Developer Survey 1 Results - Part 1
Key Conclusion: Developers in general do not know about OWASP or the OWASP Top 10.
There were 64 responses to the developer survey, which was open from 10/16/2011 through 11/18/2011 (via surveymonkey.com). That is not enough to be an exhaustive sample, but it is enough to see some compelling data and learn some things. The purpose of this post is to capture the very top level of information we can gather from the data. There were some biases in the backgrounds and experience levels of those that responded. I'll try to illustrate those here and show some of the first level of results.
Of the respondents, 2 of 3 had "More than ten years" of experience building software (42, 65.6%). Another 21.9% (14) had "Five to ten years". There were 5 and 3 people with "Two to five years" and "Less than two years" respectively. So overall, the respondents were fairly senior software builders.
Popular industries included "Professional, Scientific, and Technical Services", "Information" and "Finance and Insurance" with 17, 15 and 15 respondents respectively. There were several respondents in retail, health care and other areas. I used a standard set of categories and I'm hoping that there may be some interesting differences in the more detailed analysis. Unfortunately, the sample also did not have very substantial diversity across industries.
OK, so now it gets interesting. Of these people, how many do you think said security was a "Top Priority"? 5 out of 64, or 7.8%. The majority of people (35, 54.7%) said security was a "Major Concern". Together, that's only about 62% who said security was a major concern or top priority! Another 24 (37.5%) said that it was a "Small Concern". Nobody said it was "Not a concern". Can we declare victory now? Of course not. I didn't expect the "Top Priority" group to be very large, but I suppose I thought that "Small Concern" might be 10-20% as opposed to nearly 40%!
Let's go a little further. Given the choice (select multiple) of "Are you familiar with?", 20 (31.3%) said they were familiar with "OWASP". 14 (21.9%) said they were familiar with "OWASP Top 10". 2 (3.1%) said they were familiar with "MITRE CWE Top 25". A whopping 67.2% (43) said that they were familiar with "None of the above". Honestly, this didn't surprise me, but I think it might surprise some people out there.
The group was split on whether they believe they have produced software with vulnerabilities. In response to this: "Have you ever had a security vulnerability identified in software that you were involved in building?", 33 (51.6%) said "Yes" while 31 (48.4%) said "No". I'm guessing that most people in the security industry would assert that those that said "No" just don't know their code has security holes.
There is more significant and interesting data to follow, including specifics about which types of vulnerabilities builders are familiar with, what practices are in place to assure security in software development, and suggestions around specific steps that security folks (breakers) can take to better communicate about security with developers (builders). I'm excited to get deeper into the analysis and will post about it along the way.
For now, the major takeaway has to be that even senior builders are not aware of OWASP and the OWASP Top Ten. Developers (builders) need to work harder to learn about application security, and OWASP is a good resource to start with. Breakers need to acknowledge that there is a disconnect in the communication of information and training about application security practices. Breakers need to stop blaming developers for poor application security and revisit their outreach and collaboration strategies. I believe both sides need to work harder to communicate and learn. At the same time, project managers and people who set corporate direction need to be educated to invest in security and build it in from the beginning. Ultimately, management is to blame if developers don't think security is a high priority.