The impact of COVID-19 has accelerated worldwide demand for increasing the provision of digital services, and in this digitized landscape, security is key. But digital transformation initiatives, combined with a hybrid workforce, have expanded attack surfaces and increased the chances of a breach. Additionally, the criticality of applications, together with the data they handle, makes them a prime target for disruption, infiltration, and exploitation. Today, cybercriminals are deploying persistent, sophisticated attacks through multiple vectors in a bid to weaponize and exploit software vulnerabilities. Therefore, the need to deliver secure code is now more important than ever.
That said, no developer sets out to write potentially vulnerable code. There are myriad reasons why coding errors happen, and – under constant pressure to deliver applications faster – developers work in an environment of unrelenting rapid development and release frequency. Developers are only human and susceptible to making mistakes – especially when under pressure. They need education and tools that empower them to ensure optimum code security and avoid delivering more opportunities into the hands of malicious actors.
Software development is a complex and fast-evolving environment, and to understand the challenges developers face, Checkmarx commissioned its 2021 DevOps Secure Coding Education Survey.
Conducted by Checkmarx and the online news source Cyber Security Hub between April and July 2021, the survey interviewed more than 800 developers across the globe to understand their thoughts and views on security education techniques being used both now and in the future.
The good news is that 70 percent of global developers know that secure coding education is an absolute necessity and an additional 26 percent say that it is a “nice-to-have.”
Developers lack confidence in code security
Ultimately, global developers see countless potential benefits from more secure coding education, but often they believe their organization doesn’t prioritize this effort. Despite 97 percent of surveyed respondents saying that secure coding education is either an “absolute necessity” or “nice-to-have,” 72 percent of respondents felt that the secure coding education they currently receive is less than adequate.
Only 25 percent of respondents said that the secure coding education they receive is sufficient. As a result, fewer than 30 percent of global developers are confident that the code they develop and deliver is secure.
Previously, in an on-premises environment, infrastructure, applications, and workload security were the domain of the operations and security teams. Now, as organizations move to modern application development and cloud-native environments, security becomes more of a shared responsibility with many different stakeholders. To this point, the survey found that 81 percent of global developers view secure code as a shared responsibility between developers, the security team, and the overall organization.
Likewise, they are keen to receive more training and see many benefits from both an organizational and a personal perspective. In terms of their preference in how this training is delivered, nearly two-thirds of global developers want interactive or video-based secure coding education. However, no matter the method, developers see many personal and organizational benefits from the right training.
The benefits to both the organization and the individual are well understood. 42 percent of survey respondents say that with better secure coding education, they would code more securely. 24 percent say they would save time for both themselves and the organization. 22 percent say they could develop even more code. And nearly 10 percent say they would save the organization money, deliver cost efficiencies, and need fewer resources.
Finally, 3 percent responded that they would remain working at the organization for longer.