Training may help alleviate some of these issues, along with clearer directives by management.
While most would assume that developers are making cyber defenses a focal point, a new study has found that this may not be the case. According to Secure Code Warrior’s State of Developer-Driven Security 2022 survey, 86% of developers said they do not view application security as a top priority when writing code.
The survey of over 1,200 developers also found that more than half of the respondents said they are unable to guarantee their code is safe from common security vulnerabilities. In addition, only 29% of those surveyed said they believe that code writing free of vulnerabilities should be prioritized.
“Developers want to do the right thing, and while they are starting to care more about security, their working environment doesn’t always make it easy for them to make it a priority,” said Pieter Danhieux, co-founder and CEO of Secure Code Warrior. “Often, the tools at their disposal—and methods they are deploying—result in ‘getting by’, rather than actively reducing risk, and their priorities remain misaligned with the security team.”
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Prioritizing safety in coding
Despite the number of malware and ransomware attacks happening daily, many developers are not taking the necessary precautions to make sure their code will remain safe once it is put into action ahead of time. Many of those in the developer role are focusing on dealing with issues only after they arise, a point that needs to be more clearly communicated from businesses to their code writers, Danhieux says.
“While organizations encourage secure coding practices, developers are unclear on how they are defined in their day-to-day work, and what is expected of them,” he said. “To reach a higher standard of code quality, organizations must formalize secure coding standards as they apply to developers, and guide a change in behavior that reinforces good coding patterns and enables security at speed.”
The survey’s findings point to the ongoing hardships developers continue to face in their secure coding journey:
- 36% attribute the priority of meeting deadlines as reason their code still possesses vulnerabilities
- 33% don’t know what makes their code vulnerable
- 30% feel that their in-house security training could most be improved if it had more practical training with real-world scenarios and outcomes
- 30% say the biggest concern with the implementation and practice of secure coding is dealing with vulnerabilities introduced by co-workers
Training may be the fix for coding deficiencies
To help combat these problems, those at the executive level must do a better job of removing obstacles when developing code, according to the study. The time constraints being placed on those in these roles was cited as one major roadblock by 24% of respondents, while 20% said they need additional training and instruction on how to best implement secure coding from their managers.
Training still remains a driver for those in development positions, as 81% said they are still using the information taken from instruction on a daily basis. While this training is being employed regularly, 67% say there are still vulnerabilities within their code. This points to increased amounts of training in specific areas, such as code security, so that developers can ensure their code is safe. One-in-four developers say that they want more self-guided training and believe that industry certifications should be requisite for the position.
If developers are provided the training necessary to code while eliminating vulnerabilities, it can lead to organizations having fewer security breaches and help avoid the headaches associated with those cyberattacks in the future.