Research released on Tuesday by Secure Code Warrior found that just 14% of developers surveyed listed application security as a top priority. Rather than focus on security, developers prioritized more traditional metrics, such as application performance and the software's features and functionality.
The new research found that security had such a low priority that 67% of developers admitted that they routinely left known vulnerabilities and exploits in their code. The developers said they did that either because of tight deadlines, prioritizing functionality over security, or because they simply did not have the required training or knowledge on how to fix security issues.
Challenges of flawed code have received more attention in recent years, particularly as cloud computing opens up more opportunities for developers to push out updates and functionality more quickly.
While much of the top-level news was negative, there are some silver linings: some 66% of developers expected security to become more of a priority over the next 12 to 18 months, and 82% of hiring managers expressed an interest in hiring developers who knew security over those who did not.
Stephen Gates, security evangelist at Checkmarx, said his company’s research from fall 2021 had similar findings: that organizations surveyed had, on average, been breached at least twice in the 12 months leading up to the survey as a direct result of a vulnerable application.
“Developers know that they need more security training, but they’re constantly pressured to shorten time-to-delivery,” Gates said. “Until application security can be made more seamless, unless it includes open-source testing, and until those testing capabilities are brought directly into the familiar processes and IDEs where developers are most comfortable, the security risks of their organizations will continue to escalate.”
Casey Bisson, head of product and developer relations at BluBracket, added that it just makes sense that an overwhelming majority of developers would identify correctness of code and customer-business value as top priorities versus security. However, Bisson said that doesn't mean developers don't care about security.
“Developers are responsible for finding a path between technical constraints to meet business goals, and they know the perfect or most secure solution is worthless if it doesn’t solve a customer's problem,” Bisson said. “That said, when security is viewed as an impediment to progress, developers will find workarounds, and security will suffer. This data shows how important it is to give developers early, often, and automated feedback throughout the SDLC workflow on the security of their apps.”