Ask a typical software developer to name their top priority when writing code, and the answer is likely to be ‘creating new features'.
Striving to produce code that fulfils a need and adds real business value, developers tend to focus on creating as much functionality as possible. They want their code to be both efficient and elegant.
What is less of a priority, unfortunately, is security. Many developers simply don't see this as an area of focus and believe it to be the responsibility of others.
The issue was highlighted in a recent report compiled by Evans Data, which explored the attitudes of 1,200 active developers. It found that just 14% of the group consider security a priority when coding.
While the result is alarming, it confirms that security is simply not on the radar screen for most developers. They don't see that they have a role to play when it comes to tackling common vulnerabilities or issues.
Raising awareness of secure coding
The report emphasises the importance of increasing awareness of secure coding among the developer community. This is vital in a world where the cyberthreat landscape is rapidly evolving, and organisations face new potential attacks every day.
Cybersecurity is a multi-faceted, unwieldy beast at the best of times. While secure coding represents just one part of the overall landscape, it is a complex piece of a system that requires specialist attention.
The survey also revealed that the concept of working with secure code is something that is quite siloed for the average developer. They tend to limit their scope to a single category instead of having a more holistic view of the entire challenge. Many developers also indicated a reliance on using existing or pre-approved code rather than writing new code free from vulnerabilities.
Code-level vulnerabilities are typically introduced by developers who have learned poor coding patterns, which is unsurprising, given the general lack of emphasis on writing secure code in their KPIs. This culture is not the fault of the developers as they are not equipped to deal with long-standing security issues in code.
Security leaders can go a long way to addressing this situation by first ensuring that the development cohort is shown the complete picture of what secure coding entails. Testing and scanning pre-approved code is one function. Still, the reduction of vulnerabilities requires hands-on training in good, safe, coding patterns in the languages and frameworks that are actively in use.
The rise of DevSecOps
The concept of a DevSecOps methodology involves putting security at the very heart of the software development process. It is built on the idea that everyone shares responsibility for security, and it's a chief consideration from the very beginning of the software development lifecycle.
The problem, however, is that within many organisations, DevSecOps is a long way from becoming a standard. Back in 2017, a study by the Project Management Institute showed that 51% of organisations were still using Waterfall for their software development.
That study is now five years old; however, recognising how gradual changes can be within large enterprises, it's unlikely that there has been a sharp transition to the latest security-oriented methodologies.
Legacy processes such as waterfall development can create an uphill battle for security professionals trying to cover all bases with a comprehensive strategy to protect against cyberthreats. Retrofitting developers and their needs into this landscape is a challenge.
However, this should not be used as an excuse for doing nothing. Development managers need to arrange comprehensive security training for their developers so they can fully understand the challenge. They will then be better positioned to integrate security into their overall tech stacks and workflows.
Lifting security out of the ‘too hard' basket
The Evans Data report highlighted the fact that an alarming 86% of developers consider it to be a challenge to practice secure coding. At the same time, 92% of developer managers also concede that their teams needed more training in security frameworks. Of great concern was the fact that 48% of respondents admitted that they knowingly leave vulnerabilities in their code.
The picture painted by these results is very concerning. It shows that many developers are not getting adequate security training or sufficient exposure to good security practices. The bottom line is that it is simply not a priority for developers to consider security in their work.
This is a situation that needs to be urgently addressed. With the number of cyber threats increasingly daily, all developers need to understand the crucial role they play in preventing attacks.
Senior leadership need to take the steps necessary today to create a security-first culture within their developer teams. By encouraging them to adopt a DevSecOps approach to their work, vulnerabilities can be removed from code before it is introduced into the overall IT infrastructure.
The result will be improved security for the entire organisation.