Unless you have been under a rock recently, you will have noticed that rarely a day goes by without another serious security problem arising. While there is plenty of blame to go around for these endless security problems, part of this blame is directed towards developers responsible for writing bad code.
Both GitLab and DevOps surveys have found that 68% of security professionals feel less than half of developers can spot security vulnerabilities; however, the majority feel that a programmer’s job is to write secure code.
At the same time, nearly 70% of developers said that while they are expected to write secure code, they are given little guidance or help.
Another problem is that it seems many companies don’t take security seriously enough. Nearly 44% of those surveyed reported that they’re not judged on their security vulnerabilities.
If you were under pressure to get code out and knew that no one was paying attention to the security aspects of that code, what would you do? Most likely, you would skip the security aspect.
A recent study found that those who have been left to their own devices (such as many freelance programmers) didn’t bother to secure passwords in a business assignment. Put simply, many developers didn’t think about security when writing their code.
The survey may be recent, but the clash between security and developers is an old one. Linus Torvalds, the creator of Linux, once said, “Security problems are just bugs.”
Torvalds, along with many other programmers, feels that security experts get in the way of writing productive code. Because security so often gets in the way of a programmer writing working code, it is frequently not treated as a priority.
The problem is that developers often think about security far too late, frequently after the code has already been written, which means they are often unaware of many security threats.
Sometimes security specialists design the security architecture poorly, which can again lead to security issues.
To fix this problem, developers must think about security before they begin writing code and consult security specialists far more regularly while the code is being written.