Conflicting management priorities, increasing code complexity, labor shortages, and lack of training collide to keep developers from designing secure code.
As organizations move to a cloud–first approach, the challenges of cloud–native application development may be slowing development cycles. With that shift comes the need for greater security capabilities, according to an April survey by Tigera. In fact, most developers named security as the top challenge in cloud–native development cycles.
Developers are struggling to design security into their software as they face competing priorities, according to a recent study by Secure Code Warrior. Two–thirds of the participants admitted they routinely left known vulnerabilities and exploits in their code, and only 14% listed application security as a top priority.
That’s because, although they want to do the right thing, “their working environment doesn’t always make it easy for them to make it a priority,” said Secure Code Warrior co–founder and CEO Pieter Danhieux in a statement.
Possible reasons include increasing code complexity and developer labor shortages. Company culture and development methodology, as well as a lack of security skills, may also contribute.
As the Secure Code Warrior study says, “Many organizations are still employing traditional software development methodologies while navigating an ever–changing landscape of cybersecurity risks and demands.”
Yet security teams know that DevSecOps, or at minimum DevOps, approaches that emphasize security considerations at the beginning of software development are crucial. Done correctly, developers skilled in security can “improve productivity by reducing vulnerabilities that create rework, maintain software release velocity, and ensure quality code without compromising innovation,” according to Secure Code Warrior.
Although 41% of developers said functionality and security were equally important in their organization overall, they also said new features and functionality, application performance, and meeting deadlines outweigh security as management’s top priorities.
“Our study shows that developers are actually focused a lot on rework and not necessarily on new features, or on creating new features in a secure way,” Matias Madou, Secure Code Warrior’s CTO, told EE Times. “Their end–customers require new features and assume that quality is a given. So developers are focused on making products better, faster, slicker, and not on security as a top priority.”
Shifting secure code left isn’t easy
The top three barriers that prevent integrating secure code earlier in the development cycle — shifting left — are lack of time, planning, and prioritization.
Lack of time may be directly related to the labor shortage. “There will never be enough people for security,” Madou said. “For software security, the only way to break out of that pattern is to make sure developers are part of the security story.”
Both developers and security teams get their priorities and direction from management, Jon Jarboe, Cycode’s director of product marketing, told EE Times.
“One thing this report exposes is that they’re often not aligned: the security team’s priorities can be at odds with the development team’s priorities. So developers may be forced to choose between development goals and security.”
Nearly two–thirds of respondents said it’s difficult to write secure code free from vulnerabilities. Tools and training were cited most often as top security needs throughout the development lifecycle.
But security tools are more often designed for security teams than for developers, so they can be more disruptive than helpful, Jarboe said. “Those security tools also have to be designed for developers. Most security companies are probably addressing this now, but their progress or success in doing so varies.”
Where tools are used in the development process matters, too. Running testing tools just before product release won’t allow enough time to fix all the problems. How security tools are used and where they’re used in development must change, Jarboe explained.
The report also notes that developers say their companies rely on existing or pre–approved secure code and tooling, which can only address known vulnerabilities, instead of using the needed skills to write new, vulnerability–free code.
Code, development environments getting more complex
The increasing complexity of both code and development environments is definitely an issue, Madou said.
“If you ask what developers work on, it’s about quality of code and making things simpler,” he said. “The top priorities they listed when writing code are code quality and technical debt reduction, with the same number saying their top priority is application performance.”
Increasing environment complexity is due in part to developers continuing to work in both old and new languages and environments. Secure Code Warrior, for example, provides training in 60 different languages and frameworks.
“Software complexity has definitely been growing with the shift to cloud–native, as applications have been moving toward microservices,” Jarboe said. “These are now being developed by different teams which have to communicate with each other and with the security team, which can be hard and increases complexity within the company.”
All this places stress on the company culture. “So to be successful the culture of the organization must change the way things have always been done,” Jarboe said.
Yet these changes are especially difficult now because of all the parallel transformations developers have had to cope with, including the DevOps and agile movements, as well as the pandemic.
One thing that can help is an automated safety net, or guardrails. “Without [these], developers can’t always fix the problem at the velocity they need to meet deadlines,” Jarboe said. “But if you have automated testing that tells you when your code is broken, you can focus on fixing things rather than worrying about breaking things.”
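Jarboe's "automated safety net" and the earlier point about running security tools too late in the cycle describe the same mechanism: a check that runs on every change and fails the change before it ships, so the developer fixes the problem while the code is still fresh. The following is an added example, not code from the article or from Cycode or Secure Code Warrior, of such a guardrail in Python: it scans source text for a handful of risky patterns and returns a non-zero exit status for a CI job or pre-commit hook to act on. The rule set, the `Finding` type, the `guardrail` function and the `SAMPLE` input are all constructed for illustration.

```python
"""Automated security guardrail for a CI job or pre-commit hook.

Added example, not code from the article, Secure Code Warrior or Cycode.
It scans Python source text for a few well-known risky patterns and fails
the build when any are present. The rule set and the sample input below are
constructed for illustration; a real pipeline would pair this with a
maintained scanner such as bandit and the project's own test suite.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    rule: str      # rule name
    line: int      # 1-based line number in the scanned file
    text: str      # offending source line, stripped


# Constructed rule set: (name, pattern, why it matters to a defender)
RULES = [
    ("shell-true",
     re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"),
     "shell=True lets attacker-controlled strings become shell commands"),
    ("eval-exec",
     re.compile(r"\b(?:eval|exec)\s*\("),
     "eval/exec on untrusted input executes arbitrary code"),
    ("yaml-unsafe-load",
     re.compile(r"yaml\.load\((?!.*Loader=)"),
     "yaml.load without an explicit Loader can instantiate arbitrary objects"),
    ("hardcoded-secret",
     re.compile(r"(?i)\b(?:password|secret|api_key)\s*=\s*['\"][^'\"]{8,}['\"]"),
     "credential literal committed to source"),
]


def scan_source(text: str) -> List[Finding]:
    """Return every rule hit in `text`; blank and comment-only lines are ignored."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for name, pattern, _reason in RULES:
            if pattern.search(line):
                findings.append(Finding(name, lineno, stripped))
    return findings


def guardrail(sources: Dict[str, str]) -> int:
    """Scan {path: source_text}; print findings; return 0 (clean) or 1 (block)."""
    total = 0
    reasons = {name: reason for name, _pattern, reason in RULES}
    for path, text in sources.items():
        for f in scan_source(text):
            total += 1
            print(f"{path}:{f.line}: [{f.rule}] {f.text}")
            print(f"    {reasons[f.rule]}")
    return 1 if total else 0


# Constructed sample file: one secret literal, three unsafe calls, one safe yaml call
SAMPLE = """import subprocess
import yaml
# password = "commented out, so ignored"
API_KEY = "ConstructedPlaceholder123"
subprocess.run(cmd, shell=True)
cfg = yaml.load(open("c.yml"))
safe = yaml.load(open("c.yml"), Loader=yaml.SafeLoader)
result = eval(user_input)
"""

if __name__ == "__main__":
    # Real use: pass file paths on the command line; with no arguments the
    # constructed sample is scanned and the process exits 1 because of its findings.
    if len(sys.argv) > 1:
        inputs = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    else:
        inputs = {"sample.py": SAMPLE}
    sys.exit(guardrail(inputs))
```

The rule set is deliberately small and regex-based; the point is the shape of the guardrail rather than its coverage: it runs on every change, it blocks rather than advises, and each finding carries the reason a defender cares, so the developer fixing it learns something instead of just clearing a warning. Wiring it into a pre-commit hook or the pull-request pipeline is what moves the feedback from "just before release" to "while the code is being written".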
The need for training and upskilling
Developers gave conflicting responses about the need for more training. While most rated their previous secure code training as good or excellent, 92% of respondents said others on their team require more training in security frameworks.
Even though code that contains vulnerabilities still ships, 81% said they regularly apply security training to their work. Yet only 43% said that training was highly relevant to their jobs, and more than half reported a lack of familiarity with common software vulnerabilities, how they can be exploited, and methods for avoiding them.
“Organizations don’t always give time to developers to upskill themselves,” Madou said. “The project deadline is often yesterday, so they have to crank out new features and functions and don’t think about security, but just focus on the organization’s short–term goals.”
It takes an average of about two years from when a vulnerability is created in code to when it’s found. As a result, organizations that want software security as a goal must plan years ahead, Madou explained. “They also have to consider the skillsets and training of new people coming on board.”
Often, developers can’t articulate what secure coding actually means. That’s because there are few lessons in university programs on how to create secure code.
“Why upskill yourself in coding? Because at the beginning of the development cycle you make mistakes, everyone does,” Madou said. “It’s only at the end of the cycle that you realize your code has a security impact and can be misused. So if you learn how to write secure code you will be seen as a good developer. In the report, most managers say they want security skills when they hire new developers.”
This article was originally published on EE Times.
Ann R. Thryft has written about manufacturing- and electronics-related technologies for Design News, Test & Measurement World, EDN, RTC Magazine, COTS Journal, Nikkei Electronics Asia, Computer Design, and Electronic Buyers’ News. She’s introduced readers to several emerging trends: industrial cybersecurity for operational technology, industrial-strength metals 3D printing, RFID, software-defined radio, early mobile phone architectures, open network server and switch/router architectures, and set-top box system design. At EBN Ann won two independently judged Editorial Excellence awards for Best Technology Feature. Currently, she is the industrial control & automation designline editor at EE Times. She holds a BA in Cultural Anthropology from Stanford University and a Certified Business Communicator certificate from the Business Marketing Association (formerly B/PAA).