DEVELOPMENT
State of Developer Time Loss 2024: How Arnica’s Pipelineless Security Can Help
November 5, 2024
In 2024, Atlassian & Developer Experience published the State of Developer Report. Developers were asked to identify the key challenges hinder productivity, slow development cycles, and increase the risk of security vulnerabilities. Issues like technical debt, insufficient documentation, and inefficient build processes create friction, while distractions and unclear direction further exacerbate these problems. With these challenges in mind, it's clear that the need for more streamlined development workflows and proactive risk management has never been greater.
In this blog, we’ll explore how Arnica’s innovative, pipelineless approach helps address these pain points head-on, empowering developers to focus on what they do best—building secure, high-quality code without the constant drag of technical debt and security risks.
Technical debt was the most significant factor in time loss, according to 59% of developers surveyed. Technical debt refers to the long-term consequences of cutting corners during development to meet short-term deadlines. Over time, quick fixes (or lack of action) accumulate, leading to risky or fragile code. For developers, technical debt becomes a major drain on productivity, as they are forced to repeatedly revisit and fix old code, which may have gone untended for years, instead of focusing on new features or improvements.
Managing technical debt can become overwhelming, particularly when security vulnerabilities, legacy code, or outdated frameworks are involved. This can also expose the organization to security risks that become harder to track and manage over time.
Arnica’s pipelineless approach enables real-time detection and remediation of code risks, effectively reducing the accumulation of technical debt related to security issues.
The traditional approaches to Application Security scanning – IDE security plugins and CI/CD based scanners – both have serious drawbacks that contribute to technical and security debt. IDE plugins suffer from low adoption rates (we typically see <20% adoption at organizations with more than 50 developers). CI/CD pipeline based scanners require engineering effort to configure, typically resulting in AppSec needing to prioritize which pipelines get scanners (and in turn which pipelines will not be scanned).
Arnica's security solution scans every new code push for vulnerabilities. This proactive scanning approach, paired with rich developer mitigation workflows, results in 91% of code risks never reaching production branches, empowering developers to merge code with far less technical and security debt.
Not only does Arnica directly prevent the creation of new technical debt, but it also eliminates existing technical debt by conducting daily scans, revalidating existing risks in code, and prioritizing remediation for still-valid risks. The outcomes of these scans can range from providing additional remediation paths, detecting newly introduced fixes, identifying merged fixes, or even automatically resolving existing security findings.
Arnica’s pipelineless approach dramatically reduces the technical and security debt added to production and, in turn, the effort required to pay down technical debt over time, freeing developers, DevOps, and AppSec teams to work on more impactful projects.
Documentation is crucial for onboarding new team members, reducing knowledge silos, and ensuring consistency in how code is written and maintained. And yet, 41% of developers indicated that insufficient documentation had a significant impact on their time loss. Without proper documentation, developers often spend excessive amounts of time searching for critical information, asking colleagues for help, or reverse-engineering solutions.
When documentation is lacking or incomplete, it increases friction in a developer’s workflow, often leading to confusion about potential fixes, best practices, or risks associated with certain components of the codebase. This can also result in poor decision-making, as developers don’t have access to the full context of a project, perpetuating technical debt and creating security vulnerabilities.
Arnica helps developers move quickly by providing rich, relevant context with every finding as well as quick wins directly in chat and in pull request comments. The net result of this is that for any given security finding, developers are less reliant on documentation or tribal knowledge in order to understand the finding or how to easily fix it. For example, for Static Application Security Testing (SAST) findings, Arnica uses the context of your source code to provide AI-generated code recommendations directly to the developers to mitigate the risk along with full context of the type of risk, the severity, where it exists, and more, all without needing to dig for that information. This same approach of providing both context and the recommended mitigation path is taken across SCA, third-party package reputation risk, open-source licensing risk, and more.
Build processes can often become slow, overly complex, and inefficient. In fact, 27% of developers say that a bloated build process hinders their ability to work efficiently. This problem can be caused or exacerbated by adding further complexity in the form of traditional AppSec scanners in CI/CD pipelines. Additionally, CI/CD based scanners can result in extended scan times, further stalling the build process.
When build processes are sluggish or prone to failure, bottlenecks are introduced, slowing down the entire development team. When it comes to security, risks identified at build are identified too late, forcing developers to stop their current work and address “old” issues, which derails their productivity and focus.The issue isn't just that developers are tasked with addressing security risks in previously published code, but that they must also find the right fixes to resolve these risks for the build to succeed. This becomes more complicated when the original owner or author of the code has left the company – which adds another layer of confusion for the developer.
With Arnica’s pipelineless approach, security scans take place within feature branches on every code push, providing context-rich, real-time feedback to developers, eliminating the need for separate build-stage security scans. Arnica also scans the main and production branches, ensuring 100% code coverage at all times. This significantly reduces the risk of breaking the build process due to code risks "spilling" from feature to main or production branches, while also cutting down on the time developers spend waiting for builds to complete and simplifying the overall build process.
Additionally, Arnica builds a behavior graph that automatically identifies active contributors in code repositories, allowing for the automatic assignment of CODEOWNERS. This helps teams identify the developers best suited to help mitigate a risk in a given branch, even if the developer who pushed the risk in the first place has left the company. Arnica enables development velocity and security and simplifies the build process without compromising code security and quality, while also creating a positive experience for both developers and AppSec teams.
According to the State of Developer 2024 report, the modern developer’s day is often filled with distractions: meetings, emails, chats, and constant context-switching between tasks. Lack of deep work time was cited by 27% of developers, who struggle to find uninterrupted time to focus on complex tasks. Deep work is essential for solving challenging problems, designing efficient systems, and writing quality code, especially when dealing with complicated or high-risk code.
When developers are constantly interrupted, it affects their ability to achieve a flow state, where they can work uninterrupted for long periods of time. This leads to delays in delivering critical features, as developers spend more time reorienting themselves after each interruption. More importantly, a lack of focus can lead to errors and overlooked risks, which compounds the problem in the long run and has a significant impact on development velocity.
Additionally, traditional AppSec tools require developers to login to the tool in order to receive alerts and notifications related to code risks detected by the tool.
Arnica reduces noise by helping AppSec teams get hyper-specific with what they want to prioritize with developers and then providing developers with easy mitigation paths. For example, Arnica runs every possible upgrade path for a vulnerable open-source package identified by SCA scanning. The result is that developers can pick the most efficient – highest impact for lowest effort – mitigation path. Arnica also provides in-depth context by considering factors like the Exploit Prediction Scoring System (EPSS), Known Exploited Vulnerabilities (KEV), regular vulnerability and secret validation, and reachability analysis to granularly classify and prioritize code risk severity.
Even if you help AppSec teams get granular in their focus and prioritization, if developers don’t push the fix, it’s all mute. That is why every interaction Arnica has with a developer takes place in a tool they’re already using, based on your security policy. Critical findings can be surfaced and responded to in Slack or Teams, comments can be automatically added to PRs, review workflows can be automatically kicked off in your SCM or chat, and so much more. Arnica even automates the ticket management lifecycle by auto-opening tickets for risks detected and, even more importantly, auto-closing tickets when fixes are merged, offloading another time-consuming task.
By not requiring developers to log into or learn a new tool, developers experience far fewer disruptions and can remain focused on their work.
A lack of clear direction was a challenge for 25% of developers, according to the report. This often stems from poor communication between development teams and leadership or misaligned priorities. When developers are unsure of the end goals, they may spend time working on low-priority tasks or solving problems that don’t align with the team’s overall objectives.
Without clear direction and realistic risk prioritization, developers may feel like they are constantly firefighting by fixing immediate issues without a long-term strategy for building robust, secure software. This lack of strategic focus not only wastes time but also leads to an increase in unresolved risks, which creates a backlog, as developers are less likely to prioritize fixing underlying security issues or addressing technical debt.
Arnica’s pipelineless approach provides developers with real-time feedback relating to security risks as they arise. With clear, actionable insights, Arnica eliminates the guesswork about which risks actually pose a higher risk to the business. Developers no longer have to spend time navigating a maze of tools or unclear processes to understand where to focus their efforts.
Arnica ensures that the highest-risk issues within the most important code repositories for the business are highlighted early and continuously throughout the development cycle, aligning their day-to-day tasks with the broader security and quality goals of the organization.
This streamlining provides a clear path forward, allowing developers to confidently address high-priority security risks without distractions, thus saving time and improving productivity.
Arnica’s approach to security ensures that developers are only confronted with the most important risks that can actually be fixed, and are relevant to them. Real time scanning and alerts help developers fix security issues while their code is still malleable. To see for yourself, book a demo with the Arnica team!
