Over the next 12 months, software development will likely become faster and more iterative as businesses focus on upgrading applications and transforming the customer experience. As they do so, organizations will continue to face many security challenges and will need to strengthen their ability to defend their security posture. Here are three predictions for the next year in secure software development:
1. Increased Requests for Software Bills of Materials
All major organizations should have learned something from the onslaught of supply chain attacks in the past couple of years. The cost of these breaches will continue to rise, but forecasts about the precise financial impact are deceptive, given the incalculable damage inflicted by an attack on the scale of SolarWinds.
Organizations will realize they need to include developers in their security strategies to avoid becoming supply chain attack victims. Developers seldom have much reason to prioritize security: their main concern is building features, and many have little security training. A global survey of 1,200 developers conducted by Evans Data Corp and commissioned by Secure Code Warrior found that just 41% of surveyed developers strongly agreed that they had sufficient training in secure coding. In light of this, it is hardly surprising that security risks persist, especially as developers rely on open-source and third-party software components that may already contain bugs and vulnerabilities.
As a result, comprehensive and current software bills of materials (SBOMs) – inventories of components and dependencies – will increasingly become a standard ask from software buyers, in addition to trust and safety audits. Code is already coming under the security spotlight before developers accept it, and we expect that trend to continue during 2023. Every organization must be fully aware that a vendor may not care about security as much as they do, and due diligence is essential. The best vendors will ensure that a lot of this information is publicly accessible, as it really should be a point of pride.
2. Heightened Security Consciousness
Organizations will recognize that without incentives, it is difficult to make developers more security conscious. Some companies will realize they must implement a long-term strategy to address this. These organizations understand that high-quality, secure code will need less rework and is a good investment. Having grasped this, they will incentivize developers to become more security-aware. Making secure code creation part of their annual review or their bonus, for example, is an excellent way to incentivize developers to operate at a higher standard.
Secure coding practices must be endorsed by management and given the proper consideration, authority and budget to succeed. For example, the Evans Data Corp poll found that 67% of developers knowingly ship code with vulnerabilities. When asked to explain their reasoning, 36% of respondents said it was because they needed to meet a release deadline. This indicates how developers, traditionally measured on speed, may require new benchmarks agreed upon by management in order to code properly and securely. The initial increase in budget is likely to be recovered later through a reduced need for revisions, patches and post-deployment work. 2023 is expected to be a year when security-first organizations tackle these challenges.
3. A Year of Focus on Talent Retention
According to the U.S. Bureau of Labor Statistics, the turnover rate of software developers is increasing. For some large organizations, including Adobe, Oracle and Cisco, the average tenure is well over five years. However, the average software engineer's tenure at some renowned tech giants is under two years. The great resignation following the relaxation of pandemic health restrictions did, of course, help bring this number down as well.
Companies will have to do something to retain talent. While working from home can be a perk, it weakens the sense of belonging to the company, making it far easier for developers to resign if they are enjoying the job less on a day-to-day basis.
Organizations will craft more enticing career pathways, giving the development cohort an opportunity to become better at what they do. Writing secure code and keeping up with the constant proliferation of threats and vulnerabilities is not easy, which is why many cybersecurity roles go unfilled. Giving developers access to an upskilling platform, or letting them take part in a remote competition where they feel more connected with their peers and the company, can be fun and mutually beneficial as well, offering a well-deserved break from day-to-day stress. Organizations need continuous, interactive learning, investing time and resources into developer enablement that is much more than a check-box exercise.