Following Best Coding Practices Doesn't Always Mean Better Security

wiredmikey writes "While some best practices such as software security training are effective in getting developers to write secure code, following best practices does not necessarily lead to better security, WhiteHat Security has found. Software security controls and best practices had some impact on the actual security of organizations, but not as much as one would expect, WhiteHat Security said in its Website Security Statistics Report. The report correlated vulnerability data from tens of thousands of Websites with the software development lifecycle (SDLC) activity data obtained via a survey. But there is good news — as organizations introduced best practices in secure software development, the average number of serious vulnerabilities found per Website declined dramatically over the past two years. 'Organizations need to understand how different parts of the SDLC affects how vulnerabilities are introduced during software development,' Jeremiah Grossman, co-founder and CTO of WhiteHat said. Interestingly, all the Websites tested under the study, 86 percent had at least one serious vulnerability exposed to attack every single day in 2012, and on average, resolving vulnerabilities took 193 days from the time an organization was first notified of the issue."

"best practice" and surveys

[bickerdyke]

Asking software companies if the require their developers to adhere to "best practice" won't lead to any usefull number at all.

Or does anyone think anyone would admit to use only second-best programming standards?

Let alone the question what programming techniques count as "best practice".

Rules should be treated like guidelines

If secure coding could be described by a few simple rules, coders would have already been replaced by programs.

Best practices

[philip.paradis]

"Best practices" is such a wonderful term; its sheer flexibility permits the person invoking it to assure his audience that he meant exactly what he said, even when he didn't say much of substance.

Now if you'll excuse me, I'm late for a game of bullshit bingo.

Re:Following best architectural design practices

[hairyfeet]

Or to just cut past all the damned metaphors just because you teach your programmers not to have Bobby Drop Tables size screw ups doesn't mean there isn't a bazillion other ways they can screw up.

Re:Following best architectural design practices

[chrismcb]

Of course it does, and TFA even says so. Of course going to "software security training" isn't exactly a "best practice" either. Just because someone goes to a training session doesn't mean they'll learn anything.
Following best practices in code will most definitely make your code more secure. But more secure is very relative. You can still have plenty of vulnerabilities, just fewer than before.
Best practices or no, we all make mistakes, and plenty of them. It only takes one mistake to leave a hole. Whether it is a simple bug, or a design flaw. And the bad guys only need to find one flaw. So yes Best Practices help. But it doesn't mean your code is going to be Fort Knox.

Re: No surprise

[mattpalmer1086]

Been there, done that, made redundant.

This was at a software house selling payment processing middleware that had to be PA-DSS compliant. Achieved compliance, role made redundant.

They clearly made a risk reward calculation and decided the benefit of securing the product was outweighed by the cost of slowing development. Particularly as everyone else's security also sucked and there was no particular liability for them if a breach occurred. It's a classic externality.

I'm also on the steering committee for an initiative trying to improve software security and resilience. They also figured out that the market was failing here, and only legislation for software liability or some other mechanism to correct the externality had any chance of improving the situation. But the cure might be worse than the disease. ..