Developers spend 17 hours a week on security — but don't consider it a top priority

More work on DevSecOps has been identified as a top priority for developer teams

Three quarters of developers spend more than 17 hours a week on security-related tasks — and one in four spends more than 25 hours each week.

That's according to a survey of 1,500 development heads, platform engineers and software engineers by security firm Checkmarx.

Despite security's heavy impact on workloads for developers, just 21% said that security is their top priority when coding — suggesting that perhaps spending more time up front could help avoid time spent on remediation down the line.

Just 42% of those surveyed said they understand the vulnerability tickets they're sent half of the time, though the majority (92.5%) of respondents rated the effectiveness of their security training as medium or high.

The Checkmarx report follows similar research from JFrog, which found half of developers spend 19% of their weekly hours on security-related tasks — often outside normal working hours and costing companies as much as $28,000 per developer per year.

The road to DevSecOps

The report examined how well development teams and security teams work together, in particular shifting from DevOps to more mature stages of development, security and operations (DevSecOps). Only 30% of companies are currently moving beyond "focusing only on the developer experience to building more sophisticated processes" — though 45% are now measuring code security.

"The massive increase in the number of development teams and DevOps pipelines within large organizations shows how critical it is for DevOps and security teams to build a shared culture for successful collaboration," said Martin Lindsay, Vice President of Regional Marketing at Checkmarx.

"With the ultimate goal of delivering high-performing code – which, by definition is secure code – these two teams are finding that improving the developer experience with application security is just the first step and that security must find a way to match the pace of agile development," Lindsay added.

Four stages to better security

According to Checkmarx, there are four stages to DevSecOps. The first is merely reactive about security, in which application security is "bolted on" to development and can slow development, while the second sees security teams working to pass flaws to developers, but without support or guidance.

In the third stage, a developer-experience-focused system, security tools are embedded into the development environment. In the fourth, a mature DevSecOps system, security and development teams work closely together and agree on policies with goals well aligned.

The report said: "With overall market maturity in its early stages, the Checkmarx study reveals that there is not yet wide adherence to established best practices for operation and measurement of effective DevSecOps. While organizations have made forward strides, there is still more progress to be made."

Nicole Kobie

Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.
