Interviews

Defining secure coding for developers

by Mark Rowe

Only 14 per cent of developers consider security a priority when it comes to coding, according to Secure Code Warrior’s The State of Developer-Driven Security 2022 report. It’s a shockingly low figure and a reflection of the significant room for improvement when it comes to security considerations in a developer’s coding strategy, says Peter Danhieux, CEO and Co-Founder, Secure Code Warrior. Feature-building typically takes priority among development teams.

When considering developers’ opinions and perceptions of secure code, it’s perhaps little surprise that security is far down the list of priorities. Less than half (49pc) of all respondents in the survey said that it was an essential goal to set, while 29pc said it was nice to have, but not essential. Over one in ten (15pc) viewed it as another item to check off the to-do list.

This mindset is reflective of how the developer experience is typically not based on putting security first, or considering it a measure of software quality. Sixty-seven per cent of developers state that they still ship code with vulnerabilities, revealing the scale of the issue. To change the status quo, it’s important to define who is responsible for secure coding and the modern expectations of the security-skilled developer.

Clarifying for developers

Code-level vulnerabilities are, in many cases, introduced by developers who use poor coding patterns. Modern software creation also sees many developers reusing existing code, whether copied snippets or third-party libraries, which may carry vulnerabilities of its own, rather than writing secure code from scratch. Combined with the fact that writing secure code frequently falls outside developers' KPIs, this puts security firmly on the back-burner. A recent prominent example of a vulnerability inherited through reused code was Log4Shell (CVE-2021-44228), a remote code execution flaw in the widely used Log4j open source logging library. Log4j is embedded in a great deal of software used around the world, including services such as Apple iCloud and Amazon Web Services, plus software development and security tools.

The first step in clarifying security for developers is improving awareness and filling knowledge gaps, so that the development team knows what secure coding means for the business. In practice this means testing and scanning the code developers are already approved to reuse, including third-party dependencies, while also placing a focus on training in the frameworks and languages actually in use. While almost nine in ten (89pc) respondents stated in the survey that they have received sufficient training in secure coding skills, this was not the case when it came to training in specific security frameworks.
Half (50pc) of respondents said that developers require significant training in security frameworks, with ISO/IEC 27034:2011, the CIS Security Framework and PCI DSS identified among the top areas where better training could be delivered. Ninety-two per cent of respondents also admitted that their teams required more training in security. This is just one step in bringing developers into the security journey of the business.
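To make the "testing and scanning" step concrete, the following is an added example and not code from the page or from Secure Code Warrior: a small Python dependency audit that a CI pipeline could run against a pinned requirements file, failing the build when a reused package falls inside a known-vulnerable version range. The package names, versions and DEMO-ADV identifiers are constructed for illustration; a real pipeline would take the advisory table from a maintained source such as the OSV database rather than a hard-coded list.

```python
"""Dependency audit step for a CI pipeline: flag pinned third-party packages
whose version falls inside a known-vulnerable range, and fail the build if any do.
Added illustration, not Secure Code Warrior's tooling; the package names,
versions and advisory identifiers below are constructed for the example."""
from dataclasses import dataclass
import re
import sys


@dataclass(frozen=True)
class Advisory:
    package: str
    vulnerable_from: str  # first affected release (inclusive)
    fixed_in: str         # first patched release (exclusive upper bound)
    advisory_id: str      # constructed identifier, not a real CVE


# Constructed sample data standing in for an advisory feed and a project lockfile.
SAMPLE_ADVISORIES = [
    Advisory("demo-http-client", "2.0.0", "2.4.1", "DEMO-ADV-0001"),
    Advisory("demo-yaml", "0.1.0", "1.0.0", "DEMO-ADV-0002"),
]

SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
demo-http-client==2.3.0   # inside the vulnerable range
demo-yaml==1.2.0          # already patched
Demo-Template==4.0.1      # no advisory at all
"""

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically, not as
    strings (string comparison would wrongly rank '2.9' above '2.10')."""
    if not _VERSION_RE.match(text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Return {normalised-name: version} for exact '==' pins.

    Anything that is not an exact pin is rejected: an unpinned dependency cannot
    be audited because the version that ships is decided at install time."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"requirement is not pinned: {line!r}")
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def audit(pins, advisories):
    """Return (package, pinned_version, advisory_id, fixed_in) for every pin that
    falls within an advisory's [vulnerable_from, fixed_in) range."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv.package.lower())
        if pinned is None:
            continue
        v = parse_version(pinned)
        if parse_version(adv.vulnerable_from) <= v < parse_version(adv.fixed_in):
            findings.append((adv.package, pinned, adv.advisory_id, adv.fixed_in))
    return findings


def run_audit(requirements_text=SAMPLE_REQUIREMENTS, advisories=SAMPLE_ADVISORIES):
    """Audit a requirements file and return the findings; the CI step exits
    non-zero when the list is non-empty."""
    return audit(parse_requirements(requirements_text), advisories)


if __name__ == "__main__":
    findings = run_audit()
    for package, pinned, advisory_id, fixed_in in findings:
        print(f"{package}=={pinned}: {advisory_id}, upgrade to >= {fixed_in}")
    sys.exit(1 if findings else 0)
```

Run as a pipeline step, the script exits 1 on the constructed input because `demo-http-client==2.3.0` sits inside the advisory's range, so the build stops before the vulnerable dependency ships; unpinned requirements are rejected outright, since a floating version cannot be audited in advance.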

Siloed practices

Alongside effective training is the need to bring developers together. Siloed practices are common in the area of development, with each developer usually dedicated to one category, without visibility of the wider fundamentals. Almost a third of respondents (32 per cent) in the survey said that a senior development team member is usually assigned to fix security tickets, while under a quarter (24pc) said that it was the responsibility of everyone in the team. Leaders need to place focus on developer collaboration to encourage knowledge sharing and best practices.

Collaboration is also key to encouraging everyone in the business to take responsibility for security, which matters all the more as cybersecurity threats grow alongside organisations' adoption of software-driven technology. Legacy processes that lack a shared approach typically end up bolting developers onto an established security strategy, rather than making them part of the process from the beginning.

Senior security professionals need to take the lead and bring developers into an uplifted strategy: becoming familiar with their requirements, providing effective training, and building security into their tech stack and workflow. A DevSecOps approach, for example, puts security at the forefront by placing it at the beginning of the software development lifecycle, without sacrificing speed.

Moving up the priority list

Ultimately, developers are not receiving the frequent and adequate training that would allow them to incorporate security measures into their coding, and exposure to security best practice remains low among most of them. With 48pc of respondents believing that they leave vulnerabilities in code, another key issue is ensuring that security becomes a priority for developers. Leaders need to help developers build their confidence and practical skills, which will make clear to them the risks that come with signing off on vulnerable code. An overall cultural shift will be required to put developer-driven security at the forefront.

© 2024 Professional Security Magazine. All rights reserved.