The recently released Secure Code Warrior State of Developer-Driven Security Survey revealed that developers continue to wrestle with secure coding practices in a working environment that has long prioritized features, functionality and speed at the expense of security.
Of the more than 1,200 developers who took part in the survey, only 14% named security as their top priority. Security was widely seen as a bottleneck: 67% of these developers said they routinely left known vulnerabilities in their code, and 48% said they had shipped products with known vulnerabilities.
These statistics raise eyebrows, but they are also unsurprising. In the survey, application security ranked behind writing quality code, application performance and the ability to solve real-world problems on the list of developers' priorities.
The results point to three recurring causes: security is ignored in favor of meeting demanding timelines, developers would rather spend their effort improving an application's performance, or they simply lack the training required to recognize and fix security problems. Whatever the reason, the problem is not going away on its own.
The Need to Balance Security in Development
As the survey showed, developers often approached secure coding in silos. Security controls were applied to a single category of weakness rather than grounded in a holistic view of the fundamentals. In many cases, developers reused existing or pre-approved code rather than writing new code that they had verified to be free of vulnerabilities. This assumes that the code being inserted already meets the required security standard, an assumption that often proves false, because reused code inherits whatever flaws it already carried.
Developers who write new code also find themselves inadvertently introducing vulnerabilities. This is not entirely the fault of those developers; much of the blame lies with an organizational culture that accepts the risk.
Software organizations themselves must put more onus on secure development. As the SolarWinds attack demonstrated, weaknesses in how software is built and shipped can lead to massive disruption for every downstream customer. While not all application vulnerabilities have the reach of SolarWinds, businesses routinely allow too much risk to pass through in their code; that risk is passed on to customers, and developers are made the scapegoats.
Provide Developers With the Right Skills
Security leaders must first ensure developers have the requisite skills to code securely and to improve existing code. That covers not just how code is written but also how it is reviewed and committed throughout the development process. Developers need hands-on training in secure coding patterns written in the languages and frameworks they actually use day to day.
Organizations can no longer overlook security and ship potentially exploitable software. Security must be introduced earlier in the development process and treated as a prerequisite for success. The survey showed that many developers believe secure coding is outside their realm of expertise: 86% said they found it challenging to practice secure coding, while 92% of developer managers said their teams needed more training in security frameworks.
This highlights that developers do not get the right kind of training, nor do they get enough exposure to security best practices. It also underscores that designing for security is not yet regarded as an essential skill for a developer to have.
Reasons for Optimism
While the survey highlighted a disturbing trend, it also offered reasons for hope. Attitudes are changing: 66% of developers expected security to become a more significant priority over the next 12 to 18 months. Hiring managers echoed this sentiment, with 82% expressing a preference for hiring developers who are knowledgeable in security over those who are not.
Businesses today have put themselves and their customers in a risky position, and organizational leaders must be the agents of change that mitigates this risk. They need to adopt a security-first mindset and empower their developers to integrate security into the development process, which means revising timelines to make room for it. If the current state of application security persists, it will only lead to more, and more severe, breaches. Now is the time to ensure DevOps teams and developers have better access to security training and more time to put those practices into action, to secure long-term success.