Developers spend 17 hours a week on security — but don’t consider it a top priority

Three quarters of developers spend more than 17 hours a week on security-related tasks — and one in four spends more than 25 hours each week.

That’s according to a survey of 1,500 development heads, platform engineers and software engineers by security firm Checkmarx.

Despite security’s heavy impact on workloads for developers, just 21% said that security is their top priority when coding — suggesting that perhaps spending more time up front could help avoid time spent on remediation down the line.

Just 42% of those surveyed said they understand the vulnerability tickets they’re sent at least half of the time, though the majority (92.5%) of respondents rated the effectiveness of their security training as medium or high.

The Checkmarx report follows similar research from JFrog, which found that half of developers spend 19% of their weekly hours on security-related tasks — often outside normal working hours and costing companies as much as $28,000 per developer per year.

The road to DevSecOps

The report examined how well development teams and security teams work together, in particular shifting from DevOps to more mature stages of development, security and operations (DevSecOps). Only 30% of companies are currently moving beyond “focusing only on the developer experience to building more sophisticated processes” — though 45% are now measuring code security.

“The massive increase in the number of development teams and DevOps pipelines within large organizations shows how critical it is for DevOps and security teams to build a shared culture for successful collaboration,” said Martin Lindsay, Vice President of Regional Marketing at Checkmarx.

“With the ultimate goal of delivering high-performing code – which, by definition is secure code – these two teams are finding that improving the developer experience with application security is just the first step and that security must find a way to match the pace of agile development,” Lindsay added.

Four stages to better security

According to Checkmarx, there are four stages to DevSecOps. The first is merely reactive about security: application security is “bolted on” to development and can slow it down. In the second, security teams pass flaws to developers, but without support or guidance.

The third stage focuses on the developer experience, with security tools embedded into the development environment. In a mature DevSecOps system, the fourth stage, security and development teams work closely together and agree on policies with well-aligned goals.

The report said: “With overall market maturity in its early stages, the Checkmarx study reveals that there is not yet wide adherence to established best practices for operation and measurement of effective DevSecOps. While organizations have made forward strides, there is still more progress to be made.”
