Software companies and development teams have a long way to go before secure coding becomes part of their culture, but there are signs that both programmers and their companies are taking security more seriously.
While only 14% of developers consider application security as their top priority when coding, two-thirds believe that application security will become more important in the next 12 to 18 months, according to a survey of 1,200 active software developers conducted by security training firm Secure Code Warrior and market intelligence firm Evans Data Corp. Code quality, application performance, and solving real-world problems are the three top priorities, accounting for more than half of developers (56%), the survey found.
Companies are showing progress in incorporating secure coding into their development culture but are still facing significant challenges, says Pieter Danhieux, CEO and co-founder of Secure Code Warrior.
"The results are encouraging, in that developers are actively expecting software security to become a higher priority," he says. "However, there is a chasm there that must be overcome. We know old habits are hard to break, and organizations need to take responsibility for creating environments that foster better code quality and security."
Secure Code Warrior's State of Developer-Driven Security 2022 survey aligns with previous studies of developers' attitudes toward application security. A 2020 survey of open source contributors, for example, found that most programmers wanted to code new features, improve tools, and work on new ideas, while security came in dead last in terms of priority.
This latest survey highlighted that incorporating security into the development pipeline is still challenging. About half of developers (48%) knowingly ship code with vulnerabilities, while another 19% believe that some of their projects have known vulnerabilities.
Developers pointed to a variety of competing forces to explain the lack of focus on security. A quarter of developers (24%), for example, did not have enough time to integrate secure coding at the start of a project, while 19% of developers felt the company did not have a cohesive plan for implementing secure coding.
"The one thing that all of these efforts have in common is an evolving reliance on the developer community to help drive these much-needed changes," the survey report stated. "From a developer's point of view, these security movements are more about 'starting left' rather than shifting towards it, since the ultimate responsibility to begin the process correctly should start with them."
Better Security, Less Rework
Developers understand that better application security does help teams be more productive in the long run. More than half of respondents see secure coding as a way of eliminating vulnerabilities (53%) and errors (52%), which in turn eliminates future rework.
In addition, 41% of developers placed functionality and security on equal footing in their projects, and half (49%) considered secure coding as an essential goal.
"Developers want to do a good job," Danhieux says. "They don't seek to deliberately create poor coding patterns or introduce security risks, but in order to avoid that, they need to be shown the correct way, with training that makes sense, and that they are actually given time to do."
Application security training, however, still falls short. Thirty percent of developers would like to see training focus on more real-world examples that are relevant to their work, while a quarter of developers (26%) want interactive training.
The survey also found that many companies lacked a definition of what makes up a secure program or constitutes secure coding. Most companies (61%) used components and libraries that have been approved because they are believed to be secure, while nearly as many actively run analysis tools, such as static application security testing (SAST) and dynamic application security testing (DAST).
Yet there is almost a sense of fatalism — that developers will never catch all vulnerabilities — and it remains to be seen if companies will continue to strive to proactively secure code or react to the latest vulnerabilities, says Danhieux.
"If insecure code is considered an acceptable business risk, then there needs to be an overhaul of the security program to realign it with the modern threat landscape, not to mention customer expectations and increasingly potent compliance and regulatory measures in cybersecurity," he says.