Secure Code Warrior

Developers have motivations to learn about secure coding…so why aren’t they?

When it comes to learning about secure coding, what are the primary motivations for developers, and how can they be leveraged to design and implement a successful application security program?

When it comes to learning about secure coding, what are the primary motivations for developers, and how can they be leveraged to design and implement a successful application security program? In 2020, Secure Code Warrior engaged with Evans Data Corp. to conduct primary research into developers’ attitudes towards secure coding, secure code practices, and security operations (register your interest for your copy here).

When surveyed, developers claim they see the value in secure code training. And 80% of development managers say they’re more likely to hire developers with secure coding skills. So with these skills in such high demand, why is there still such a shortage of security-trained developers? 

Lack of motivation on the part of developers does not seem to be the core issue. Developers are motivated and when asked about the sources of their motivation for learning secure code training, this is what they told us:

  • 35% of respondents were driven by company-related concerns
  • 24%  were motivated for personal reasons
  • 41% were driven by both personal and company motivations. 

And when we  dug a little deeper, we found that the top 5 personal motivators for secure code training are:

  1. Increased productivity and efficiency
  2. Curiosity/personal interest
  3. Avoidance of problems caused by insecure code
  4. Potential career advancement
  5. More efficient use of human resources

When considering company-centric motivations, developers understand how learning secure code practices might increase productivity. Managers can see how practicing secure coding might allow for more efficient use of their human resources. And while motivations differ from region to region, on a global scale, the desire for increased productivity and efficiency remains the one constant.  

That said, developers are not always driven to learn about secure coding by external factors, such as employer demands. In many cases, decisions are self-motivated. Developers care about what they create and are proud of their work, as is shown when we look at the top four reasons that attract developers to study secure coding. While 25% of developers say they want to create value for their companies, the same percentage say that they would like to enhance the quality of their code. For others, it’s all about kudos, visibility, and recognition in the workplace. 70% say that they are recognized by their company when secure code is written. And, as previously stated, 80% of development managers are more likely to hire developers with secure coding skills.

Developers are motivated – so why are they not more engaged? 

If security skilled developers are so valued and the motivation to learn is there, why are they in such short supply?

As we’ve seen, developers have clear reasons to increase their secure coding skills, but remain averse to much of the current security training out there. Very few seek it out. Based on this research, we believe the answer is relatively simple: The current secure coding training available is inadequate, because it fails to fully address the key factors that attract developers to secure coding in the first place.

Let’s look at each of these factors. 

When it comes to increasing value and efficiency and enhancing the quality of their code, developers need training that makes secure coding intrinsic to their daily process. They need the skills to identify and fix vulnerabilities as they code – right from the start. For maximum relevance and immediate applicability, that training should take place in the specific language:framework they use every day. Traditional training approaches don’t deliver this  and many developers find them incredibly boring and irrelevant.  

As champions of change in secure coding, Secure Code Warrior makes secure coding a positive and engaging experience for developers. We believe training must be delivered in a way that inspires developers to want to learn. This calls for ‘hands-on, interactive and work relevant simulations and challenges that inspire participants to bake security features into their code right from the start. This highly interactive developer-centric training approach places developers motivations to learn at the heart of your application security program. If you'd like to see how it all comes together, book a demo now.

You can also register your interest to receive a copy of our upcoming Whitepaper, Shifting from reaction to prevention: The changing face of application security here.