AppSec Blog

AppSec Blog

How much do developers care about security?

3%

That's about how much developers care about security.

Starting last year I made a concerted effort to speak at developer conferences. The idea was to go directly to people who write actual code and help spread the word about application security. By speaking at technical conferences that appeal to top developers the goal was to reach out to people who really care about development and want to learn and apply everything they can. By getting these developers interested in security my hope was that they would, in some small way, lead by example since many of them are the ones that build the tools and frameworks that other developers rely upon.

It started last year at ÜberConf which is held in the Denver area. I knew it would be great show when I heard that, on some nights, sessions are attended until 11pm by scores of exhausted developers. Not only that, the conference organizer, Jay Zimmerman, makes sure there's plenty of great food on hand for breakfast, lunch and dinner. Highly recommended.

Then there's Devoxx which is held in Antwerp, Belgium and is known as the Java Community Conference. It's a large show with over 3000 attendees. Plus the cost is low enough that it sells out every year. The organizer, Stephan Janssen, does an incredible job.

And of course there's JavaOne which is held every year in San Francisco. As far as I can tell it's still the largest Java development conference in terms of attendance. Unfortunately, the folks from Google only speak at Devoxx given the recent legal issues between Oracle and Google.

As you can see I really avoided any security specific events in an attempt to get outside of the security echo chamber. And I think (or hope anyway) that the results were very good. I've had hundreds of developers in my talks who were extremely excited to be learning new things and about security in general. The feedback has been overwhelmingly positive.

But, if the feedback from speaking at developer conferences has been so great then why do developers, in general, not seem to care that much about security? Why do I say that developers only care about security 3% of the time?

Well, this percentage comes from a comparison of the number of security sessions to the total number of speaking slots at all the developer conferences I've spoken at (or am scheduled to speak at). As you can see below, on average, only about 3% of the talks are security related.



Conference# of
speaking
slots
# of
security
sessions
% of sessions
about security
Comments
ÜberConf 201115032.0%
Jazoon 201110732.8%
JavaOne 2011400153.75%See note [1]
Devoxx 20118822.3%
ÜberConf 201213542.96%
JAX Conf 20124025%See note [2]
JavaOne 2012442153.4%
Ĝredev 201212021.67%See note [3]
Total1482463.1%

While developers do find security interesting they just don't care about it as much as other stuff. This isn't a big surprise. In many organizations they're not incented to care about security. And while security is an interesting domain there are lots of other things that interest most developers even more. Developers like learning new things, using new tools and APIs, and building something that matters. Usually, security doesn't "matter". Heck, when I was focused solely on building web apps in the first half of my career I didn't care that much about security either!

Looking back over the conference agendas, the vast majority of the sessions covered cool new technologies like mobile, NoSQL, cloud, REST, functional programming, Scala, new APIs, and the list goes on. There just isn't as much room for security in the list of things that "matters". There's nothing wrong with this. In fact, this is as it should be.

We have to recognize that security isn't going to come first. We need to understand and care about the things that development teams care about and advocate security on their terms. Focus on the problems and technologies that they care about and give them tools and ideas on how to use them better by providing simple and effective ways to do things in a secure way.

At the same time we have to keep reaching out to developers because they're the ones who care enough and are smart enough to make a difference. We can't change what they care about but maybe we can work together so they care more than 3% of the time.

 

[1] I can't find the 2011 JavaOne content catalog online and can't get exact figures. However, I do remember there being a fair number of security talks so I put a low estimate of 400 speaking slots and kept the number of security sessions the same as the 2012.

[2] One of the two talks was not security focused but touched on security so I added it here.

[3] The schedule is not final so the counts are estimates based on the currently published agenda.

4 Comments

Posted July 23, 2012 at 4:05 PM | Permalink | Reply

John Allspaw

How much should developers care about security? What percentage is a target such that it would no longer be worthy of a blog post?

Posted July 24, 2012 at 3:53 AM | Permalink | Reply

Steven R

I dont really agree with your analysis. While quoting 3% is attention-grabbing (thats what brought me here), basing that on number of security talks in a developer conference is like judging the number of stalls displaying state-of-the-art airbag protection systems at a car expo. Thats not what people go there for primarily.

Developers going to these conferences are not going there to learn about security but rather new developments in their streams of work. There are separate security related conferences which talk about security. Perhaps it would be insightful to see how many of the attendees for conferences like OWASP, SANs etc. are developers.

Posted July 27, 2012 at 2:26 PM | Permalink | Reply

Jan Schaumann

Re John:
Security should be as much a concern for developers as performance or reliability. It should not even have a special "oh, right, that, too" status, but just be part of the process. If conferences commonly have (random number pulled out of thin air), say, 30% of their content covering performance, then I'd say having 30% security related material would be wonderful. Ie, Security should not be an outlier.

Re Steven:
| Perhaps it would be insightful to see how many of the attendees for
| conferences like OWASP, SANs etc. are developers.

Agreed, though I suspect that that number would be well below 10%.

Posted September 25, 2012 at 8:07 PM | Permalink | Reply

Sonja

I agree with the other comments... I'm not sure how much developers are supposed to care about security. I'm pretty sure they will get paid regardless of their regard for security, so why bother? Interesting topic.

Post a Comment






Captcha

* Indicates a required field.