A recent survey by Errata Security found that security is starting to take hold at some software development firms, likely being driven by customer requirements.
Errata Security found that 50% of software development companies say "security is 'always' a concern in the development of their application." Many firms are still lacking a former software development lifecycle (SDLC). Only half of the firms that say security is 'always' a concern have a formal methodology in place.
Atlanta-based Errata Security surveyed 46 software development companies at the Security B-Sides gathering in San Francisco during the 2010 RSA Conference. While some customers are more aware of security and ensure that security requirements are well documented, software development companies generally have some catching up to do, said Marisa Fagan, a security project manager at Errata.
"Security will always get the short end of the stick because it's easier to find the profit in the other business drivers," Fagan said.
Fagan said software developers usually wait for a security incident to occur before calling in a security expert. "A company then looks to integrate secure coding practices as a response. So, in a way, the low number is actually a sign that hackers are not overrunning business," she said.
One trend that the survey paid great attention to was to which SDLC development methodology each organization subscribed to. What they found, was that methodologies vary greatly from shop to shop. However, three methodologies dominated the survey: Ad Hoc was the most popular SDLC, followed closely by Microsoft's Agile, with Waterfall holding onto the third slot.
So what makes these three methodologies different, and how do developers choose a method? "The companies that use them ascribe to a formalized pattern of software development that is efficient and discourages bugs," said Fagan. "While Agile focuses on short burst repetitions for ongoing projects, Waterfall is more appropriate for programs with very few version updates. An Ad Hoc method may or may not be formalized, and is unique to the company."
Microsoft has been supporting Agile within its methodology framework since early February, and it is already garnering support among application developers who consider security a top priority. According to the Errata report, most of the participants who listed Microsoft Agile considered security to "always" be a top priority.
Although Agile is in its infancy, Fagan says that's not a good reason for consumers to feel skeptical; "The Microsoft SDL and SDL-Agile are successful because they are supported heavily by Microsoft and the SDL Pro Network," she said. Jeremy Dallman, a security program manager with the Security Development Lifecycle Team at Microsoft said the software giant is just beginning to understand the impact the SDL is having on the ecosystem. Dallman said he is encouraged by the thousands of downloads his team has seen in the past 18 months of the new Agile development template in February. The SDL framework will be continually improved to combat new threats, Dallman said. "Microsoft's SDL process was created to provide clear guidance for embedding security and privacy into the company's culture and implementing a full-lifecycle approach to security that reduces the number and severity of vulnerabilities in software before it is released," Dallman said. "The same can be said for SDL-Agile. Since the SDL was created, we have frequently updated the guidance to address the evolving software ecosystem and new threats. We will continue to do the same for SDL-Agile by looking at the types of applications that use this methodology."
One of the reasons Agile has been successful in the early goings, is because it was able to "piggyback" on Microsoft's SDL: Organizations are finding it easy and productive by using the combination of Agile, along with Microsoft SDL.
According to Errata's survey, 18 of the 46 companies they polled said that their organization was not currently implementing a security development methodology. Fagan said she was not discouraged by the response because the concept is still relatively new.
So why aren't more companies pooling more resources towards a security development method? Fagan believes the onus falls on upper management. Once customers demand more security and upper management can make a business case for it, software development firms will add better security processes.
"These members of management make the decision not to use security software assurance because although the implementation is clear the costs and resource requirements for these methodologies are still largely unexplored," Fagan said.