86% of developers do not see application security as a top priority
The developer-driven global security leader has released the results of his 2022 annual survey ‘The State of Developer-Driven Security’, which found that developers’ actions and attitudes toward software security are at odds. While many developers acknowledge the importance of implementing a security – based approach in the software development lifecycle, 86% do not see application security as a top priority when writing code.
The research found that more than half of the 1200 developers surveyed are unable to ensure that their code is protected from seven common vulnerabilities. This is another contributing factor – only 29% of developers believe that active practice in vulnerability – free code writing should be prioritized.
While developers and organizations recognize that threats and vulnerabilities in key applications may be mitigated earlier in the development process, they continue to take proactive measures to address the flaws. This survey to assess how developers can take more proactive steps and be empowered to adopt secure and effective coding practices.
Developers continue to face competing priorities and focus on the myriad of management barriers that prevent them from creating secure code earlier in the software development lifecycle. These were mainly due to time constraints in meeting deadlines (24%), or the lack of training or guidance for developers on how to implement secure coding from their managers (20%).
Training continues to have a major impact on the developers’ secure coding implementation with 81% using the knowledge gained from the training on a daily basis. However, while many developers are using training mechanisms on a daily basis, the research found that 67% are still knowingly launching vulnerabilities in their code. The results indicate that more diverse training experiences are needed now than ever before. One in four developers want more self-paced multimedia-led training and one in five believe that the training would be greatly enhanced if industry certification resulted.
“Developers want to do the right thing, and while they are starting to care more about security, their work environment does not always make it easy for them to make it a priority. The tools available to them – and the methods they use – often result in ‘going through,’ rather than actively reducing risk, and their priorities remain aligned with the security team, ”said Pieter Danhieux, Co – Founder and CEO, Secure Code Fame.
“While organizations encourage secure coding practices, developers do not know how they are defined in their day-to-day work, and what is expected of them. To achieve a higher code quality standard, organizations need to formalize secure coding standards as they relate to developers and lead behavior change that reinforces good coding patterns and enables speed security. ”
The additional results of the annual survey show the continuing hardships faced by developers in their secure coding journey:
36% cite meeting deadlines as a key reason why their coding remains fragile
33% do not know what makes their code vulnerable
30% feel that their in-house security training could be improved if they had more practical training with real-world scenarios and outcomes
30% say that the biggest concern with secure coding implementation and practice is dealing with the vulnerabilities introduced by collaborators.
Survey Methodology: The 2022 ‘Developer – Committed Security Situation’ survey is based on responses from 1,200 developers in Asia – Pacific, Europe and North America. The survey was conducted in December 2021.