I love the Olympics! I can’t wait to watch the events from London this summer. Countries, teams, individuals, all competing to be number one in their chosen event. One of the greatest things about the Olympics is how inclusive it is. A wide variety of competitions are included in the Summer and Winter Olympics. Chess, Art, Plunge for Distance, Curling, and Trampoline have all featured in past Olympics or are active petitions for inclusion in a future Olympics. This got me thinking. Why isn’t Programming on the Olympic roster?
Programming should be an Olympic event!
Programmers train as hard as any other participant in the Olympics. It takes blood, sweat and tears to become the best programmer at your school, company, city, or country. I’m going to contact Jacques Rogge, President of the International Olympic Committee, to request the selection committee include Programming in a future Olympics. Your support will help my request. Sign our petition to add Programming to the Olympics!
Programming Event: the United States vs. the European Union
My company, Veracode, sees the security quality of the thousands of applications submitted to our Platform for analysis by developers around the world. Using our testing information and analyst research, we’ve created a mock programming face-off between the United States and the European Union to predict who would win and why. Much has been written comparing the different approaches the two regions take to secure their software and applications, but who is gold medal material?
Veracode Logins By Country – Wednesday, May 2, 2012 at 1:34:44 PM EDT
Round 1: Data Analysis
After looking at the security scores from thousands of applications Veracode has scanned since 2010, we found that applications produced by EU-based organizations are typically more secure. Like a panel of judges scoring gymnasts’ routines, there is a wide range of inputs we take into account when judging security quality. For this round, one of the ways we judge security quality is a flaw density metric: the total number of flaws found in an application divided by the application’s size in megabytes. We determined that applications from the United States have an average flaw density of 60 flaws per megabyte while applications from the EU only have about 35.
We also looked specifically at the OWASP Top 10 flaws present in applications from each region. The average flaw density for the OWASP Top 10 is 19 flaws per MB for the EU and 43 flaws per MB for the US. Using these figures there is an even greater discrepancy of application security between the US and EU. You can see from the scoreboard below that, on average, there is more than double the number of flaws per MB in applications coming from companies with headquarters in the United States.
Round one goes to the EU!
Editor’s Note: (1) We bundled all EU countries together to balance the dataset. (2) We don’t actually know what country the developer is in who wrote the code, we only know what company/country/continent their work represents.
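Flaw density as this round uses it is flaws per megabyte, averaged per region; the post does not say whether that average is the mean of per-application densities or the pooled total (all flaws over all megabytes), and the two can differ when application sizes vary. The following is an added example, not Veracode’s code or data, that computes both figures over constructed scan records and picks the round winner (lower density wins):

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scan:
    region: str
    size_mb: float
    flaws: int        # all flaws reported by static analysis
    owasp_flaws: int  # subset mapped to OWASP Top 10 categories


# Constructed sample records (hypothetical values, not Veracode data).
SCANS = [
    Scan("US", 2.0, 150, 100), Scan("US", 0.5, 10, 6), Scan("US", 8.0, 400, 300),
    Scan("EU", 1.0, 40, 20),   Scan("EU", 4.0, 120, 60), Scan("EU", 0.25, 5, 1),
]


def density(scan, owasp_only=False):
    """Flaw density of one application: flaws per megabyte."""
    if scan.size_mb <= 0:
        raise ValueError("application size must be positive")
    return (scan.owasp_flaws if owasp_only else scan.flaws) / scan.size_mb


def mean_density(region, owasp_only=False):
    """Mean of per-application densities: every application counts equally."""
    return mean(density(s, owasp_only) for s in SCANS if s.region == region)


def pooled_density(region, owasp_only=False):
    """Total flaws over total megabytes: large applications dominate the figure."""
    rows = [s for s in SCANS if s.region == region]
    flaws = sum(s.owasp_flaws if owasp_only else s.flaws for s in rows)
    return flaws / sum(s.size_mb for s in rows)


def round_winner(metric, owasp_only=False):
    """Lower density wins the round; metric is mean_density or pooled_density."""
    scores = {r: metric(r, owasp_only) for r in ("US", "EU")}
    return min(scores, key=scores.get)


if __name__ == "__main__":
    for name, metric in (("mean", mean_density), ("pooled", pooled_density)):
        for owasp in (False, True):
            print(name, "OWASP Top 10" if owasp else "all flaws",
                  {r: round(metric(r, owasp), 1) for r in ("US", "EU")})
```

With these sample records the US scores 48.3 flaws/MB by the per-application mean but 53.3 by the pooled method, so a scoreboard should state which aggregation it reports.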
Round 2: Security Practices
In February 2012, analyst firm Quocirca released “Outsourcing the problem of software security,” a report focused on examining security practices of companies in the US and UK [1]. The report draws on Quocirca research to depict and compare how organizations are approaching software security and the effectiveness of their methods.
Despite our flaw density findings above, Quocirca’s report offers several key facts that earn US companies some serious points for having more software security practices built into their software development and deployment processes. For instance, Quocirca reports that 15-25% more companies in the United States check their software against the OWASP Top 10 and CWE/SANS Top 25 for flaws. Additionally, consumers in the US seem to be more wary of software security risk than those in the UK, with 50% of US-based companies reporting that they have customers that require they demonstrate software security practices (compared to only 20% of those based in the UK). Finally, organizations in the US reported higher spending on programmer and developer training than organizations in the UK [1]. Just like any other sport, the team that invests more in their lineup will have a leg up on the competition.
Although US companies reported a higher level of attention to application/software security in practice, the Quocirca report points to the UK having more sophisticated software policy and regulations. Surveyed organizations reported that 50% of auditors in the UK require demonstration of software security practice – about 10% more than those in the US [1].
While the UK earned points for their more stringent auditing processes, Round 2 still goes to the US for overall security practices!
Round 3: Rules & Regulations
We then looked at the rules that each team plays by in their programming efforts. The European Union uses government policy and enforcement as its primary approach to software security quality regulation. The recently adopted EU Software Regulations were created to ensure that user data would only be used for “explicit and legitimate purposes” [2]. While this legislation addresses data privacy, it has an immediate effect on application and software security. Because applications are the gateway to data, any laws that are designed to protect data inherently increase application security.
The United States suffered penalties in Round 3 of the contest for their lack of centralized data or security legislation directly comparable to that of the EU. In the US, data protection and software security measures are adopted as needed to fit within compliance guidelines and industry practices or are applied in the wake of a data breach. Although the US has proposed legislation concerning software and data regulation (e.g. SOPA/PIPA, CISPA, and the Cyber Security Public Awareness Act), they have not yet passed any software or data laws that have an economy-wide impact.
Round 3 goes to the European Union!
The Winners Podium
Considering the differences between each region’s approach to security and the results we see from the Veracode Platform, our research brings us a few conclusions. First, the European Union is currently producing safer software and applications than the US. This is because the security model in place in the European Union provides a mandatory set of regulations to follow for development and deployment as well as a method for enforcement, whereas in the US it is up to individual companies and consumers to require that certain security practices be followed.
And this brings me back to where I began. By our score, the European Union would win this contest two rounds to one. If Programming actually became an Olympic event, who do you think would win? Could the United States prevail if both sides had to follow the same set of rules or would the EU still win gold?
Would you like to see Programming included in the Olympics? Sign the petition.
1. Tarzey, Bob, Clive Longbottom, and Quocirca. Outsourcing the Problem of Software Security. Veracode. N.p., Feb. 2012. Web. 24 Apr. 2012. http://info.veracode.com/Quocirca_Outsourcing_Software_security.html
2. European Union. European Commission. Article 29 Working Party. Europa. N.p., 2 Mar. 2012. Web. 3 May 2012. http://ec.europa.eu/justice/data-protection/article-29/index_en.htm
3. European Union. European Commission. EUR-Lex – 31995L0046 – EN. Europa. N.p., n.d. Web. 3 May 2012. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT
4. European Union. European Commission. Protection of Personal Data in the European Union. Brussels, 2010. PDF file.