The secret ingredient to more secure code is out and it’s simple: happiness.
That’s according to a sweeping annual survey of over 5,000 developers, which found that they are triple as likely to spot security issues if happy at work.
The finding might seem faintly ludicrous: most businesses nowadays aspire, superficially or otherwise, to creating a positive working environment and those that fail should hardly expect insecure code as the inevitable outcome.
(It is extremely likely, of course, that happiness is an outcome of other factors that are in themselves greater contributors to more considered code reviews/QA: adequately staffed teams, less pressure to ship code at an unreasonable pace..)
But with developers shipping code ever faster — under pressure from business leaders to iterate and innovate at pace — and the same survey showing that 28 percent of mature organisations have suffered an open source breach in past 12 months, business leaders may want to ask themselves how they can make their developers happier.
Open Source Code Security: Never More Important
Open source software security specialist Sonatype’s seventh annual DevSecOps community survey — which reached devs in UK, USA, India, Canada and the EU — is not all full of guidance on creating a merry bed of roses for developers however.
With software supply chain security firmly in the spotlight, following a string of security incidents, many businesses are looking closely at how to shore up the integrity of the code amid increasingly rapid development cycles. (The report found that 55 percent are deploying code to production at least weekly, up from 47 percent in 2019).
The security or otherwise of application code and beneath it/baked into it, open source code components is vital: hundreds of thousands of open source software packages are in production applications throughout the supply chain; many rife with issues ranging from outdated versions; understaffed projects; and existence of known security flaws.
Sonatype found that happy developers – those that feel secure in their job, have access to training and are being given the right tools – are 65 percent more likely to conduct rigours code checks. Dennis Orner, Software Engineer, TWT Digital Health commented in the survey that: “Security falls short when things get shipped under pressure. This is not the case as often when security is part of the process.”
When asked what caused the most friction in an organisation members of mature DevOps teams reported no friction, while others cited immature practices and management as key causes of disruption.
Derek Weeks, Vice President at Sonatype commented that: “Developer happiness based on mature DevOps practices is fundamental to the quality and delivery of secure software. By introducing mature DevOps practices, businesses can not only innovate faster, they can enhance their development teams’ job satisfaction, and ultimately differentiate themselves as employers – critical when so many companies face significant skills shortages and increased competition.”
Happiness of Developers and Breaches
Nearly one in five (24 percent) queried reported that they have suspected or have verified a breach within the last 12 months.
Breaches caused by the integration of open source components has dropped slightly to 21 percent following a sharp rise two years ago around the time of the Equifax breach, which they blamed on an open source framework.
Established DevOps security teams are 69 percent more likely to follow an open source governance policy. These governance policies sit as a guiding framework for security teams and layout step by step how organisations approach and handle the array of open source components it needs to operate. A key move for teams following a good governance policy is the implementation of software composition analysis tools.
However, only 45 percent of those operating mature DevOps practices say they keep a full software bill of materials for open source components that is used in their applications.
Mitesh Shanbhag, Assistant Vice President, Nomura International PLC, UK commented that: “The time between a vulnerability announcement and its exploits appearing in the wild is just three days, so being proactive is now a must.”