Key Takeaways:
• 91% of developers undergo security training annually, yet over a fifth (21%) engage in risky behavior, such as using public computers to access work data and networks.
• Respondents enter a significant range of sensitive data into generative AI platforms, with potential risks involving developer secrets (30%), privileged credentials (24%), customer information (28%), social security numbers (25%), health data (24%), and more.
• 60% of developers manage 100 or more secrets; practices like hard-coding secrets in source code (65%) and keeping secrets in clear text (55%) prevail.
• 78% of developers see generative AI as a challenge to data security; however, 83% of respondents note their organizations have already invested in AI technology to manage and/or analyze data.
• 68% of developers have used passkeys for work applications, yet only 36% believe FIDO2 and passkeys could replace passwords.
• Over half (54%) of developers spend 5 to 15 hours each week just managing secrets, showing a clear need for solutions to cut down this time.
SANTA BARBARA, Calif. (October 18, 2023) – Bitwarden, the credential management leader, today announced the results of its inaugural developer survey: "Decoding Tomorrow: Developer Secrets, Security and the Future of Passkeys." For the report, Bitwarden surveyed more than 600 developers to understand respondents’ behaviors around security best practices, as well as their perceptions on the adoption and implementation of passwordless authentication, secrets management, and the cybersecurity risks associated with the rise of generative AI.
Training vs. Doing: Uncovered Security Risks
The survey shows that 91% of developers have regular security training, yet the application of these practices paints a different picture. Despite ongoing training, 65% admit to hard-coding secrets in source code and 55% keep secrets in clear text, elevating the risk of data exposure and security breaches.
The risks associated with these practices are clear. Nearly three-quarters (72%) of developers have been impacted by a data breach, with 24% reporting substantial damage and disruption to their company. More than a fifth (21%) of respondents disclosed they use public computers to access work data, emphasizing the need for continuous education, robust security protocols, and organizational support to address cybersecurity threats.
Why Secure-By-Design is Easier Said Than Done
Ninety-four percent of developers find secure-by-design principles ‘very’ or ‘extremely important,’ yet 26% find implementation time-consuming and 18% cite understaffing and tight deadlines as barriers. Despite understanding the importance of implementing secrets management solutions, 65% of developers hard-code secrets in source code and 55% manage and share secrets in clear text and messaging apps. These findings highlight the need for organizational frameworks to support seamless integration of secure-by-design principles.
Passwordless Authentication: Balancing Security and Convenience
Sixty-eight percent of developers have embraced passkeys for work applications, indicating a shift towards modern authentication technologies. Over a third (36%) see FIDO2 and passkeys as likely successors to passwords.
There's momentum in building passkey features for employees, with 87% of respondents actively developing them and 89% planning to implement them within the organization. For customer-facing passkey features, however, 83% report developing them and 41% report planning to implement them, showing a more measured approach towards external user authentication.
Developers show a mix of optimism and concern towards new authentication methods. Thirty-six percent of developers envision FIDO2 and passkeys as dominant, reflecting trust in these technologies. Nearly half (48%) revealed that wider adoption will be a challenge over the next five years due to passwordless technology’s compatibility with legacy systems and password-dependent applications. Other respondents see education and adoption (17%) as hurdles in transitioning users to new authentication systems and in balancing security benefits with user readiness.
Additionally, 40% are prioritizing increasing two-factor authentication (2FA) adoption, and 33% are focusing on enhancing password security. This suggests a balanced approach towards augmenting authentication security as passkey adoption continues to rise alongside greater industry acceptance and support.
AI: A Renewed Need for Cybersecurity
Seventy-eight percent of developers see generative AI as a major challenge for data security and more than a third (38%) consider it the biggest cyber threat to organizations over the next five years. Despite concerns, 83% of developers revealed that their organizations have invested in AI technology to manage and/or analyze data. Respondents also disclosed that they are entering a significant range of sensitive data into generative AI platforms, including developer secrets (35%), employee review data (30%), meeting details (29%), and more. The data showcases the fine line between harnessing AI's potential and mitigating its inherent risks.
“The 2024 developer survey highlights a move towards modern authentication like passkeys in work applications,” said Bitwarden CEO Michael Crandell. “However, it also shows risky practices continue despite regular security training. This data underscores the industry-wide challenge of translating security awareness into action. It's clear there's a need for accessible tools to help the developer community and organizations manage secrets securely, enforce strong authentication, and handle the risks of AI, while keeping innovation on track.”