Software developers continue to ignore security
As we all know, and as I have referenced in previous posts, attacks on software of all types remain on the increase. Best practice is for software developers to prioritise security in their code. However, best practice does not always mean in-practice, as a recently published survey shows.
A few months ago, Microsoft commissioned comScore to look at attitudes and behaviours towards security. The company surveyed 4,500 consumers, IT professionals, and developers in Brazil, Canada, China, Germany, India, Japan, Russia, the United Kingdom and the United States. In an era where we are continually reminded about the importance of cyber security, I found the software developer results astounding.
The top-line finding of the survey is that 42% of developers worldwide do not consider security a priority when building software. Added to that, only 62% always take security into account when developing or contracting for software applications, and, incredibly, 7% never do. I ask myself: who is employing these developers?
When you look at the UK, the numbers become even more depressing. A third – yes, that is one in three developers – don’t use any secure application development process. I am incredulous that so many UK-based developers continue to ignore the issue, despite the fact that security development processes have been proven to reduce the number and severity of vulnerabilities found in software.
Thankfully, the survey does shed some light on why this is happening. 34% of developers cite cost as the primary reason for not using a security development process. 33% haven’t been trained or have no access to support in this area, while nearly one quarter (24%) say a lack of management approval is the reason. So it seems it is not just the developers but also their employers that are at fault. But please take note: while we do still operate in times of tight budget constraints, there is a plethora of free Microsoft and open source tools and guidance available on the internet. Oh, and an interesting aside – the comScore survey shows that it is in the offshore software development locations that security is most heavily emphasised.
I have written previously about the cost benefits of building security into the development process. Research and analysis organisations like Forrester, Aberdeen Group and IDC have demonstrated the link between increased ROI and software that is developed to be secure from the outset. With the free tools and guidance mentioned above, the investment required for secure software development processes is not large. Of course, some organisations get it, but why don’t the rest do more to protect themselves? I am sure it will make a big difference in the long run.