Knowledge vs. Behavior: Why Poor Coding Patterns Persist
Here’s a serious question: Have you ever done something you knew was bad for you? Perhaps you ordered yourself a delicious hamburger for dinner, knowing without a doubt that it was not going to align with your dietary goals, nor help you consume all those nutritious vegetables wilting in your fridge. Or maybe you shunned the gym for a quick gaming session, that soon spiraled into an all-nighter powered by way too much energy drink.
We all do things that are not the healthiest option sometimes, even when we have the knowledge to thread a more divine path. But how does this relate to software development?
According to new research in collaboration with Evans Data, it was revealed that 48% of developers knowingly leave vulnerabilities in their code. The State of Developer-Driven Security 2022 survey delves into the key insights and experiences of 1,200 active developers, illuminating their attitudes and challenges in the security realm. It’s clear that in terms of learned – not to mention reinforced – behaviors in code creation, we could be making much healthier security choices.
Security is a Low Priority for Development Teams
One of the headline findings in the survey was that just 14% of developers consider security a priority when coding. We already know that feature-building is king in the developer’s world, and across the board, they remain ill-equipped to make security part of their DNA. We need to demystify security in the developer’s world.
Cybersecurity is convoluted at the best of times, and while secure coding represents just one part of the overall landscape, it’s a complex cog in the system that requires specialist attention.
The survey revealed that the concept of working with secure code was often siloed for the average developer, with their focus limited to a single category as opposed to a holistic view of the fundamentals and beyond. Developers indicated a reliance on using existing, or pre-approved, code, rather than practice writing new code from scratch that is free from vulnerabilities. While security awareness regarding third-party components is paramount, so is testing existing code; these alone do not make a well-rounded, security-skilled developer.
Code-level vulnerabilities are often introduced by developers who have learned poor coding patterns with a lack of emphasis on writing secure code in their KPIs, which only reinforces this as an acceptable standard.
Security leaders can go a long way in improving initial awareness and identifying areas of the most pressing knowledge gaps, by first ensuring that the development cohort is shown the complete picture of what secure coding entails, as well as how to tackle a range of common issues and pitfalls. The reduction of vulnerabilities requires hands-on training in good, safe, coding patterns, in the languages and frameworks that are actively in use.
Context is vital in developer security upskilling, and devs need to be brought along on the journey when it comes to the security goals of the business.
The Effort of Enforcing Secure Coding
The Evans Data research revealed that a staggering 86% of developers find it challenging to practice secure coding, with 92% of developer managers also conceding that their teams need more training in security frameworks. As noted earlier, 48% of respondents admitted that they knowingly leave vulnerabilities in their code.
This paints a very concerning picture. It appears that, generally, developers are not getting frequent, adequate training, nor are they getting enough exposure to good security practices and hygiene.
Reading between the lines, it reinforces the crux of the issue: it’s simply not a priority for developers to consider security in their work, and shipping features at speed remains priority numero uno. Additionally, the training they receive does not build confidence or practical skills, nor does it help them understand the impact of their decision to ship vulnerable code.
If developers knew what was truly at stake when they chose to ship vulnerable code, they would quickly see there’s no scenario where it would be an acceptable business risk. With the average cost of a data breach coming in at USD $4.35 million, it’s imperative that we spend time and money on developer security upskilling now to avoid potential disaster later.
It will take a sizable culture shift to uplift developer-driven security, and it starts with educational pathways that move both engineers and the security team to greater clarity. With the continuous improvement of standards and skills relating to security, we can make healthier security habits for developers the new standard.
GitKraken Client helps teams systemize workflow processes so you can ensure security best practices for developers on your team, regardless of their experience level.