Pittsburgh, PA – January 24, 2024 – Today, best-in-class application security education company, Security Journey releases a new study on the state of secure coding training. The study, which consists of data primarily from the Ponemon Institute and includes findings from over 600 IT and IT Security Professionals, reveals that organizations are still prioritizing speed to market over security. In fact, only 20 percent of respondents were confident in their ability to detect a vulnerability before an application is released, over 60 percent struggle to remediate vulnerabilities effectively, and 50 percent fail to test the security of their applications after they have been released.
Attackers are ready and waiting for these vulnerabilities to be released into the wild, according to a study conducted by Qualys, 25 percent of vulnerabilities were exploited on the day of their publication, and 75 percent of vulnerabilities were exploited within 19 days (approximately three weeks). This indicates that securing an application later in its development lifecycle, especially post-release, is a significant risk to an organization's security posture. 47 percent of organizations are blaming these challenges of remediating vulnerabilities in production on a lack of qualified personnel.
Long-term software security is failing
The survey reveals a reactive approach when it comes to security education programs, with 68 percent of respondents only undertaking secure coding training because of a compliance need or in response to an exploit. These statistics indicate that from proper detection to effective remediation, organizations are relying heavily on tools to catch vulnerabilities and are overburdening their security workforce, rather than investing in long-term, human intervention at the development stage.
The study also uncovers a patching crisis:
- In the 12 months prior to the study, 54 percent of respondents suffered a security incident due to an unpatched vulnerability; 51 percent experienced more than 8 incidents
- Only 11 percent of organizations believe they patch vulnerabilities effectively in a timely manner and
- 55 percent blame misalignment between development, security, and compliance teams for delays in vulnerability patching
“We are seeing a perfect storm of application security risk that will likely drive regulators to become more stringent.” said Joe Ferrera, CEO of Security Journey. He continues “While organizations are turning to AppSec tools and AI to secure their outputs, these tools only act as a safety net and knowledgeable human intervention is needed to prevent and remediate insecure code from the outset. Organizations need to prioritize education programs that are expertly curated, tailored to roles, and continuously reinforced to ensure knowledge retention.”
Complacency towards training
Secure coding education is the key to unlocking more sustainable security practices within application development. And yet, the prevalence, frequency, and quality of secure coding training programs is far below where the industry needs it to be:
- 48 percent report only training annually, bi-annually or when an incident occurs, and of those organizations that undertake secure coding training, over 50 percent have programs that are not customized to users’ needs
- 50 percent of those that do provide training have no form of assessment to measure knowledge gain
- Only 36 percent of organizations have their developers learn to write secure code
- Just one fifth (21 percent) of organizations educate developers on vulnerability remediation
- Less than half (43 percent) have invested money in expertly training their organization with a third party
These statistics reveal a concerning level of complacency in how organizations are approaching security training for their development teams. Checking the box for compliance is easy but it doesn’t build a secure culture or educate teams on handling a broader landscape of threats.
Larry Ponemon, Chairman and Founder of the Ponemon Institute, commented “The current application security landscape is deeply concerning and it’s clear from this research that secure coding education is not yet up to scratch in most organizations. While it is positive to see many organizations doing training, it is worrying that this appears to be done with the intent to comply with regulations rather than develop secure code, and that the focus still remains on speed to market rather than instilling a secure culture around application development.”
The full report can be found here: https://info.securityjourney.com/study-on-secure-coding-training. To learn more about these essential learning paths and enhance your organization's security posture, please visit securityjourney.com.
About Security Journey
Security Journey helps enterprises reduce vulnerabilities with application security education for developers and all individuals involved in creating software. Development teams are empowered through practical, skill-oriented secure coding training that easily satisfies compliance needs and goes beyond that to build a security-first development culture. Over 450 companies around the world are teaching their teams how to build safer software using Security Journey.