Developers are increasingly prioritizing secure coding

Software companies and development teams have a long way to go before secure coding becomes part of their culture, but there are signs that both programmers and their companies are taking security more seriously.

While only 14% of developers see application security as their top priority when programming, two-thirds believe application security will become more important in the next 12-18 months, according to a survey of 1,200 software developers conducted by the security training company Secure Code Warrior and the market intelligence firm Evans Data Corp. Code quality, application performance, and resolving real-world problems are the top three priorities, cited by more than half of developers (56%), according to the survey.

Companies are making progress in embedding secure coding into their development culture, but still face significant challenges, says Pieter Danhieux, CEO and co-founder of Secure Code Warrior.

“The results are encouraging, as developers actively expect software security to become a higher priority,” he says. “However, there is a chasm that needs to be bridged. We know that old habits are hard to break, and organizations must take responsibility for creating environments that foster better code quality and security.”

Secure Code Warrior's survey on the state of developer-driven security in 2022 aligns with previous studies on developer attitudes toward application security. A 2020 survey of open source contributors, for example, found that most programmers wanted to code new features, improve tools, and work on new ideas, while security ranked last in terms of priority.

This latest survey highlighted that incorporating security into the development pipeline remains a challenge. About half of developers (48%) knowingly submit code with vulnerabilities, while another 19% believe that some of their projects have known vulnerabilities.

Developers pointed to a variety of competing forces to explain the lack of focus on security. A quarter of developers (24%), for example, said they did not have enough time to integrate secure coding at the beginning of a project, while 19% felt their company did not have a consistent plan for implementing secure coding.

“The one thing all of these efforts have in common is a growing trust in the developer community to help drive these much-needed changes,” the survey report stated. “From a developer’s point of view, these security moves are more about ‘starting on the left’ rather than moving towards it, as the ultimate responsibility for starting the process correctly should start with them.”

Better security, less reprocessing
Developers understand that better application security helps teams be more productive in the long run. More than half of respondents see secure coding as a way to eliminate vulnerabilities (53%) and bugs (52%), which in turn eliminates future rework.

Additionally, 41% of developers placed functionality and security on an equal footing in their projects, with half (49%) seeing secure coding as an essential goal.

“Developers want to do a good job,” says Danhieux. “They’re not deliberately looking to create poor coding patterns or introduce security risks, but to avoid that, they need to be shown the right way, with training that makes sense, and actually given time to do it.”

However, application security training still falls short. Thirty percent of developers would like to see training focus on more real-world examples that are relevant to their work, while a quarter of developers (26%) want interactive training.

Vulnerability Fatalism
The survey also found that many companies lacked a definition of what constitutes secure software or secure coding. The majority of companies (61%) used components and libraries that had been approved because they are believed to be secure, while nearly as many actively run analysis tools such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

However, there is almost a sense of fatalism that developers will never catch every vulnerability, and it remains to be seen whether companies will continue to push themselves to proactively protect code or merely react to the latest vulnerabilities, says Danhieux.

“If insecure code is considered an acceptable business risk, then there needs to be a review of the security program to realign it with the modern threat landscape, not to mention customer expectations and increasingly powerful regulatory and compliance measures in cybersecurity,” he says.
