Report: UK lags behind US in auditing code for security flaws
The CTO of open source software firm SUSE suggested the US’ DevOps maturity can be attributed to the difference in aptitude


The US is leading the tech industry in auditing codebases for security issues, with the UK reportedly lagging well behind.
Germany was also identified as one of the nations that was underperforming when it comes to code auditing, despite significant cyber security challenges across the industry.
The findings came from open source software firm SUSE’s latest report, showing a disparity in the way in which the nations see code auditing as an operational priority.
According to the report, nearly half (45%) of respondents in the US regard code audits as a priority, and invest accordingly, while only 23% and 26% of respondents in Germany and the UK respectively adopt the same attitude.
SUSE’s global CTO Brent Schroeder said he believes that the US’ potentially more mature DevOps environments could be an influential factor.
“The US being ahead is probably more about the maturity of the US with DevOps and DevSecOps,” Schroeder told ITPro.
Citing his experience of meeting customers, Schroeder stressed the importance of integrating security and security practices into the developer pipeline and noted that “companies, at least in the US, are really starting to embrace and recognize that”.
“If they don’t bring security into the process, they encounter one of two things: One is the speed and agility with which code is delivered is significantly diminished because near the end of the process they have to do checks for security.
“They do everything they can to do the integration as quickly as possible but then releasing new applications, major new features into a production environment, they’ve got to pause to check with the security team: does this pass all the audits and the requirements?
“Or else you deliver vulnerabilities at scale.”
Who cares about source code audits?
Being aware of what is in one’s software supply chain is critical. Recent security incidents have demonstrated the importance of detecting, remediating, and monitoring vulnerabilities in applications.
Across the US, Germany, and the UK, an average of 33% of respondents to the survey believed that goals on source code audits would be revised upwards, rising to 46% if one only considers software and network engineers, technical architects, and developers.
95% also intended to review their software supply chain to increase security. This included 51% that had already done so, increasing to 68% of US-based respondents but going down to only 40% of those that are Europe-based.
Why are the UK and Germany lagging?
The difference in approach could potentially be attributed to governmental and regulatory approaches.
In the US, the M-22-18 memorandum set a deadline for compliance with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF), SP 800-218, and the NIST Software Supply Chain Guidance.
The M-22-18 memorandum, dated 14 September 2022, set clear dates for US government agencies to adopt the requirements.
Ninety days were given for a software inventory, 120 days for a vendor communication process, and 270 days for attestation letters not posted publicly by software providers for “critical software”.
US companies keen to do business with government agencies must therefore ensure they comply with the NIST requirements, aimed at addressing software security and secure development practices.
The EU’s Network and Information Security (NIS) directive was the first piece of EU-wide legislation on cyber security but, as a briefing on NIS2 in February 2023 noted, implementation proved difficult and resulted in fragmentation across member states.
NIS2 entered into force on 16 January 2023 and is set to be implemented in each member state’s national law by 17 October 2024.

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.
Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.