Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
Enabling Developers to be Security Driven
By Pieter Danhieux, CEO &
Co-founder and Matias Madou, Co-Founder & CTO, Secure Code Warrior
As the new year draws closer, we wanted to share our 2023 predictions for the
software development industry. Developers will continue to see things moving
quickly, which means more code with tighter turnarounds, but we don't want to
continue to see security suffer due to this speed. Keeping this in mind, here
are our three software security predictions for 2023:
Code development teams will go to school
Here's an inconvenient truth as we head into the new year: developers aren't really
focused on security. Just 14 percent of them, in fact, view this as a top priority,
behind ensuring code quality, improving application performance and solving
real-world problems, according to research by Evans Data in conjunction with
Secure Code Warrior. More concerning, the research showed that two-thirds of
developers knew they were shipping code with vulnerabilities. One-third stated
that they didn't know how to identify or fix common vulnerabilities, and
one-quarter feel that fixing insecure code is someone else's job.
Clearly, this is a cultural mindset that must change, to the point where teams default
to "security first" within the development process. The industry as a whole
needs to adopt skills verification and training programs that enable team
members to distinguish a poor coding pattern from a good one, to help them
focus on building safe software from the start.
On an encouraging note, nine in ten developers say they want training, according to
our research. Many of them want practical sessions which leverage
work-relevant, real-life examples; hands-on interactivity; and opportunities to
actually practice writing secure code as part of their training. Given this,
organizations should invest in more personalized, practical training to avoid
"check the boxes" approaches conducted with static computer programs.
Quality code that is protected from the very beginning requires far less rework than
code for which security remains an afterthought.
Incentives Will Become Necessary for Developers to be More Security Conscious
Developers will not become more security conscious if there is no incentive in
place. It is up to companies to have a long-term strategy, and not a short-term
one. Companies implementing a long-term strategy should understand that good
quality, secure code will need less rework and is a good long-term investment.
Once they understand this, they can provide developers with incentives to
become security-conscious. Making secure code creation part of their annual
review or their bonus is an excellent way to incentivize developers to operate
at a higher standard, as well as to minimize rework in the future.
A Strong Focus on Retaining Software Developer Talent
According to the US Bureau of Labor Statistics, the turnover rate of software developers is
increasing. For some large organizations including Adobe, Oracle, and Cisco,
the average tenure is well over five years. However, the average software
engineer's tenure at some high-tech giants is under two years. The great
resignation did of course help to bring this number down as well.
All in all, we clearly have to do something to retain talent, and while working
from home can be a perk, it also creates less of a sense of belonging to the
company, which makes it far more straightforward for developers to resign if
they are enjoying the job less on a day-to-day basis.
Offering viable career pathways is crucial, giving the development cohort an
opportunity to become better at what they do. Access to an upskilling platform,
or letting them participate in a remote competition and feel more connected
with their peers and the company can be fun and mutually beneficial as well,
and it will give them a well-deserved break from the day-to-day stress they can
experience.
We live in a very exciting and fast-paced world of technology advancements, and we don't
expect it to slow down in 2023. By encouraging your code development teams to
adopt skills verification and training programs, incentivizing your developers
to be more security conscious, and focusing on retaining software developer
talent, organizations will build security strength and start the new year in a
great way.
## ABOUT THE AUTHORS

Pieter Danhieux is the CEO and Co-Founder of Secure Code Warrior. He is a globally recognised security expert,
with over 12 years' experience as a security consultant and 8 years as a
Principal Instructor for SANS teaching offensive techniques on how to target
and assess organisations, systems and individuals for security weaknesses. In
2016, he was recognised as one of the Coolest Tech people in Australia
(Business Insider), awarded Cyber Security Professional of the Year (AISA -
Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA,
GSEC, GPEN, GWAPT, GCIA certifications.
Matias Madou is the CTO and Co-Founder of Secure Code Warrior. He is a researcher and developer
with more than 15 years of hands-on software security experience. He has
developed solutions for companies such as HP Fortify and his own company Sensei
Security. Over his career, Madou has led multiple application security research
projects which have led to commercial products and boasts over 10 patents under
his belt. When he is away from his desk, he has served as an instructor for
advanced application security training courses and regularly speaks at global
conferences including RSA Conference, Black Hat, DEFCON, BSIMM, OWASP AppSec,
and BruCon. Madou holds a Ph.D. in computer engineering from Ghent University,
where he studied application security through program obfuscation to hide the
inner workings of an application.