Root issues causing software vulnerabilities

A survey on software security assurance, conducted by Errata Security during the Security B-Sides conference, shows that 50% of software companies say security is “always a concern.” More than half of the survey’s participants said they include preventative security activities in the development lifecycle of their product.

The most popular formal software security assurance methodology was the Microsoft SDL, followed closely by Microsoft SDL-Agile. 35% of companies are using an Agile SDLC, which accounts for the rapid adoption of the newly released SDL-Agile methodology.

The survey’s chart (not reproduced here) shows which security activities organizations carry out during development.

“There is still a large percentage of software companies who are not considering security the first time they write their application,” says Marisa Fagan, Security Project Manager for Errata Security. “Waiting until a bug appears in the news is like paying someone to follow behind you and unravel all of your hard work. It’s just a matter of time before they find a hole.”

The survey also showed that companies with product development teams of fewer than 10 members implement formal methodologies more successfully than companies with teams of 100 or more, and these small companies also gave security training to a wider variety of roles. Larger companies more frequently used an ad-hoc or custom methodology.

Awareness of formal methodologies such as SDL, BSIMM, SAMM, and CLASP is high, at 81%, but 43% of companies still choose not to use one, citing a lack of resources as the main concern. Errata Security found that security tool vendors are raising awareness by explaining where their tools fit into the security development lifecycle.

The complete survey is available here.