While Most Developers Worry About Security, Many Development Teams Lack a Dedicated Security Expert
January 22, 2020

Eric Sheridan
WhiteHat Security

While nearly 75 percent of developers worry about the security of their applications, and 85 percent rank security as very important in the coding and development process, nearly half of their teams lack a dedicated security expert.
 
These are among the findings of a recent survey of 103 industry professionals at DeveloperWeek Austin in November, 2019.
 
The survey also found that while 57 percent of participants feel their teams have the right application security tools in place to incorporate security into the software development lifecycle (SDLC), 14 percent do not feel that they've been given the proper solutions to do so, and one-third weren't sure what their company provided. For those respondents who do utilize application security tools, 33 percent scan for vulnerabilities daily, 29 percent weekly and 20 percent monthly; this means that 82 percent scan their applications monthly at a minimum. The remaining 18 percent scanned either quarterly, annually or at random.

Surprisingly, 43 percent of respondents still focus on meeting their application release deadlines over security, which echoes an ongoing issue in the development community. Often, pressures to deliver a functional application by these dates cause coders to take security shortcuts or disregard it altogether. However, a promising 57 percent are realizing that application security should be a key part of the SDLC — and are prioritizing security practices over these demanding deadlines. 
 
Regardless, more than half (52 percent) of participants have experienced burnout as a result of the intense pressures to deliver the applications on time — and securely. When employees are burnt out, their performance can lag, impacting their personal life, professional growth and their company's deliverables.
 
What this research shows is that, while developers' concerns about securing their code are on an upward trajectory, it's clear the industry has a long way to go. Developers are on the front lines when it comes to protecting their organizations from cyberattacks, and they need the right tools and training to handle this burden. With applications being increasingly targeted by digital adversaries, it is vital that organizations and developers incorporate standard security protocols within DevOps, a practice known as DevSecOps. This should include regular cybersecurity training, an application security team lead and a holistic application security platform that can identify vulnerabilities in development, deployment and beyond.

Interestingly, despite this advice, 70 percent of developers have not received security certifications in their current or prior roles, and only 30 percent have. Developer respondents also provided insight into the skills needed in the field. While coding and security chops are important, soft skills are becoming more highly valued than ever when hiring new talent. Turns out, it's all about the wider group and shared responsibility. Forty-nine percent of developers say teamwork and interpersonal skills are most essential, with problem solving following in second place at 34 percent. Fourteen percent ranked communications and writing as most important, while leadership was ranked least important.
 
We are seeing strides in development and application security practices following this study. While there are still some concerns and areas for improvement, we are excited that developers are taking significant notice of this long deprioritized issue and taking steps to keep up with today's cyber risks.

Eric Sheridan is Chief Scientist at WhiteHat Security
Share this

Industry News

January 26, 2023

Ubuntu Pro, Canonical’s comprehensive subscription for secure open source and compliance, is now generally available.

January 26, 2023

Mirantis, freeing developers to create their most valuable code, today announced that it has acquired the Santa Clara, California-based Shipa to add automated application discovery, operations, security, and observability to the Lens Kubernetes Platform.

January 25, 2023

SmartBear has integrated the powerful contract testing capabilities of PactFlow with SwaggerHub.

January 25, 2023

Venafi introduced TLS Protect for Kubernetes.

January 25, 2023

Tricentis announced the general availability of Tricentis Test Automation, a cloud-based test automation solution that simplifies test creation, orchestration, and scalable test execution for easier collaboration among QA teams and their business stakeholders and faster, higher-quality, and more durable releases of web-based applications and business processes.

January 24, 2023

Harness announced the acquisition of Propelo.

January 23, 2023

Couchbase announced its Couchbase Capella Database-as-a-Service (DBaaS) offering on Azure.

January 23, 2023

Mendix and Software Improvement Group (SIG) have announced the release of Mendix Quality & Security Management (QSM), a new cybersecurity solution that provides continuous deep-dive insights into security and code quality to immediately address risks and vulnerabilities.

January 23, 2023

Trunk announces the public launch of CI Analytics.

January 23, 2023

Panaya announced a new Partnership Program in response to ongoing growth within its partner network over the past year.

January 23, 2023

Cloudian closed $60 million in new funding, bringing the company’s total funding to $233 million.

January 19, 2023

Progress announced the R1 2023 release of Progress Telerik and Progress Kendo UI.

January 19, 2023

Wallarm announced the early release of the Wallarm API Leak Management solution, an enhanced API security technology designed to help organizations identify and remediate attacks exploiting leaked API keys and secrets, while providing on-going protection against hacks in the event of a leak.

January 19, 2023

ThreatModeler launched Threat Model Marketplace, a cybersecurity asset marketplace offering pre-built, field-tested threat models to be downloaded — free for a limited time — and incorporated into new and ongoing threat modeling initiatives.

January 18, 2023

Software AG has launched new updates to its webMethods platform that will simplify the process by which developers can find, work on and deploy new APIs and integration tools or capabilities.