The Lazy Developer: Testing in production is real, but…

Antonija Bilic Arar

The Lazy Developer pushes code to production without testing and doesn't follow security best practices. Why? Because processes and protocols slow them down. 

A study by SauceLabs surveyed 500 US-based full-time developers to find out how accurate the trope of the Lazy Developer is, what industry practices allow it to exist, and if the root cause of the “laziness” are developers themselves or there are some broader factors at play.

Developers were asked to anonymously voice their opinions and share their behavior on certain habits the Lazy Developer is often accused of. 

Proudly pushing to prod without testing

Per their answers, one of the findings was that developers don’t necessarily deny their Lazy Developer behavior. Some revel in it, sharing memes and anecdotes about recklessly pushing to prod. 

In their current role, over two-thirds of respondents (67%) admitted to pushing to prod without testing, while over a quarter (28%) of respondents regularly do so.

Almost the same percentage of developers surveyed, 61%, admitted to using untested code generated by ChatGPT, and more than a quarter of them (26%) do so regularly.

When split by age, the statistics showed that the more senior developers get, the less likely they are to do it. Respondents aged 58 or more said they have never or very rarely pushed to production without testing. The study leaves an open question, though, if the reason for that was that the more senior developers are wiser or just more obedient. 

Security, schmecurity

The report further reveals that 70% of survey respondents had used a coworker’s credentials in order to circumvent company restrictions for access to data and/or internal systems at their current job, and 41% of respondents do so regularly.

Even more shockingly, 75% of developers — 3 out of every 4 — admit to circumventing security protocols in their current role (such as disabling MFA or an unstable VPN) to complete a task, while 39% of developers report doing so routinely. 

Developers not only skip the security measures with the data they own, but also 60% confessed to sharing unredacted data with unauthorized individuals when troubleshooting or fixing a process. Additionally, 70% acknowledged sidestepping data encryption while transferring sensitive information to make the process faster or simpler.

Who is to blame? 

The study concludes that bad developer behavior is a systemic issue, not a broad conspiracy of individual malicious actors. Before blaming these so-called “lazy developers,” the study advises organizations to re-evaluate their testing processes and security protocols.

If developers are constantly taking shortcuts and security risks, that’s a sign that leaders need to set clearer expectations (that, or set goals more firmly planted in reality), and managers need to refine processes, tools, and provide the appropriate resources to achieve desired outcomes without sacrificing quality or safety. 

And, in the year of the mass tech layoffs, they offer one more piece of advice – don’t shift left by simply gutting your QA team and expecting developers to pick up the slack.

> subscribe shift-mag --latest

Sarcastic headline, but funny enough for engineers to sign up

Get curated content twice a month

* indicates required

Written by people, not robots - at least not yet. May or may not contain traces of sarcasm, but never spam. We value your privacy and if you subscribe, we will use your e-mail address just to send you our marketing newsletter. Check all the details in ShiftMag’s Privacy Notice