Is 'Secure by Design' Failing?

This article was originally written by John Campbell for DevOps Digest.

In the fast-paced world of modern business, application development teams face an immense amount of pressure to code faster than ever before. 51% of developers have seen their volume of code increase 100x over the last 10 years, and almost all developers (92%) feel they must write code faster than before, according to Sourcegraph.

However, prioritizing rapid development frequently leads to the neglect of security measures, creating a trade-off that can have significant repercussions, overburdening AppSec teams towards the end of the software development lifecycle (SDLC) and almost guaranteeing software vulnerabilities and exploits. In a recent survey conducted with Ponemon, 20% of organizations expressed confidence in their ability to remediate vulnerabilities before an application is released. This paints a bleak picture for modern software security, and the complacency around secure coding education has forced regulators to take control.

Stringent Regulations Are a Must

The Cybersecurity and Infrastructure Security Agency (CISA) has long called for a culture of "Secure by Design," and this has been echoed by governance from the White House(link is external) and the Securities and Exchange Commission(link is external) (SEC).

The threat landscape around new Common Vulnerabilities and Exposures (CVEs) is one that every organization should take seriously. With a record-breaking 28,092 new CVEs published in 2023, bad actors are simply waiting to be handed easy footholds into their target organizations, and they don't have to wait long. Research from Qualys showed that three quarters of CVEs are exploited by attackers within just 19 days of their publication.

And yet, organizations are failing to equip their DevOps teams with the secure coding skills and knowledge they need to eliminate vulnerabilities in the first place. Despite 47% of organizations blaming skills shortages for their vulnerability remediation failures, only 36% have their developers learn to write secure code. Without building skills into the SDLC to combat these risks, organizations will continue to expose themselves, and anyone using their software, to attack.

Building the Right Skills

Over 60% of organizations consider the remediation of vulnerabilities in applications to be difficult, however this difficulty may stem from focusing their efforts in the wrong areas.

Under the current SDLC, AppSec teams are overburdened with swathes of potentially insecure code, and yet face time pressures to roll out new updates and features faster than their competition. In this environment, of course remediation is a challenge. Training more developers to write secure code from the outset helps to build a culture of security throughout the SDLC and alleviates the pressure on AppSec, but a comprehensive secure coding education program can go even further.

A great curriculum needs three core focuses:

1. Becoming part of the solution

Firstly, developers need to understand the role they play in securing overall application development. This begins with writing more secure code, but this knowledge is also essential in code reviews. As developers write faster, or even leverage generative AI and open-source code to deliver quicker applications, being able to properly review and remediate insecure code becomes crucial. Just one fifth (21%) of organizations surveyed currently educate their developers on vulnerability remediation.

2. Relevant and right-sized content

Our research revealed that, when organizations do invest in secure coding training, around half (47%) provide training only annually, bi-annually, or in response to a security incident. Since developers are incredibly time-constrained, education programs that focus on shorter but more regular lessons will improve retention over time and allow developers to incorporate their current projects into their learning. Only 39% of organizations deliver training in small training sessions.

Over two thirds of organizations (68%) fail to give immediate feedback as part of their secure coding training. With the multiple priorities that developers juggle each day, delaying or even denying feedback within a curriculum can have a big impact on overall retention.

Relevancy is essential to retention, so tailoring training to learner's needs, in terms of coding language, job role, and any industry specific regulations, will make each minute of education more effective.

3. Measuring success

Like any investment into security, organizations need to ensure that they are able to measure and demonstrate impact. Successful secure coding education programs are an effective tool for organizations looking to eliminate software security risk, but as Peter Drucker once said: if you don't measure it, you can't manage it. 50% of businesses have no form of assessment within their education programs, meaning that overall knowledge gain, and therefore ROI, is undeterminable.

The effectiveness of secure coding education as a method to mitigate or even eliminate cybersecurity threats is without controversy, and organizations are increasingly facing compliance pressures to build security into the culture and processes of their SDLC. But so far, this isn't enough. It's time to try the experts. Just 43% of organizations have invested in third-party, expert secure coding education programs, and many are yet to formalize their secure coding training at all.

Without prioritizing and properly investing in software security, organizations will only face more risk, more regulations, and more wasted spend on checking compliance boxes.