SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Secure Code Warrior survey highlights attitudes towards coding security
Thu, 7th Apr 2022

According to a new survey from Secure Code Warrior, only 29% of developers believe that writing vulnerability-free code should be prioritised.

The company's State of Developer-Driven Security 2022 survey collected information from 1,200 developers in Asia-Pacific, Europe, and North America, and found that developers' actions and attitudes toward software security are conflicting in the current climate.

The survey found that while many developers acknowledge the importance of applying a security-led approach in the software development lifecycle, 86% do not view application security as a top priority when writing code.

This may be linked in part to the finding that more than half of the 1,200 developers surveyed were unable to ensure that their code was protected from seven common vulnerabilities.

Secure Code Warrior undertook the survey to help determine ways that developers can take proactive steps towards secure coding in order to prevent common attacks at the source.

They say developers continue to face competing priorities and cite numerous management-related barriers that are preventing them from creating secure code earlier in the development process. The most common barriers were found to be time constraints to meet deadlines (24%) and developers not having enough training or guidance from their managers on how to implement secure coding (20%).

A large percentage of the surveyed developers are, however, utilising training: 81% of respondents said they used the knowledge learned from training on a near-daily basis, but unfortunately, 67% are still knowingly shipping vulnerabilities in their code.

A demand for different training experiences was also found, with one out of four developers wanting more training guided by self-paced multimedia, and one out of five believing training would be perceived as greatly improved if an industry certification was an outcome.

Secure Code Warrior co-founder and CEO Pieter Danhieux says there is a shift in the developer community, who are becoming more safety conscious, but working environments and processes often prevent them from reaching their full security potential.

"Developers want to do the right thing, and while they are starting to care more about security, their working environment doesn't always make it easy for them to make it a priority," he says.

"Often, the tools at their disposal - and methods they are deploying - result in getting by, rather than actively reducing risk, and their priorities remain misaligned with the security team."

He says behavioural change for good coding patterns will help organisations reach their full potential and create better security outcomes.

"While organisations encourage secure coding practices, developers are unclear on how they are defined in their day-to-day work, and what is expected of them.

"To reach a higher standard of code quality, organisations must formalise secure coding standards as they apply to developers, and guide a change in behaviour that reinforces good coding patterns and enables security at speed."