The idea that developers don’t care about application security is a myth. A recently released report found that not only do developers take application security seriously, they take the time to find and fix vulnerabilities in their applications.
“Developers want to create great code, and to them that also means code that won’t get their company breached,” CA Veracode wrote in a blog post.
CA Veracode released the State of Software Security Developer Guide based on the company’s annual State of Software Security report.
According to the report, in the past year developers documented mitigations for only 14.4 percent of flaws found. “The interesting thing here is that, for the most part, developers don’t try to game the system by rejecting findings primarily as false positives, or as mitigated by design,” according to the report.
The problem isn’t that developers don’t care about security, the problem is that they are not trained on secure code, according to the report. “Even though security defects are being introduced during the initial coding phase, the good news is that developers are fixing security flaws after the initial test – indicating that they do understand the importance of releasing secure code,” the company wrote.
The report found that when developers get proper security training, their ability to fix vulnerabilities and tackle security improves. “Remediation coaching from security experts helps developers improve fix rates by an average of 88 percent vs. developers who don’t use remediation coaching. And developers who receive eLearning courses have an average 19 percent higher fix rate,” CA Veracode wrote.
Other findings of the report included: DevOps and DevSecOps adoption is accelerating, and vulnerabilities in third-party components are a major blind spot for development teams.
In addition, the report provides best practices for application security: think like an attacker, bring greater discipline to component use, level up with DevSecOps, lean on security pros like they are consultants, and fight for training and use it.
“In the near future, developers will need to fit the profile of what we call the full spectrum engineer (FSE). An FSE is someone who is not just good at keeping up with the latest trends in design and implementation, but knows how to test for quality, performance, and security. The most desirable developers understand the complexities of deployment, and know how important it is to ensure code looks and behaves the same whether running in development, QA, staging, or production,” the report stated.