Microsoft Study: Less Than Half of Developers Use a Security Process

Less than half of all developers use a security development process when building applications, according to a recent Microsoft study.

In a blog post, Tim Rains, director of Microsoft's Trustworthy Computing effort, said results of a Microsoft study conducted by ComScore showed that security was not considered a "top priority" by 42 percent of developers worldwide when building software.

Moreover, Rains noted that while security development processes have been shown to reduce the number and severity of vulnerabilities found in software, nearly half of all developers—44 percent—do not use a secure application program or process, according to the Microsoft Trust in Computing survey.

The reasons for not using security development processes are varied, Rains said. For 34 percent of developers, "cost is the primary reason for not using a security development process, followed by a lack of support and training—33 percent," he said.

Because of a lack of management approval, 24 percent indicated that they don't use a security development process, he added.

The study also showed that globally, only about two-thirds of developers always take security into account when developing or contracting software. In India, 83 percent of developers always consider security when creating or contracting applications. This is followed by the United States where 72 percent always keep security concerns in mind when developing applications, the survey showed. More information on the survey can be found here.

To help increase adoption of security development practices, Microsoft provides free, downloadable tools and guidance on its Security Development Lifecycle (SDL) Website, Rains said. "Resources such as the Simplified Implementation of the SDL, SDL for Agile guidance, the Threat Modeling Tool and the Attack Surface Analyzer can help automate and enhance the SDL process, gain efficiencies and ease the implementation of the SDL," he said. "To help with implementation, Microsoft's Partner Network includes a number of members committed to helping customers adopt secure development practices based on the SDL."

However, "security isn't the only benefit that comes out of implementing an SDL process, as writing secure code also leads to real cost savings," Rains added. "An independent study by the Aberdeen Group showed that companies adopting a "secure at the source" (meaning a Microsoft SDL-like) strategy realized a fourfold return on their annual investments in application security. Forrester found that those practicing SDL specifically reported a visibly better return on investment."

The Trust in Computing survey was designed to help measure current levels of trust in technology products and services in terms of security and privacy as well as to identify where concerns may be slowing down technology adoption, Rains said.

ComScore surveyed 4,500 consumers, IT professionals and developers in Brazil, Canada, China, Germany, India, Japan, Russia, the United Kingdom and the United States.


Originally published on eWeek.

Comments

  • There are no comments yet. Be the first to comment!

Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • As mobile devices have pushed their way into the enterprise, they have brought cloud apps along with them. This app explosion means account passwords are multiplying, which exposes corporate data and leads to help desk calls from frustrated users. This paper will discover how IT can improve user productivity, gain visibility and control over SaaS and mobile apps, and stop password sprawl. Download this white paper to learn: How you can leverage your existing AD to manage app access. Key capabilities to …

  • Targeted attacks and advanced threats are customized to infiltrate your unique IT infrastructure, evade conventional defenses, and remain hidden while stealing your corporate data. To detect these criminal intrusions, analysts and security experts agree that organizations should deploy advanced threat protection as part of an expanded security monitoring strategy. For this comparative analysis of breach detection systems, product analysis reports and comparative analysis reports are used to create the security …

Most Popular Programming Stories

More for Developers

Latest Developer Headlines

RSS Feeds