Shoddy Developer Security Practices Exposed By Study

A Microsoft study has exposed the fact that less than half of all developers implement any type of security development procedure when designing their applications.

Less than half of all developers use a security development process when building applications, according to a recent Microsoft study.

Lax Security

In a blog post, Tim Rains, director of Microsoft’s Trustworthy Computing effort, said results of a Microsoft study conducted by ComScore showed that security was not considered a “top priority” by 42 percent of developers worldwide when building software.

Moreover, Rains noted that while security development processes have been shown to reduce the number and severity of vulnerabilities found in software, nearly half of all developers – 44 percent – do not use a secure application program or process, according to the Microsoft Trust in Computing survey.

The reasons for not using security development processes are varied, Rains said. For 34 percent of developers, “cost is the primary reason for not using a security development process, followed by a lack of support and training – 33 percent,” he said.

Because of a lack of management approval, 24 percent indicated that they don’t use a security development process, he added.

The study also showed that globally, only about two-thirds of developers always take security into account when developing or contracting software. In India, 83 percent of developers always consider security when creating or contracting applications. This is followed by the United States where 72 percent always keep security concerns in mind when developing applications, the survey showed. More information on the survey can be found here.

To help increase adoption of security development practices, Microsoft provides free, downloadable tools and guidance on its Security Development Lifecycle (SDL) Website, Rains said. “Resources such as the Simplified Implementation of the SDL, SDL for Agile guidance, the Threat Modeling Tool and the Attack Surface Analyzer can help automate and enhance the SDL process, gain efficiencies and ease the implementation of the SDL,” he said. “To help with implementation, Microsoft’s Partner Network includes a number of members committed to helping customers adopt secure development practices based on the SDL.”Security Development Lifecycle (SDL) Website, Rains said. “Resources such as the Simplified Implementation of the SDL, SDL for Agile guidance, the Threat Modeling Tool and the Attack Surface Analyzer can help automate and enhance the SDL process, gain efficiencies and ease the implementation of the SDL,” he said. “To help with implementation, Microsoft’s Partner Network includes a number of members committed to helping customers adopt secure development practices based on the SDL.”

Better ROI

However, “security isn’t the only benefit that comes out of implementing an SDL process, as writing secure code also leads to real cost savings,” Rains added. “An independent study by the Aberdeen Group showed that companies adopting a “secure at the source” (meaning a Microsoft SDL-like) strategy realized a fourfold return on their annual investments in application security. Forrester found that those practising SDL specifically reported a visibly better return on investment.”

The Trust in Computing survey was designed to help measure current levels of trust in technology products and services in terms of security and privacy as well as to identify where concerns may be slowing down technology adoption, Rains said.

ComScore surveyed 4,500 consumers, IT professionals and developers in Brazil, Canada, China, Germany, India, Japan, Russia, the United Kingdom and the United States.

What do you know about Internet security? Find out with our quiz!

Originally published on eWeek.