A research from Secure Code Warrior has revealed an attitudinal shift in the software development industry, with organizations bucking traditional practices for DevOps and Secure DevOps.
The global survey of professional developers and their managers found 70% of organizations recognize the importance of secure coding practices, with results indicating an industry-wide shift from reaction to prevention is underway.
Dr. Matias Madou, CTO at Secure Code Warrior, said, “We are seeing a fundamental shift in mindsets across the world, as the industry slowly moves from reactive, band-aid solutions rolled out after a breach, to the proactive and human-led practice of writing quality software that is intrinsically free from vulnerabilities right from the very first keystroke.”
“This research shows that ‘secure code’ is becoming synonymous with ‘quality code’ within software development, and security is becoming the responsibility of development teams and leaders—not just AppSec professionals,” he said.
Secure coding practices
Reactive practices like using tools on deployed applications and manually reviewing code for vulnerabilities were the top two practices respondents associated with coding securely.
However, a proactive shift in mindset was evidenced across the globe, with 55% of the developers surveyed also recognising secure coding as the active, ongoing practice of writing software protected from vulnerabilities.
Managers and developers are misaligned
55% of managers surveyed said secure coding was practised and integrated throughout the entire development process, compared to only 43% of developers.
Conversely, 36% of developers consider secure coding during development but not the design phase, as opposed to 32% of managers.
Secure code an increasing indicator of success
While those surveyed identified ‘application performance’ and ‘functionality and features’ as the most common success metrics within software development (67% and 62% respectively), 79% of respondents said the importance of ‘secure code’ was growing in prominence.
Application security is shifting
46% of respondents said development leads and teams should be responsible for application security rather than AppSec teams (24%).
81% of developers surveyed said they were accountable for any vulnerable code produced.
Developers motivated to upskill
‘Increased productivity and efficiency’, ‘curiosity’ and ‘avoiding problems caused by insecure code’ were identified as the leading intrinsic motivators to learn secure coding (20%, 14% and 11% respectively).
Despite only 10% of respondents listing career advancement as a personal motivator, 81% of managers were more likely to hire talent with secure coding skills.
More training is needed
91% of managers surveyed said they faced greater than average difficulty when implementing secure coding practices within their organization, despite 97% of respondents believing they were sufficiently trained. Perhaps, this is because 88% of developers surveyed said coding securely was challenging.
Madou added, “With OWASP’s Top 10 software vulnerabilities causing more security breaches over the past two decades than any others, now is the time for businesses to upskill developers to gain the knowledge and skills needed to stamp out insecure code and prevent issues from occurring in the first place.”