Report: UK lags behind US in auditing code for security flaws
The CTO of open source software firm SUSE suggested the US’ DevOps maturity can be attributed to the difference in aptitude


The US is leading the tech industry in auditing codebases for security issues, with the UK reportedly lagging well behind.
Germany was also identified as one of the nations that was underperforming when it comes to code auditing, despite significant cyber security challenges across the industry.
The findings came from open source software firm SUSE’s latest report, showing a disparity in the way in which the nations see code auditing as an operational priority.
According to the report, nearly half (45%) of respondents in the US regard code audits as a priority, and invest accordingly, while only 23% and 26% of respondents in Germany and the UK respectively adopt the same attitude.
SUSE’s global CTO Brent Schroeder said he believes that the US’ potentially more mature DevOps environments could be an influential factor.
“The US being ahead is probably more about the maturity of the US with DevOps and DevSecOps,” Schroeder told ITPro.
Citing his experience of meeting customers, Schroeder spoke of the importance of integrating security and security practices into the developer pipeline, and noted that “companies, at least in the US, are really starting to embrace and recognize that”.
“If they don’t bring security into the process, they encounter one of two things: One is the speed and agility with which code is delivered is significantly diminished because near the end of the process they have to do checks for security.
“They do everything they can to do the integration as quickly as possible but then releasing new applications, major new features into a production environment, they’ve got to pause to check with the security team: does this pass all the audits and the requirements?
“Or else you deliver vulnerabilities at scale.”
Who cares about source code audits?
Being aware of what is in one’s software supply chain is critical. Recent security incidents have demonstrated the importance of detecting, remediating, and monitoring vulnerabilities in applications.
Across the US, Germany, and the UK, an average of 33% of respondents to the survey believed that goals on source code audits would be revised upwards, rising to 46% if one only considers software and network engineers, technical architects, and developers.
95% also intended to review their software supply chain to increase security. This included 51% that had already done so, increasing to 68% of US-based respondents but going down to only 40% of those that are Europe-based.
Why are the UK and Germany lagging?
The difference in approach could potentially be attributed to governmental and regulatory approaches.
In the US, the M-22-18 memorandum set a deadline for compliance with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF), SP 800-218, and the NIST Software Supply Chain Guidance.
The M-22-18 memorandum, dated 14 September 2022, set clear dates for US government agencies to adopt the requirements.
Ninety days were given for a software inventory, 120 days for a vendor communication process, and 270 days for attestation letters not posted publicly by software providers for “critical software”.
US companies keen to do business with government agencies must therefore ensure they comply with the NIST requirements, aimed at addressing software security and secure development practices.
The EU’s Network and Information Security (NIS) directive was the first piece of EU-wide legislation on cyber security but, as a briefing on NIS2 in February 2023 noted, implementation proved difficult and resulted in fragmentation across member states.
NIS2 entered into force on 16 January 2023 and is set to be implemented in each member state’s national law by 17 October 2024.

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.
Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.