The State of Developer-Driven Security 2022 survey by Secure Code Warrior has found that developers’ actions and attitudes toward software security are in conflict.
While many developers acknowledge the importance of applying a security-led approach in the software development lifecycle, Secure Code analysts have found 86 per cent do not view application security as a top priority when writing code.
The research found that more than half of the 1,200 developers surveyed are unable to ensure that their code is protected from seven common vulnerabilities. This is a contributing factor to another major finding – that only 29 per cent of developers believe the active practice of writing code free of vulnerabilities should be prioritised.
According to Pieter Danhieux, co-founder and CEO at Secure Code Warrior, developers want to do the right thing, and while they are starting to care more about security, their working environment doesn’t always make it easy for them to make it a priority.
“Often, the tools at their disposal – and methods they are deploying – result in ‘getting by’, rather than actively reducing risk, and their priorities remain misaligned with the security team.
“While organisations encourage secure coding practices, developers are unclear on how they are defined in their day-to-day work, and what is expected of them.
“To reach a higher standard of code quality, organisations must formalise secure coding standards as they apply to developers and guide a change in behaviour that reinforces good coding patterns and enables security at speed,” Danhieux said.
Despite developers and organisations recognising that threats and vulnerabilities in key applications could have been mitigated earlier in the development process, they continue to take reactive steps to address the flaws. Secure Code Warrior pursued this survey to assess how developers can take more proactive steps and be empowered to embrace effective secure coding practices.
Developers continue to face competing priorities and point to numerous management-related barriers that are preventing them from creating secure code earlier in the software development lifecycle. These are primarily due to time constraints to meet deadlines (24 per cent), or developers not having enough training or guidance on how to implement secure coding from their managers (20 per cent).
Training remains a major influence over developers’ application of secure coding, as 81 per cent are utilising the knowledge gleaned from training on a near-daily basis. However, while many developers are applying that training daily, the research found that 67 per cent are still knowingly shipping vulnerabilities in their code. The findings show that different training experiences are needed now more than ever. One out of four developers wants more training guided by self-paced multimedia, and one out of five believes training would be perceived as greatly improved if an industry certification was an outcome.
The annual survey’s additional findings point to the ongoing hardships developers continue to face in their secure coding journey:
The State of Developer-Driven Security 2022 survey is based on responses from 1,200 developers in Asia-Pacific, Europe and North America.
The survey was fielded in December 2021.