Ask a typical software developer to name their top priority when writing code, and the answer will likely be “create new features.”
Because developers strive to produce code that meets a need and adds real business value, they tend to focus on creating as much functionality as possible. They want their code to be both efficient and elegant.
Security, unfortunately, gets a lower priority. Many developers don’t see it as an area of focus and feel it’s the responsibility of others.
The problem was highlighted in a recent report by Evans Data, which examined the attitudes of 1,200 active developers. The survey found that only 14% of the group consider security a priority when coding.
While the result is alarming, it confirms that security is not on the radar for most developers. They fail to see that they have a role to play in addressing common vulnerabilities and issues.
Raising awareness of secure encryption
The report highlights the importance of raising awareness of secure encryption among the developer community. This is vital in a world where the cyber threat landscape is rapidly evolving, and organizations face new potential attacks daily.
Cybersecurity is a versatile, unruly beast at the best of times. While secure encryption represents only part of the overall landscape, it is a complex part of a system that requires specialist attention.
The study also found that the concept of working with secure code is something that the average developer finds rather stale. They tend to narrow their scope to a single category rather than take a more holistic view of the challenge. Many developers also indicated that they rely on using existing or pre-approved code rather than writing new code free of vulnerabilities.
Code-level vulnerabilities are usually introduced by developers who have learned poor coding patterns, which is unsurprising given the general lack of emphasis on writing secure code in their KPIs. This culture is not the developers’ fault, as they are not equipped to address long-standing security vulnerabilities in code.
Security leaders can go a long way in addressing this situation by ensuring that the development cohort has a complete picture of secure encryption. Testing and scanning pre-approved code is one function. Still, mitigating vulnerabilities requires hands-on training in good, fast coding patterns in the languages and frameworks in active use.
The Rise of DevSecOps
The concept of a DevSecOps methodology means that security is central to the software development process. It’s based on the idea that everyone is responsible for security, and that it is an important consideration from the beginning of the software development lifecycle.
The problem, however, is that DevSecOps is far from becoming a standard in many organizations. In 2017, a survey by the Project Management Institute showed that 51% of organizations still use Waterfall for their software development.
That study is now five years old; however, recognizing how gradual change can take place within large enterprises, it is unlikely that there has been a sharp transition to the latest security-focused approaches.
Outdated processes like waterfall development can present an uphill battle for security professionals trying to cover all bases with a comprehensive strategy to protect against cyber threats. Fitting developers and their needs into this landscape afterward is a challenge.
However, this should not be used as an excuse for doing nothing. Development managers should organize comprehensive security training for their developers so that they can fully understand the challenge. They are better positioned to integrate security into their common technical stacks and workflows.
Lifting security out of the ‘too hard’ basket
The Evans Data report highlighted that 86% of developers consider coding securely challenging. At the same time, 92% of developer managers admit that their teams need more training in security frameworks. A major concern was that 48% of respondents admitted to knowingly leaving vulnerabilities in their code.
The picture painted by these results is very worrying. It shows that many developers do not receive adequate security training or are insufficiently exposed to good security practices. The bottom line is that it’s just not a priority for developers to consider security in their work.
This is a situation that urgently needs to be addressed. With the number of cyber threats increasing daily, all developers need to understand their critical role in preventing attacks.
Senior leaders must take the necessary steps today to create a security-first culture within their developer teams. By encouraging them to use a DevSecOps approach, vulnerabilities can be removed from code before it is introduced into the IT infrastructure.