How do developers define "secure coding"?
A version of this article appeared in TechRepublic. It has been updated and syndicated here.
It has been an uphill - yet essential - battle to create an environment where the goals of the security team and their developer counterparts are aligned. We’ve got a long way to go, but the obstacles that stand in the way of the synergy needed to open the door to shared responsibility for software security are becoming abundantly clear. Smart companies want to evolve their strategy to avoid those pitfalls, find a productive way forward, and use DevSecOps to its full people-powered potential.
What I wasn’t anticipating, is that the perception of what constitutes the act of secure coding is up for debate. According to brand new research in collaboration with Evans Data, this sentiment was revealed in black and white. The State of Developer-Driven Security 2022 survey delves into the key insights and experiences of 1200 active developers, illuminating their attitudes and challenges in the security realm.
One of the headline findings was that just 14% of developers consider security a priority when coding. While this shows there is enormous room for improvement, it confirms what we knew already: feature-building is king in the developer’s world, and they remain ill-equipped to make security part of their DNA. However, when coupled with data on developer definitions of what secure coding means to them, it is cause for concern.
These perceptions are driven by developer experience in their working day, and it speaks to the environment of many organizations, which is that developers are simply not a focal point in the fight against common vulnerabilities. Their enablement is critical, but in the meantime, we must quickly get on the same page with the scope of “secure coding”, and what we should expect from a security-skilled developer.
We need to demystify security in the developer’s world.
Cybersecurity is a multi-faceted, unwieldy beast at the best of times, and while secure coding represents just one part of the overall landscape, it is a complex cog in the system that requires specialist attention.
The survey revealed that the concept of working with secure code was quite siloed for the average developer, with their scope often limited to a single category as opposed to a holistic view of the fundamentals and beyond. Developers indicated a reliance on using existing (or pre-approved) code, rather than the practice of writing new code that is free from vulnerabilities. While security awareness regarding third-party components (especially patching, and the Log4Shell debacle is a great example: 30% of instances remain unpatched since December) is very important, as is testing existing code, these alone do not meet a functional level of secure coding ability.
Code-level vulnerabilities are introduced by developers who have learned poor coding patterns, and a lack of emphasis on writing secure code in their KPIs (coupled with a lackluster security culture) only reinforces this as an acceptable standard.
Security leaders can go a long way in improving initial awareness and identifying areas of the most pressing knowledge gaps, by first ensuring that the development cohort is shown the complete picture of what secure coding entails. Testing and scanning pre-approved code is one function, but the reduction of vulnerabilities requires hands-on training in good, safe, coding patterns, in the languages and frameworks that are actively in use.
Context is vital in developer upskilling, and they need to be brought on the journey when it comes to the security goals of the business.
Many organizations need to upgrade their security programs.
With an explosion of software-driven tech making way for the rapid growth of cybersecurity incidents in the last decade, we’re all scrambling to keep up with threat actors working around the clock to uncover exploits in valuable systems.
The DevSecOps methodology is built on the idea that everyone shares responsibility for security - developers included - and it’s a chief consideration from the very beginning of the SDLC. The problem is, especially in large companies, they may be very far away from implementing DevSecOps as a standard. In 2017, a study by the Project Management Institute showed that 51% of organizations were still using Waterfall for their software development. That study is now five years old, but knowing how gradual changes can be in large enterprises, it’s unlikely that there has been a sharp transition to the latest security-oriented methodologies. These legacy processes can create an uphill battle for security professionals trying to cover all bases with a comprehensive strategy to protect against cyber threats, and retrofitting developers and their needs into this landscape is a challenge.
However, we can’t use this as an excuse. The security pros in the business can utilize developers in an uplifted strategy; they just need to get familiar with their needs and consider them as part of their defensive play. They need comprehensive training, and any responsibility for security needs to be implemented with respect to their tech stack and workflow.
Secure coding = the “too hard” basket?
The Evans Data research brought to light that a staggering 86% of developers find it challenging to practice secure coding, with 92% of developer managers also conceding that their teams needed more training in security frameworks. Worryingly, 48% of respondents admitted that they knowingly leave vulnerabilities in their code.
This paints a very concerning picture. It appears that, generally, developers are not getting frequent, adequate training, nor are they getting enough exposure to good security practices and hygiene. Reading between the lines, it reinforces the crux of the issue: it simply is not a priority for developers to consider security in their work. That, and the training they receive does not build their confidence or practical skills, nor does it help them understand the impact of their decision to ship vulnerable code.
The Colonial Pipeline ransomware attack was one of the most disruptive supply chain security incidents in the past year, sparking fear that half of the gas supply on the United States east coast would be cut off for an indeterminate period. Thankfully, they were back up and running quickly, but not without significant apprehension in the community. It was one of those crucible moments where the general public faced the prospect of a cyber incident seriously affecting an element of the physical world that isn’t necessarily thought of as software-driven, or a risk for a cyberattack. And all of that chaos was made possible by two old, unpatched vulnerabilities, one of which was the insidious, yet widely known, SQL injection. If developers knew what was truly at stake when they chose to ship vulnerable code, they would quickly see there is no scenario where that is an acceptable business risk.
Functional “P-P-T” is not up to the developer.
The famous “golden triangle” of People, Process, and Tools is not achievable without carefully considered strategy, and developers are not in a position to assimilate into a working security process without consideration of their needs and challenges.
It will take a sizeable culture shift to uplift developer-driven security, and it starts with educational pathways that move both engineers and the security team to greater clarity.
The perception of what constitutes the act of secure coding is up for debate. According to recent research in collaboration with Evans Data, this sentiment was revealed in black and white. The State of Developer-Driven Security 2022 survey delves into the key insights and experiences of 1200 active developers, illuminating their attitudes and challenges in the security realm.
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
A version of this article appeared in TechRepublic. It has been updated and syndicated here.
It has been an uphill - yet essential - battle to create an environment where the goals of the security team and their developer counterparts are aligned. We’ve got a long way to go, but the obstacles that stand in the way of the synergy needed to open the door to shared responsibility for software security are becoming abundantly clear. Smart companies want to evolve their strategy to avoid those pitfalls, find a productive way forward, and use DevSecOps to its full people-powered potential.
What I wasn’t anticipating, is that the perception of what constitutes the act of secure coding is up for debate. According to brand new research in collaboration with Evans Data, this sentiment was revealed in black and white. The State of Developer-Driven Security 2022 survey delves into the key insights and experiences of 1200 active developers, illuminating their attitudes and challenges in the security realm.
One of the headline findings was that just 14% of developers consider security a priority when coding. While this shows there is enormous room for improvement, it confirms what we knew already: feature-building is king in the developer’s world, and they remain ill-equipped to make security part of their DNA. However, when coupled with data on developer definitions of what secure coding means to them, it is cause for concern.
These perceptions are driven by developer experience in their working day, and it speaks to the environment of many organizations, which is that developers are simply not a focal point in the fight against common vulnerabilities. Their enablement is critical, but in the meantime, we must quickly get on the same page with the scope of “secure coding”, and what we should expect from a security-skilled developer.
We need to demystify security in the developer’s world.
Cybersecurity is a multi-faceted, unwieldy beast at the best of times, and while secure coding represents just one part of the overall landscape, it is a complex cog in the system that requires specialist attention.
The survey revealed that the concept of working with secure code was quite siloed for the average developer, with their scope often limited to a single category as opposed to a holistic view of the fundamentals and beyond. Developers indicated a reliance on using existing (or pre-approved) code, rather than the practice of writing new code that is free from vulnerabilities. While security awareness regarding third-party components (especially patching, and the Log4Shell debacle is a great example: 30% of instances remain unpatched since December) is very important, as is testing existing code, these alone do not meet a functional level of secure coding ability.
Code-level vulnerabilities are introduced by developers who have learned poor coding patterns, and a lack of emphasis on writing secure code in their KPIs (coupled with a lackluster security culture) only reinforces this as an acceptable standard.
Security leaders can go a long way in improving initial awareness and identifying areas of the most pressing knowledge gaps, by first ensuring that the development cohort is shown the complete picture of what secure coding entails. Testing and scanning pre-approved code is one function, but the reduction of vulnerabilities requires hands-on training in good, safe, coding patterns, in the languages and frameworks that are actively in use.
Context is vital in developer upskilling, and they need to be brought on the journey when it comes to the security goals of the business.
Many organizations need to upgrade their security programs.
With an explosion of software-driven tech making way for the rapid growth of cybersecurity incidents in the last decade, we’re all scrambling to keep up with threat actors working around the clock to uncover exploits in valuable systems.
The DevSecOps methodology is built on the idea that everyone shares responsibility for security - developers included - and it’s a chief consideration from the very beginning of the SDLC. The problem is, especially in large companies, they may be very far away from implementing DevSecOps as a standard. In 2017, a study by the Project Management Institute showed that 51% of organizations were still using Waterfall for their software development. That study is now five years old, but knowing how gradual changes can be in large enterprises, it’s unlikely that there has been a sharp transition to the latest security-oriented methodologies. These legacy processes can create an uphill battle for security professionals trying to cover all bases with a comprehensive strategy to protect against cyber threats, and retrofitting developers and their needs into this landscape is a challenge.
However, we can’t use this as an excuse. The security pros in the business can utilize developers in an uplifted strategy; they just need to get familiar with their needs and consider them as part of their defensive play. They need comprehensive training, and any responsibility for security needs to be implemented with respect to their tech stack and workflow.
Secure coding = the “too hard” basket?
The Evans Data research brought to light that a staggering 86% of developers find it challenging to practice secure coding, with 92% of developer managers also conceding that their teams needed more training in security frameworks. Worryingly, 48% of respondents admitted that they knowingly leave vulnerabilities in their code.
This paints a very concerning picture. It appears that, generally, developers are not getting frequent, adequate training, nor are they getting enough exposure to good security practices and hygiene. Reading between the lines, it reinforces the crux of the issue: it simply is not a priority for developers to consider security in their work. That, and the training they receive does not build their confidence or practical skills, nor does it help them understand the impact of their decision to ship vulnerable code.
The Colonial Pipeline ransomware attack was one of the most disruptive supply chain security incidents in the past year, sparking fear that half of the gas supply on the United States east coast would be cut off for an indeterminate period. Thankfully, they were back up and running quickly, but not without significant apprehension in the community. It was one of those crucible moments where the general public faced the prospect of a cyber incident seriously affecting an element of the physical world that isn’t necessarily thought of as software-driven, or a risk for a cyberattack. And all of that chaos was made possible by two old, unpatched vulnerabilities, one of which was the insidious, yet widely known, SQL injection. If developers knew what was truly at stake when they chose to ship vulnerable code, they would quickly see there is no scenario where that is an acceptable business risk.
Functional “P-P-T” is not up to the developer.
The famous “golden triangle” of People, Process, and Tools is not achievable without carefully considered strategy, and developers are not in a position to assimilate into a working security process without consideration of their needs and challenges.
It will take a sizeable culture shift to uplift developer-driven security, and it starts with educational pathways that move both engineers and the security team to greater clarity.
A version of this article appeared in TechRepublic. It has been updated and syndicated here.
It has been an uphill - yet essential - battle to create an environment where the goals of the security team and their developer counterparts are aligned. We’ve got a long way to go, but the obstacles that stand in the way of the synergy needed to open the door to shared responsibility for software security are becoming abundantly clear. Smart companies want to evolve their strategy to avoid those pitfalls, find a productive way forward, and use DevSecOps to its full people-powered potential.
What I wasn’t anticipating, is that the perception of what constitutes the act of secure coding is up for debate. According to brand new research in collaboration with Evans Data, this sentiment was revealed in black and white. The State of Developer-Driven Security 2022 survey delves into the key insights and experiences of 1200 active developers, illuminating their attitudes and challenges in the security realm.
One of the headline findings was that just 14% of developers consider security a priority when coding. While this shows there is enormous room for improvement, it confirms what we knew already: feature-building is king in the developer’s world, and they remain ill-equipped to make security part of their DNA. However, when coupled with data on developer definitions of what secure coding means to them, it is cause for concern.
These perceptions are driven by developer experience in their working day, and it speaks to the environment of many organizations, which is that developers are simply not a focal point in the fight against common vulnerabilities. Their enablement is critical, but in the meantime, we must quickly get on the same page with the scope of “secure coding”, and what we should expect from a security-skilled developer.
We need to demystify security in the developer’s world.
Cybersecurity is a multi-faceted, unwieldy beast at the best of times, and while secure coding represents just one part of the overall landscape, it is a complex cog in the system that requires specialist attention.
The survey revealed that the concept of working with secure code was quite siloed for the average developer, with their scope often limited to a single category as opposed to a holistic view of the fundamentals and beyond. Developers indicated a reliance on using existing (or pre-approved) code, rather than the practice of writing new code that is free from vulnerabilities. While security awareness regarding third-party components (especially patching, and the Log4Shell debacle is a great example: 30% of instances remain unpatched since December) is very important, as is testing existing code, these alone do not meet a functional level of secure coding ability.
Code-level vulnerabilities are introduced by developers who have learned poor coding patterns, and a lack of emphasis on writing secure code in their KPIs (coupled with a lackluster security culture) only reinforces this as an acceptable standard.
Security leaders can go a long way in improving initial awareness and identifying areas of the most pressing knowledge gaps, by first ensuring that the development cohort is shown the complete picture of what secure coding entails. Testing and scanning pre-approved code is one function, but the reduction of vulnerabilities requires hands-on training in good, safe, coding patterns, in the languages and frameworks that are actively in use.
Context is vital in developer upskilling, and they need to be brought on the journey when it comes to the security goals of the business.
Many organizations need to upgrade their security programs.
With an explosion of software-driven tech making way for the rapid growth of cybersecurity incidents in the last decade, we’re all scrambling to keep up with threat actors working around the clock to uncover exploits in valuable systems.
The DevSecOps methodology is built on the idea that everyone shares responsibility for security - developers included - and it’s a chief consideration from the very beginning of the SDLC. The problem is, especially in large companies, they may be very far away from implementing DevSecOps as a standard. In 2017, a study by the Project Management Institute showed that 51% of organizations were still using Waterfall for their software development. That study is now five years old, but knowing how gradual changes can be in large enterprises, it’s unlikely that there has been a sharp transition to the latest security-oriented methodologies. These legacy processes can create an uphill battle for security professionals trying to cover all bases with a comprehensive strategy to protect against cyber threats, and retrofitting developers and their needs into this landscape is a challenge.
However, we can’t use this as an excuse. The security pros in the business can utilize developers in an uplifted strategy; they just need to get familiar with their needs and consider them as part of their defensive play. They need comprehensive training, and any responsibility for security needs to be implemented with respect to their tech stack and workflow.
Secure coding = the “too hard” basket?
The Evans Data research brought to light that a staggering 86% of developers find it challenging to practice secure coding, with 92% of developer managers also conceding that their teams needed more training in security frameworks. Worryingly, 48% of respondents admitted that they knowingly leave vulnerabilities in their code.
This paints a very concerning picture. It appears that, generally, developers are not getting frequent, adequate training, nor are they getting enough exposure to good security practices and hygiene. Reading between the lines, it reinforces the crux of the issue: it simply is not a priority for developers to consider security in their work. That, and the training they receive does not build their confidence or practical skills, nor does it help them understand the impact of their decision to ship vulnerable code.
The Colonial Pipeline ransomware attack was one of the most disruptive supply chain security incidents in the past year, sparking fear that half of the gas supply on the United States east coast would be cut off for an indeterminate period. Thankfully, they were back up and running quickly, but not without significant apprehension in the community. It was one of those crucible moments where the general public faced the prospect of a cyber incident seriously affecting an element of the physical world that isn’t necessarily thought of as software-driven, or a risk for a cyberattack. And all of that chaos was made possible by two old, unpatched vulnerabilities, one of which was the insidious, yet widely known, SQL injection. If developers knew what was truly at stake when they chose to ship vulnerable code, they would quickly see there is no scenario where that is an acceptable business risk.
Functional “P-P-T” is not up to the developer.
The famous “golden triangle” of People, Process, and Tools is not achievable without carefully considered strategy, and developers are not in a position to assimilate into a working security process without consideration of their needs and challenges.
It will take a sizeable culture shift to uplift developer-driven security, and it starts with educational pathways that move both engineers and the security team to greater clarity.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
A version of this article appeared in TechRepublic. It has been updated and syndicated here.
It has been an uphill - yet essential - battle to create an environment where the goals of the security team and their developer counterparts are aligned. We’ve got a long way to go, but the obstacles that stand in the way of the synergy needed to open the door to shared responsibility for software security are becoming abundantly clear. Smart companies want to evolve their strategy to avoid those pitfalls, find a productive way forward, and use DevSecOps to its full people-powered potential.
What I wasn’t anticipating, is that the perception of what constitutes the act of secure coding is up for debate. According to brand new research in collaboration with Evans Data, this sentiment was revealed in black and white. The State of Developer-Driven Security 2022 survey delves into the key insights and experiences of 1200 active developers, illuminating their attitudes and challenges in the security realm.
One of the headline findings was that just 14% of developers consider security a priority when coding. While this shows there is enormous room for improvement, it confirms what we knew already: feature-building is king in the developer’s world, and they remain ill-equipped to make security part of their DNA. However, when coupled with data on developer definitions of what secure coding means to them, it is cause for concern.
These perceptions are driven by developer experience in their working day, and it speaks to the environment of many organizations, which is that developers are simply not a focal point in the fight against common vulnerabilities. Their enablement is critical, but in the meantime, we must quickly get on the same page with the scope of “secure coding”, and what we should expect from a security-skilled developer.
We need to demystify security in the developer’s world.
Cybersecurity is a multi-faceted, unwieldy beast at the best of times, and while secure coding represents just one part of the overall landscape, it is a complex cog in the system that requires specialist attention.
The survey revealed that the concept of working with secure code was quite siloed for the average developer, with their scope often limited to a single category as opposed to a holistic view of the fundamentals and beyond. Developers indicated a reliance on using existing (or pre-approved) code, rather than the practice of writing new code that is free from vulnerabilities. While security awareness regarding third-party components (especially patching, and the Log4Shell debacle is a great example: 30% of instances remain unpatched since December) is very important, as is testing existing code, these alone do not meet a functional level of secure coding ability.
Code-level vulnerabilities are introduced by developers who have learned poor coding patterns, and a lack of emphasis on writing secure code in their KPIs (coupled with a lackluster security culture) only reinforces this as an acceptable standard.
Security leaders can go a long way in improving initial awareness and identifying areas of the most pressing knowledge gaps, by first ensuring that the development cohort is shown the complete picture of what secure coding entails. Testing and scanning pre-approved code is one function, but the reduction of vulnerabilities requires hands-on training in good, safe, coding patterns, in the languages and frameworks that are actively in use.
Context is vital in developer upskilling, and they need to be brought on the journey when it comes to the security goals of the business.
Many organizations need to upgrade their security programs.
With an explosion of software-driven tech making way for the rapid growth of cybersecurity incidents in the last decade, we’re all scrambling to keep up with threat actors working around the clock to uncover exploits in valuable systems.
The DevSecOps methodology is built on the idea that everyone shares responsibility for security - developers included - and it’s a chief consideration from the very beginning of the SDLC. The problem is, especially in large companies, they may be very far away from implementing DevSecOps as a standard. In 2017, a study by the Project Management Institute showed that 51% of organizations were still using Waterfall for their software development. That study is now five years old, but knowing how gradual changes can be in large enterprises, it’s unlikely that there has been a sharp transition to the latest security-oriented methodologies. These legacy processes can create an uphill battle for security professionals trying to cover all bases with a comprehensive strategy to protect against cyber threats, and retrofitting developers and their needs into this landscape is a challenge.
However, we can’t use this as an excuse. The security pros in the business can utilize developers in an uplifted strategy; they just need to get familiar with their needs and consider them as part of their defensive play. They need comprehensive training, and any responsibility for security needs to be implemented with respect to their tech stack and workflow.
Secure coding = the “too hard” basket?
The Evans Data research brought to light that a staggering 86% of developers find it challenging to practice secure coding, with 92% of developer managers also conceding that their teams needed more training in security frameworks. Worryingly, 48% of respondents admitted that they knowingly leave vulnerabilities in their code.
This paints a very concerning picture. It appears that, generally, developers are not getting frequent, adequate training, nor are they getting enough exposure to good security practices and hygiene. Reading between the lines, it reinforces the crux of the issue: it simply is not a priority for developers to consider security in their work. That, and the training they receive does not build their confidence or practical skills, nor does it help them understand the impact of their decision to ship vulnerable code.
The Colonial Pipeline ransomware attack was one of the most disruptive supply chain security incidents in the past year, sparking fear that half of the gas supply on the United States east coast would be cut off for an indeterminate period. Thankfully, they were back up and running quickly, but not without significant apprehension in the community. It was one of those crucible moments where the general public faced the prospect of a cyber incident seriously affecting an element of the physical world that isn’t necessarily thought of as software-driven, or a risk for a cyberattack. And all of that chaos was made possible by two old, unpatched vulnerabilities, one of which was the insidious, yet widely known, SQL injection. If developers knew what was truly at stake when they chose to ship vulnerable code, they would quickly see there is no scenario where that is an acceptable business risk.
Functional “P-P-T” is not up to the developer.
The famous “golden triangle” of People, Process, and Tools is not achievable without carefully considered strategy, and developers are not in a position to assimilate into a working security process without consideration of their needs and challenges.
It will take a sizeable culture shift to uplift developer-driven security, and it starts with educational pathways that move both engineers and the security team to greater clarity.
Table of contents
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Resources to get you started
10 Key Predictions: Secure Code Warrior on AI & Secure-by-Design’s Influence in 2025
Organizations are facing tough decisions on AI usage to support long-term productivity, sustainability, and security ROI. It’s become clear to us over the last few years that AI will never fully replace the role of the developer. From AI + developer partnerships to the increasing pressures (and confusion) around Secure-by-Design expectations, let’s take a closer look at what we can expect over the next year.
OWASP Top 10 For LLM Applications: What’s New, Changed, and How to Stay Secure
Stay ahead in securing LLM applications with the latest OWASP Top 10 updates. Discover what's new, what’s changed, and how Secure Code Warrior equips you with up-to-date learning resources to mitigate risks in Generative AI.
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.