Software Developers and Security: a love-hate relationship

Recently, GitLab performed a survey on over 4,000 developers and operators, with interesting results.

This year, over 4,000 respondents – across various industries, roles, and geographic locations – candidly shared their experiences, helping us uncover what software professionals require in order to innovate rapidly. By uncovering best practices and unmet needs, the Global Developer Report: DevSecOps is one small step for software professionals to share their thoughts, and one giant leap for IT leaders to remove roadblocks to help teams thrive and offer the strongest contributions to software development. Using these insights as a guide, IT leaders can employ a solution-focused approach to creating a seamless software development lifecycle – from planning to monitoring.

https://learn.gitlab.com/c/2019-global-develope

This survey was performed on a population of 4,000 developers and operators. Among the respondents, 68% of security professionals believe it’s a programmer’s job to write secure code, yet they also think fewer than half of developers can spot security holes.

The survey may be new, but the clash between security and developers is ancient. As Linus Torvalds, Linux’s creator, once said, “security problems are just bugs.” And security hardening patches should never result “in killing processes. The only process I’m interested in is the development process, where we find bugs and fix them.”
Torvalds continued, “From a security standpoint, when you find invalid access, and you mitigate it, you’ve done a great job, and your hardening was successful, and you’re done. ‘Look ma, it’s not a security issue anymore,’ and you can basically ignore it as ‘just another bug’ that is now in a class that is no longer your problem.”
But merely fixing the security issue is only the beginning of a programming fix. Torvalds wrote, “From a developer standpoint, things really are not done. Not even close. From a developer standpoint, the bad access was just a symptom, and it needs to be reported and debugged, and fixed, so that the bug actually gets corrected.”
In short, Torvalds, and many other programmers, see security experts as getting in the way of creating productive code. Security to them is not job No. 1 if it gets in the way of making working code. Good programs require both security and functionality.

https://www.zdnet.com/article/no-love-lost-between-security-specialists-and-developers/

From GitLab’s viewpoint, the answer is good DevOps practice, and one of its keys is making security a part of DevOps from the start. According to the survey, teams that do so are three times more likely to discover bugs before code is merged.

