IT pros turn a blind eye to secure coding

Nearly two-thirds of IT professionals say their organisations do not build products and services with security in mind, a Microsoft survey reveals

Nearly two-thirds of IT professionals admit their organisations do not build products and services with security in mind, a Microsoft survey has revealed.

“This shows that now is the time to move beyond isolated implementations of secure development,” said Steve Lipner, partner director, Trustworthy Computing, Microsoft.

“We need to move forward as an industry to secure development and adopt best practices that have been proven to work.”

The survey showed 61% of developers do not take advantage of existing mitigation technologies, such as address space layout randomisation (ASLR).

“Without such mitigations, developers are introducing potential vulnerabilities that can cause real risk,” said Lipner.
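The mitigations Lipner refers to are ones a binary has to opt in to at build time: on Windows the MSVC linker records /DYNAMICBASE (ASLR), /HIGHENTROPYVA and /NXCOMPAT (DEP) in the DllCharacteristics field of the PE optional header. The following Python script is an added example, not code from the article, the survey or Microsoft's SDL tooling; it reads that field to report whether an image has opted in, and also catches a case a plain flag check misses: an image marked DYNAMIC_BASE whose relocations were stripped cannot actually be rebased by the loader. The function names are mine and the sample header bytes are constructed inline so the check runs offline.

```python
"""Check whether a Windows PE image opts in to ASLR and DEP.

Added example (not from the article or from Microsoft): parses the PE header
in memory and reports the DllCharacteristics mitigation flags.
"""
import struct
import sys

# Flag values from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*).
HIGH_ENTROPY_VA = 0x0020   # 64-bit image supports high-entropy ASLR (/HIGHENTROPYVA)
DYNAMIC_BASE = 0x0040      # image may be relocated at load time, i.e. ASLR (/DYNAMICBASE)
NX_COMPAT = 0x0100         # image is DEP-compatible (/NXCOMPAT)
# COFF file header Characteristics flag (IMAGE_FILE_RELOCS_STRIPPED).
RELOCS_STRIPPED = 0x0001


def pe_mitigations(data: bytes) -> dict:
    """Return the mitigation opt-in flags of a PE image held in memory.

    Raises ValueError if the bytes are not a well-formed PE header.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                      # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                                          # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    if opt_size < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    (dllchar,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": bool(dllchar & DYNAMIC_BASE),
        "high_entropy_va": bool(dllchar & HIGH_ENTROPY_VA),
        "nx_compat": bool(dllchar & NX_COMPAT),
        "relocs_stripped": bool(characteristics & RELOCS_STRIPPED),
    }


def aslr_enabled(data: bytes) -> bool:
    """True only if the image can really be randomised: DYNAMIC_BASE set and
    relocation data still present (an image without relocations must load at
    its preferred base, whatever the flag says)."""
    m = pe_mitigations(data)
    return m["dynamic_base"] and not m["relocs_stripped"]


def build_sample_pe(dllchar: int, pe32plus: bool = True,
                    relocs_stripped: bool = False) -> bytes:
    """Constructed minimal PE header (no sections) for offline testing.

    Not a loadable binary: just enough header to exercise the parser.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    machine = 0x8664 if pe32plus else 0x14C                          # AMD64 / i386
    opt_size = 240 if pe32plus else 224
    characteristics = 0x0002 | (RELOCS_STRIPPED if relocs_stripped else 0)  # EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dllchar)                         # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py <path-to-exe-or-dll>
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    print(pe_mitigations(blob))
    print("ASLR effective:", aslr_enabled(blob))
```

Run it against a real .exe or .dll to see which mitigations the build opted in to; a hardened 64-bit image shows dynamic_base, high_entropy_va and nx_compat all true with relocs_stripped false.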

However, in the real world where developers are facing demands for new features and functionality on new and emerging platforms, security is seldom at the top of their minds, he said.

As the internet increasingly becomes part of the fabric of daily life, Lipner said, any lack of security in it has a significant impact, which makes security a real concern.

“Microsoft believes that secure design and development is important, but is concerned that this is not happening to the extent that it should,” he said.

Lack of support and costs hold up security

According to Lipner, there are three main reasons that secure development is still not commonplace.

First, there is not enough support from management, which tends to focus on getting products and services to market and does not view security as a priority.

Second, there is a lack of support and training for developers.

Finally, companies are afraid that secure development will increase costs and could potentially delay the release of products and services.

“One of the reasons Microsoft is sponsoring the Security Development Conference 2013 is because it focuses on things that can enable organisations to move beyond these obstacles,” said Lipner.

Standardisation and compliance

Microsoft believes standardisation and compliance are important in helping management accept the need for secure development.

“We know that where there are standards, best practices and compliance requirements, it is easier to get the C-suite to understand there is something they should be doing,” said Lipner.

For this reason, Microsoft has announced plans to conform with the first part of the ISO 27034 standard on application security (ISO/IEC 27034-1).

Annex A of the standard identifies Microsoft’s Security Development Lifecycle (SDL) as an example that can help other organisations conform to ISO 27034.

Microsoft began developing the SDL around ten years ago and has made it available to the software industry for free use since 2007.

The software company has published several papers about the implementation of the SDL aimed at specific industry sectors, with the latest focusing on the healthcare industry.

“The paper addresses the issues facing the healthcare industry and illustrates how the SDL can pay off in an industry where security is critical,” said Lipner.

“Industry-specific illustrations of benefits can help remove barriers to secure development.”

In addition to industry-specific papers on the SDL, Microsoft provides downloadable tools such as the threat modeling tool and guidance such as SDL for agile development.

Microsoft believes that ISO 27034 will help organisations on the supply side make the case for secure development to management and, on the demand side, will give organisations something concrete to ask their suppliers for.

“The internet needs to get safer, which is what Microsoft hopes to accomplish and the reason it sponsors conferences and makes tools and information available,” said Lipner.
