Is "Secure by Design" Failing?
February 20, 2024

John Campbell
Security Journey

In the fast-paced world of modern business, application development teams face an immense amount of pressure to code faster than ever before. 51% of developers have seen their volume of code increase 100x over the last 10 years, and almost all developers (92%) feel they must write code faster than before, according to Sourcegraph.

However, prioritizing rapid development frequently leads to the neglect of security measures, creating a trade-off that can have significant repercussions, overburdening AppSec teams towards the end of the software development lifecycle (SDLC) and almost guaranteeing software vulnerabilities and exploits. In a recent survey conducted with Ponemon, 20% of organizations expressed confidence in their ability to remediate vulnerabilities before an application is released. This paints a bleak picture for modern software security, and the complacency around secure coding education has forced regulators to take control.

Stringent Regulations Are a Must

The Cybersecurity and Infrastructure Security Agency (CISA) has long called for a culture of "Secure by Design," and this has been echoed by governance from the White House and the Securities and Exchange Commission (SEC).

The threat landscape around new Common Vulnerabilities and Exposures (CVEs) is one that every organization should take seriously. With a record-breaking 28,092 new CVEs published in 2023, bad actors are simply waiting to be handed easy footholds into their target organizations, and they don't have to wait long. Research from Qualys showed that three quarters of CVEs are exploited by attackers within just 19 days of their publication.

And yet, organizations are failing to equip their DevOps teams with the secure coding skills and knowledge they need to eliminate vulnerabilities in the first place. Despite 47% of organizations blaming skills shortages for their vulnerability remediation failures, only 36% have their developers learn to write secure code. Without building skills into the SDLC to combat these risks, organizations will continue to expose themselves, and anyone using their software, to attack.

Building the Right Skills

Over 60% of organizations consider the remediation of vulnerabilities in applications to be difficult, however this difficulty may stem from focusing their efforts in the wrong areas.

Under the current SDLC, AppSec teams are overburdened with swathes of potentially insecure code, and yet face time pressures to roll out new updates and features faster than their competition. In this environment, of course remediation is a challenge. Training more developers to write secure code from the outset helps to build a culture of security throughout the SDLC and alleviates the pressure on AppSec, but a comprehensive secure coding education program can go even further.

A great curriculum needs three core focuses:

1. Becoming part of the solution

Firstly, developers need to understand the role they play in securing overall application development. This begins with writing more secure code, but this knowledge is also essential in code reviews. As developers write faster, or even leverage generative AI and open-source code to deliver quicker applications, being able to properly review and remediate insecure code becomes crucial. Just one fifth (21%) of organizations surveyed currently educate their developers on vulnerability remediation.

2. Relevant and right-sized content

Our research revealed that, when organizations do invest in secure coding training, around half (47%) provide training only annually, bi-annually, or in response to a security incident. Since developers are incredibly time-constrained, education programs that focus on shorter but more regular lessons will improve retention over time and allow developers to incorporate their current projects into their learning. Only 39% of organizations deliver training in small training sessions.

Over two thirds of organizations (68%) fail to give immediate feedback as part of their secure coding training. With the multiple priorities that developers juggle each day, delaying or even denying feedback within a curriculum can have a big impact on overall retention.

Relevancy is essential to retention, so tailoring training to learner's needs, in terms of coding language, job role, and any industry specific regulations, will make each minute of education more effective.

3. Measuring success

Like any investment into security, organizations need to ensure that they are able to measure and demonstrate impact. Successful secure coding education programs are an effective tool for organizations looking to eliminate software security risk, but as Peter Drucker once said: if you don't measure it, you can't manage it. 50% of businesses have no form of assessment within their education programs, meaning that overall knowledge gain, and therefore ROI, is undeterminable.

The effectiveness of secure coding education as a method to mitigate or even eliminate cybersecurity threats is without controversy, and organizations are increasingly facing compliance pressures to build security into the culture and processes of their SDLC. But so far, this isn't enough. It's time to try the experts. Just 43% of organizations have invested in third-party, expert secure coding education programs, and many are yet to formalize their secure coding training at all.

Without prioritizing and properly investing in software security, organizations will only face more risk, more regulations, and more wasted spend on checking compliance boxes.

John Campbell is Director of Content Engineering at Security Journey
Share this

Industry News

April 11, 2024

Check Point® Software Technologies Ltd. announced new email security features that enhance its Check Point Harmony Email & Collaboration portfolio: Patented unified quarantine, DMARC monitoring, archiving, and Smart Banners.

April 11, 2024

Automation Anywhere announced an expanded partnership with Google Cloud to leverage the combined power of generative AI and its own specialized, generative AI automation models to give companies a powerful solution to optimize and transform their business.

April 11, 2024

Jetic announced the release of Jetlets, a low-code and no-code block template, that allows users to easily build any technically advanced integration use case, typically not covered by alternative integration platforms.

April 10, 2024

Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.

April 10, 2024

Buildkite signed a multi-year strategic collaboration agreement (SCA) with Amazon Web Services (AWS), the world's most comprehensive and broadly adopted cloud, to accelerate delivery of cloud-native applications across multiple industries, including digital native, financial services, retail or any enterprise undergoing digital transformation.

April 10, 2024

AppViewX announced new functionality in the AppViewX CERT+ certificate lifecycle management automation product that helps organizations prepare for Google’s proposed 90-day TLS certificate validity policy.

April 09, 2024

Rocket Software is addressing the growing demand for integrated security, compliance, and automation in software development with its latest release of Rocket® DevOps, formerly known as Aldon®.

April 09, 2024

Wind River announced the latest release of Wind River Studio Developer, an edge-to-cloud DevSecOps platform that accelerates development, deployment, and operation of mission-critical systems.

April 09, 2024

appCD announced its generative infrastructure from code solution now supports Azure Kubernetes Service (AKS).

April 09, 2024

Synopsys announced the availability of Black Duck® Supply Chain Edition, a new software composition analysis (SCA) offering that enables organizations to mitigate upstream risk in their software supply chains.

April 09, 2024

DataStax announced innovative integrations with API extensions to Google Cloud’s Vertex AI Extension and Vertex AI Search, offering developers an easier time leveraging their own data.

April 08, 2024

Parasoft introduced C/C++test CT, a comprehensive solution tailored for large teams engaged in the development of safety- and security-critical C and C++ products.

April 08, 2024

Endor Labs announced a strategic partnership with GuidePoint Security.

April 08, 2024

Hasura announced the V3 of its platform, providing on-demand API composability with a new domain-centric supergraph modeling framework, a distributed supergraph execution engine and a rich and extensible ecosystem of open source connectors to address the challenges faced during integration of data and APIs.

April 04, 2024

DataStax has entered into a definitive agreement to acquire AI startup, Logspace, the creators of Langflow, an open source visual framework for building retrieval-augmented generation (RAG) applications.1