If you are in the security industry or follow news about security breaches or threat intelligence, you know that the threat landscape is continually evolving. Attackers are constantly seeking new ways to compromise potential victims, whether broadly or on a targeted scale. They exploit unpatched vulnerabilities, use deceptive tactics to trick users into installing malicious software, guess weak passwords, and resort to other dirty tricks. Despite this reality, a concerningly large number of organizations are still not developing applications with security in mind.
According to our latest Trust in Computing survey, conducted in nine countries for Microsoft by comScore, security wasn’t considered a “top priority” when building software by 42% of developers worldwide.
While security development processes have been shown to reduce the number and severity of vulnerabilities found in software, almost half of all developers (44%) do not use a secure application development process today.
The reasons for not using security development processes are varied. Thirty-four percent of developers say cost is the primary reason for not using a security development process, followed by a lack of support and training (33%). Twenty-four percent say they do not use a security development process because of a lack of management approval.
More information on the results from part two of the Trust in Computing study can be found here.
To help increase adoption of security development practices, Microsoft provides free, downloadable tools and guidance on its Security Development Lifecycle (SDL) Website. Resources such as the Simplified Implementation of the SDL, SDL for Agile guidance, the Threat Modeling Tool and the Attack Surface Analyzer can help automate and enhance the SDL process, gain efficiencies, and ease the implementation of the SDL. To help with implementation, Microsoft’s Partner Network includes a number of members committed to helping customers adopt secure development practices based on the SDL.
However, security is not the only benefit of implementing an SDL process: writing secure code also leads to real cost savings. An independent study by the Aberdeen Group showed that companies adopting a "secure at the source" strategy (meaning a Microsoft SDL-like approach) realized a fourfold return on their annual investments in application security. Forrester found that organizations practicing the SDL specifically reported a visibly better return on investment.
The Trust in Computing survey was designed to measure current levels of trust in technology products and services in terms of security and privacy, and to identify where concerns may be slowing down technology adoption. comScore surveyed 4,500 consumers, IT professionals, and developers in Brazil, Canada, China, Germany, India, Japan, Russia, the United Kingdom, and the United States. For more on the results from part two of this study, I encourage you to download the information here.