"Need for speed" heightens expectations (and security risks) for software development

The onus is increasingly falling on developers, who have a greater reliance on emerging technologies, a study by Checkmarx finds.


When it comes to software development, time-to-market has long been a top, if not the main, priority. A new study finds that nearly half (46%) of developers said the rate at which they're expected to build and deploy software is somewhat or significantly faster now than it was before the pandemic.

The pandemic has made speed even more paramount as organizations embrace digital transformation and seek greater software agility, innovation and resilience, observed James Brotsos, developer experience evangelist at application security testing provider Checkmarx, which conducted the study in late February.

Considering that developers were already operating at an aggressive pace, with remote work adding another layer of stress, it's understandable that when asked about the biggest work-related challenge they've faced throughout the pandemic, two points topped their lists: keeping up with increased development speeds and demands (36%) and collaborating with key teams (e.g. dev, ops and security) while remote (36%), Brotsos said.

Additional challenges weighing on their shoulders include increasing security ownership and responsibility (14%) and navigating headcount and resource reductions (11%).


To cope, Checkmarx's research shows that developers have increased their reliance on a variety of tools and components in the last 12 months to work more efficiently. The top three are open source, automated security testing tools and infrastructure as code, he said.

Software developers have flocked to the cloud, but testing lags

While the transition to the cloud has been in the works for quite some time, there's no debating that it's been put into hyperdrive by the pandemic. Well over half (59%) of survey respondents said that the amount of application development they're doing in the cloud now compared to before the pandemic has increased somewhat or significantly.

When asked about the top reason driving this migration, the "need for speed" sentiment emerged again, with 48% of developers saying that working in the cloud enables them to increase development and deployment speed, Brotsos said.

Meanwhile, over one in four (26%) said flexibility with operating systems, languages, and platforms that cloud environments offer has resonated most, while 15% cited improved application security, he said.

However, with all the benefits that the cloud presents come a myriad of security concerns. Cloud applications comprise numerous components, each of which brings a distinct set of risks and, as a result, requires specialized testing methodologies.

One of the most worrisome findings was that one in six developers (15%) aren't performing any security testing at all when building cloud-native applications, Brotsos noted.

"While the percentage may seem minimal at first glance … if you really look at it, this means that one out of every six developers isn't taking any AST steps in the cloud, which could leave a large portion of apps vulnerable," he said. "As cloud-native development becomes the gold standard across the industry, there needs to be a significant shift in this regard."

Additionally, when developers were asked which cloud-native technologies and components they perform security tests on when building applications in the cloud, just half said infrastructure as code, while 45% said APIs, followed by 44% who said microservices. Other respondents cited containers (32%) and serverless architectures (28%).

With cloud-native undoubtedly here to stay, Brotsos said, developers and organizations must balance rapid adoption of the technology with doing so in a secure manner.

Security is shifting into the hands of developers

With every organization's attack surface now being larger than ever before due to the rise in decentralized workforces, application security and building secure code must be a priority, he said. While the debate rages on about who should be the primary owner of application security, the Checkmarx survey indicated that over half (55%) of respondents have taken on somewhat or significantly more application security responsibility over the course of the COVID-19 pandemic.

As application security ownership continues its gradual shift from IT to DevOps to developers, securing the development pipeline is a skill they must learn, according to Brotsos. Respondents agreed. When asked about the skills they've prioritized learning or improving during the pandemic, their top response was AppSec/secure coding (46%).

The survey further found that developers are determined to increase their proficiency with emerging technologies and methodologies including API development (43%), cloud-native development (40%), IaC configuration (34%) and DevOps (31%).

What developers need more than ever to be successful

When asked what the single most impactful thing is their companies could do to make application security easier to manage, developers cited more opportunities for AppSec training (36%). This was followed by integrating security testing directly into their workflows (e.g. SCMs, CI/CDs, and IDEs) (27%), followed by investing more in automated security testing tools (23%) and streamlining collaboration between dev, ops and security teams (11%).

As application security continues to move under developers, Checkmarx advises a number of measures organizations should take:

  • Provide them with training and education.
  • Invest in the right application security testing tools.
  • Break down silos among software development stakeholders.
  • Listen to developers and their needs.

The need for breakneck software development is only going to continue, especially as organizations transition full-time to hybrid work environments and continue down the path of DX, Brotsos said.

"As with any job, these expectations are unsustainable long term if change isn't implemented," he said. "Organizations must listen to the requests and concerns that developers are voicing and provide them with the proper resources to keep up with this accelerated demand. At the end of the day, it should be a give and take dynamic."
