Safeguard
DevSecOps

What CISOs Get Wrong About Developer Security Habits

CISOs blame developer negligence for supply chain risk, but the real issue is alert noise, tool sprawl, and audits that miss day-to-day behavior. Here's what the data actually shows.

Priya Mehta
DevSecOps Engineer
8 min read

Ask a CISO what's standing between their organization and the next supply chain breach, and the answer usually starts with "developers." Too many personal access tokens with no expiration. Package installs from registries nobody vetted. Secrets pasted into Slack instead of a vault. The instinct is to read all of this as negligence — a training gap, a discipline problem, something a policy memo can fix.

That instinct is mostly wrong, and it's expensive. The 2024 XZ Utils backdoor (CVE-2024-3094) wasn't caught by a mandatory training module — it was caught by a Microsoft engineer, Andres Freund, noticing an extra 500 milliseconds of SSH login latency on March 29, 2024. Sonatype's 2024 State of the Software Supply Chain report counted 512,847 malicious open source packages published that year alone, a 156% jump from 2023. Developers aren't the weak link because they're careless. They're the weak link because the systems around them make insecure defaults the path of least resistance. Here's what CISOs consistently get backwards about developer security habits — and what actually moves the needle.

Do Developers Actually Ignore Security Warnings on Purpose?

No — most of the time they never see the warning in a form that means anything to them. Security tools generate findings in a language built for auditors, not for someone mid-sprint trying to ship a feature by Friday. A Static Application Security Testing (SAST) scan that returns 4,000 findings with no severity ranking, no exploitability context, and no line-level fix suggestion isn't a warning — it's noise. GitLab's 2023 Global DevSecOps Survey found that 42% of developers said security was "bolted on too late" in their pipeline to act on efficiently, and over half said they didn't have enough time to address every issue flagged.

When a team is drowning in low-signal alerts, the rational response isn't diligence — it's triage, and triage under deadline pressure means dismissing everything that doesn't look like it's on fire. CISOs who interpret a high dismissal rate as apathy are misreading a signal-to-noise problem as a culture problem. The fix isn't more warnings; it's fewer, better-prioritized ones that arrive inside the tools developers already live in — the pull request, not a quarterly compliance dashboard.

Is More Security Training the Right Response to Risky Coding Habits?

No — training changes what people know, not what they do under a deadline. Annual, compliance-driven security awareness training has become the default CISO response to almost any developer-caused incident, largely because it's easy to document for an auditor. But behavior and knowledge are different things. A developer can pass every module on secret management and still hardcode an API key into a config file at 6 p.m. on a release night, because the guardrail that should have caught it — a pre-commit secret scanner, a blocked merge — simply wasn't there.

GitHub's own research on its push protection feature found that once secret scanning was enforced at the point of commit rather than taught in a slide deck, leaked credential incidents in scanned repositories dropped substantially within the first year of rollout. The lesson isn't that training is worthless — it's that training without enforcement mechanisms in the workflow is a compliance artifact, not a security control. CISOs get more durable behavior change from one well-placed automated gate than from ten hours of annual e-learning.

Do More Security Tools in the Pipeline Mean Fewer Vulnerabilities?

No — tool sprawl frequently makes things worse. It's common for a mid-size engineering org to run a SAST scanner, a software composition analysis (SCA) tool, a container scanner, a secrets scanner, and a cloud security posture tool, each with its own dashboard, its own severity scale, and its own alert queue. A 2023 ESG survey commissioned by application security vendors found that organizations juggling more than 10 security tools reported lower confidence in their overall security posture than those running a consolidated stack — not because the tools were bad, but because nobody owned the aggregate picture.

Developers end up seeing the same underlying vulnerability flagged three different ways with three different severity scores, and instead of resolving conflicting signals, they resolve none of them. CISOs often measure progress by tool count and coverage percentage in a board deck, but coverage without correlation just multiplies the noise problem described above. The organizations that actually reduce mean-time-to-remediation are the ones that consolidate findings into a single prioritized queue tied to real exploitability and business context — not the ones with the longest tool list.

Is Unsanctioned Open Source and Shadow Dependency Use a Rare Edge Case?

No — it's the default state of modern software development, not an exception. The average commercial application now pulls in hundreds of open source dependencies, and each of those often drags in dozens more transitively. Nobody on the team explicitly "approved" the vast majority of that dependency graph; it arrived because a top-level package needed it. When a developer runs npm install or pip install on a Tuesday afternoon, they are, in practice, extending trust to a chain of maintainers and infrastructure they've never evaluated — because there is no realistic alternative workflow that lets them ship on time.

This became painfully concrete with incidents like the 2022 ua-parser-js compromise, where a hijacked maintainer account pushed cryptomining and credential-stealing code into a package downloaded millions of times a week, and again with the 2021 Codecov Bash Uploader breach, which sat undetected for roughly two months while it exfiltrated CI/CD secrets from customer environments. CISOs who treat these as isolated, "shouldn't have happened here" incidents miss that shadow dependency risk is structural to how software is built today. The realistic goal isn't eliminating unvetted dependencies — it's getting continuous visibility into what's actually running in production and flagging anomalous changes (a new maintainer, an unexpected postinstall script, a version bump with no corresponding commit history) before they reach a build.

Does Passing a Compliance Audit Mean Developers Are Following Secure Practices Day-to-Day?

No — audits measure a point-in-time snapshot, and secure development is a continuous state. SOC 2 Type II reports, ISO 27001 certifications, and annual penetration tests are essential for demonstrating due diligence to customers and regulators, but they typically sample a narrow window of evidence — a set of tickets, a handful of access reviews, a subset of repositories. A team can produce a clean audit trail for the sampled evidence while running dramatically different practices in the repositories, branches, and CI jobs that weren't sampled.

Verizon's 2024 Data Breach Investigations Report noted that the human element was a factor in 68% of breaches, and stolen credentials remained one of the most common initial access vectors — categories of risk that a checkbox compliance review is poorly suited to catch in real time, because they show up in day-to-day developer behavior between audit cycles, not in the artifacts an auditor requests once a year. CISOs who treat a passed audit as evidence that developer security habits are sound are conflating "we can prove compliance for this sample" with "we are secure everywhere, all the time." Continuous, automated enforcement closes that gap; annual attestation alone cannot.

How Safeguard Helps

Every misconception above traces back to the same root cause: security programs built around periodic human judgment instead of continuous, automated enforcement embedded in the developer's actual workflow. Safeguard is built to close that gap directly.

  • Signal, not noise, at the pull request. Safeguard correlates findings across your dependency graph, secrets, and build pipeline into a single prioritized view tied to real exploitability — so developers see the handful of issues that matter instead of a dashboard of thousands they'll never triage.
  • Continuous dependency visibility. Instead of a one-time SCA scan, Safeguard tracks your software supply chain continuously — flagging anomalous maintainer changes, unexpected postinstall scripts, and suspicious version bumps in real dependencies before they reach a production build, the same class of behavior behind incidents like ua-parser-js and the XZ Utils backdoor.
  • Enforcement at the commit and CI boundary, not just training after the fact — so secrets, malicious packages, and policy violations get blocked at the point of introduction, when it's cheapest and fastest to fix.
  • Audit-ready evidence generated continuously, not assembled once a year — giving CISOs a real-time picture of software supply chain posture that holds up between audit cycles, not just during them.

The developers at your organization aren't the problem. The gap between what your security program assumes about their day-to-day habits and what actually happens in the repository is. Safeguard is built to close that gap — with continuous enforcement in the places developers already work, not another dashboard they'll learn to ignore.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.