A developer feeling burnt out may start making mistakes and potentially missing critical vulnerabilities and security issues.

Fast Company Executive Board

The Fast Company Executive Board is a private, fee-based network of influential leaders, experts, executives, and entrepreneurs who share their insights with our audience.

BY Stuart McClure

They say, “love is a battlefield,” but so is the developers’ role in the unrelenting fight against cybersecurity threats. As the digital landscape becomes increasingly complex, these developers find themselves at the forefront, facing more and more attacks with steep consequences if not caught and fixed in time.

This means less time spent writing code—and more time fighting vulnerabilities and threats. A Qwiet AI survey of developers found nearly 33% of respondents are spending a third of their time chasing and fixing bugs. And just like the search for love, this time spent looking for vulnerabilities, coupled with false positives, can be a drain on individuals and teams, leading to a drop in productivity and burnout. While the answer to finding love may be to “swipe right,” reducing developer fatigue will take a “shift left.”

TESTING DEVELOPERS’ RESILIENCE

For developers, their number one goal is to get code out the door. Organizations often prioritize the rapid delivery of features and functionalities to stay competitive, leading to a strong incentive for developers to quickly release code. But they are also challenged with having to produce secure code, something that is not always a part of programming education and something developers are not traditionally incentivized to do.

Many programs focus on teaching the fundamentals of programming languages, algorithms, and data structures but lack emphasis on the importance of secure coding. As a result, training programs may not adequately prepare developers to identify and address security vulnerabilities in their code, leading to a reactive response to security issues.

This can be especially challenging after a developer deploys the code, requiring urgent patches and updates and diverting attention from planned tasks. An example is a buffer overflow, a vulnerability that has existed for practically as long as programming has existed and is still one of the most common types of exploit. The fix is not difficult, but developers sometimes overlook these flaws in the development process, leading to potentially disastrous consequences. The reactive cycle of identifying, fixing, and potentially repeating the same security issues creates burnout for developers and can put the company at risk.

Another issue contributing to developer fatigue is false positives. According to the same developer survey by Qwiet, 70% of developers say application security is a top priority. So, while developers may accept spending a considerable amount of time investigating and addressing reported security issues, when an issue turns out to be a false positive, the mental load is much higher, contributing to fatigue.

This survey also found false positives to be one of the top ways security tools affect the development process. In fact, 91% responded that their security tools negatively impact their coding work. When developers consistently encounter inaccuracies in security tools, they may become desensitized or skeptical, potentially overlooking real security issues that require attention.

False positives can also create communication challenges between development and security teams. If developers consistently receive inaccurate security alerts, they may become less responsive to future notifications from the security team. 

The impact of developer fatigue can reverberate across an organization. A developer feeling burnt out may start making mistakes and potentially missing critical vulnerabilities and security issues. These errors impact the customer, forcing them to look for alternative applications. This leads to drops in revenue as well as risks to the brand and company reputation. 

THE SECURITY SOLUTION

To address developer fatigue, enterprises can take a “shift left” approach, addressing security concerns earlier in the software development lifecycle. It also means adopting a risk-based approach, allowing developers to focus on addressing the most critical security issues. Additionally, “shift left” promotes collaboration between development, operations, and security teams, creating a shared responsibility for security.

Automated security testing tools, integrated early in the development process, reduce developer fatigue. It is clear that organizations need to implement strategies that improve the accuracy of these tools. This may include fine-tuning tool configurations, providing training to developers on how to interpret and prioritize security alerts, and investing in the latest scanning technology.

Nearly 60% of the developers surveyed by Qwiet AI also want to use the most advanced technology to keep up with bad actors, followed closely by security tools that reduce time chasing vulnerabilities. That is where AI comes in.

THE RISE OF AI

AI tools are quickly taking on a bigger role in application development and security. 94% of developers said AI-based tools will be necessary in the next few years, and teams need to start using them now to keep pace. These tools can help with developer fatigue in several ways: from alleviating repetitive tasks, to producing clean code, to enhancing that code, to creating feature-rich applications.

But it is important to know AI isn’t going to do everything. AI, like any code-based tool, has its share of security concerns, and it is crucial to strike a balance between its potential and risks. Developers will need to know when to use the technology to enhance what they are doing, and what the potential hazards are. Some of these include library poisoning, or corrupting data to manipulate the AI responses in malicious ways; AI hallucinations; and unconstrained generation of harmful, biased, or misleading information.

For organizations, incorporating AI tools is about finding the right tools for the job. This means considerations like using a publicly available large language model (LLM) or taking the time and effort to create a specialized LLM for the enterprise.

Above all, it is important that managers and executives be receptive to AI tools and encourage their use, while making sure the tools are secure. By doing so, organizations can empower their development teams, ease developer fatigue, and strengthen their applications against whatever threat comes next. What’s not to love about that?


Stuart McClure is the CEO of Qwiet AI and the founding author of the #1 cyber security hacking book, Hacking Exposed.

