Thursday, March 11, 2021, marks the one-year anniversary of when the World Health Organization (WHO) officially assessed COVID-19 as a pandemic. To say that the last 12 months have been chaotic would be an understatement, with the entire business world undergoing a total transformation. At a surface level, we see clear and obvious ripple effects that COVID-19 has had on organizations, ranging from the meteoric rise in video calls and other virtual collaboration tools to sweatpants becoming the industry standard for work attire. Dig a little deeper and you’ll start to realize the less publicized, but equally noteworthy, impact that the pandemic has had on processes and people that are more ‘behind the scenes,’ but on the front lines in their own regard.

For the purposes of this report, we’re talking specifically about software developers. We’ve previously discussed how developers are one of the many unsung heroes of the pandemic, working furiously in the background to enable companies to shift to digital overnight and push the boundaries of innovation. However, little has been shared about how exactly they’ve fared and how their professional lives have changed through all of this.

To help shed light on this, in late February 2021, Checkmarx commissioned a survey of U.S. software developers to get a pulse check on how the pandemic has impacted their day-to-day workflows, what’s been weighing on them most, how their views on application security have changed, and what they desire from organizations to be successful. Here’s what we found.
Heightened expectations around speed of software development bring new challenges, greater reliance on emerging tech for developers.

When it comes to software development, time-to-market has long been a top – if not the top – priority. The pandemic has made speed even more paramount as organizations embrace digital transformation and seek greater software agility, innovation, and resilience. In fact, we discovered that nearly half (46%) of developers said the rate at which they’re expected to build and deploy software is somewhat or significantly faster now compared to before the pandemic. Considering that developers were already operating at an aggressive pace, with remote work adding another layer of stress, it’s understandable that when we asked about the biggest work-related challenge they’ve faced throughout the pandemic, two points in particular topped their lists: keeping up with increased development speeds and demands (36%) and collaborating with key teams (e.g. dev, ops, and security) while remote (36%). Additional challenges weighing on their shoulders include increasing security ownership and responsibility (14%) and navigating headcount and resource reductions (11%).

How are developers coping and meeting these expectations, you ask? Our research shows that they’ve increased their reliance on a variety of tools and components in the last 12 months to work more efficiently. The top three:
- Open source
- Automated security testing tools
- Infrastructure as code
Pandemic repercussions have developers flocking to the cloud, but cloud-native security testing lags behind.

While the transition to the cloud has been in the works for quite some time, there’s no debating that it’s been put into hyperdrive by the pandemic. Well over half (59%) of survey respondents said that the amount of application development they’re doing in the cloud now compared to before the pandemic has increased somewhat or significantly. When asked about the top reason driving this migration, the ‘need for speed’ sentiment reigned supreme yet again, with 48% of developers saying that working in the cloud enables them to increase development and deployment speed. Meanwhile, over one in four (26%) said the flexibility with operating systems, languages, and platforms that cloud environments offer has resonated most, while 15% said improved application security.

However, with all the benefits that the cloud presents comes a myriad of security concerns. Cloud applications comprise numerous components – each of which brings a distinct set of risks and, as a result, requires specialized testing methodologies. Of particular worry, our survey found that one in six developers (15%) aren’t performing any security testing at all when building cloud-native applications. Additionally, when we asked developers who are building applications in the cloud which cloud-native technologies and components they’re performing security tests on, the results didn’t paint a prettier picture. Just half said infrastructure as code, while 45% said APIs, 44% said microservices, 32% said containers, and 28% said serverless architectures. With cloud-native undoubtedly being here to stay, developers and organizations must balance rapid adoption of the technology with doing so in a secure manner.
Security is shifting into the hands of developers, spurring them to seek out opportunities for AppSec upskilling, training, and education.

With every organization’s attack surface now being larger than ever before due to the rise in decentralized workforces, application security and building secure code must be a priority. While the debate rages on about who should be the primary owner of application security, our survey shows that one thing is certain – whether developers like it or not, it’s moving into their hands. In fact, we discovered that over half (55%) of respondents have taken on somewhat or significantly more application security responsibility over the course of the COVID-19 pandemic.

As application security ownership continues its gradual shift from IT to DevOps to developers, securing the development pipeline is a skill they must learn. And, as it turns out, developers have recognized this need as well. When asked about the skills they’ve prioritized learning or improving during the pandemic, their top response was AppSec / secure coding (46%). We also found that they’re determined to increase their proficiency with emerging technologies and methodologies including API development (43%), cloud-native development (40%), IaC configuration (34%), and DevOps (31%).
So, what do developers need now more than ever to be successful?

As we’ve illustrated throughout this report, developers are being tasked with more, especially when it comes to security ownership, while serving as the driving force behind innovation and transformation. However, it can’t just be a one-sided affair – they need support in return. When looking at security ownership specifically, we asked developers what would be the single most impactful thing their companies could do to make AppSec easier to manage going forward. They first and foremost asked for more opportunities for AppSec training (36%). The next biggest requests?
- Integrating security testing directly into their workflows (e.g. SCMs, CI/CDs, and IDEs) (27%)
- Investing more in automated security testing tools (23%)
- Streamlining collaboration between dev, ops and security teams (11%)
- Provide them with what they’ve expressed they want most – training and education. Ensure that secure coding training and AppSec education are relevant, accessible, timely, and impactful. They should be integrated in a non-intrusive manner that also brings lasting value, rather than adding a new, cumbersome ‘task’ to their plates.
- Invest in the right application security testing tools. Don’t try to fit a square peg into a round hole by forcing developers to adopt solutions that don’t integrate seamlessly into their existing software development pipelines and workflows. Additionally, ensure that the tools leverage automation capabilities that reduce manual tasks and continuously perform security scans from the first line of code written to after software is deployed and patches are released.
- Break down silos amongst software development stakeholders. Now, more than ever, finding ways to foster collaboration is critical to success as employees are spread across the globe while working remotely. If dev, ops, and security teams are at odds, slowdowns and potential security mishaps will be exacerbated, as tensions can’t be resolved in real time and face to face like in traditional office settings. At the end of the day, all of these teams are working toward the same goal – to push out secure software as quickly as possible – and they should operate as one cohesive unit.
- Listen to developers and their needs. Given their massive workloads, find ways to alleviate unnecessary burdens and tasks. Additionally, set the standard across your organization that application security isn’t just developers’ responsibility – everyone must play a part. Finally, keep an eye out for signs of burnout and get ahead of this early.