security further "left" in the cycle. Unfortunately, my executive management is more concerned with getting a product out the door than getting a secure product out the door. Until that changes, I don't know how successful I can be...

I have seen this issue first hand. If upper management does not fully comprehend the impact of poor software security, then throwing process and technology at the problem won't help. C-level executives need guidelines so that they can make informed decisions about the possible consequences of producing insecure code. Last Wednesday an interesting report was released called "The Financial Management of Cyber Risk: An Implementation Framework for CFOs", and it is highly recommended that management reads it. Please pass this along.
