Security Journey Blog

Filling the Developer Security Knowledge Gap

Written by Security Journey/HackEDU Team | Aug 25, 2023 12:43:21 PM

Are you experiencing the impact of a lack of developer security knowledge within your team? Many organizations are currently seeking ways to bridge the gap between security and development.  

You can watch Amy Baker, Security Evangelist at Security Journey, talk about these topics in her webinar “Filling the Developer Security Knowledge Gap” on BrightTalk. 

In this article, we will talk about the developer knowledge gap, how secure coding training compares to security tools, and how you can measure the success of a secure coding training program.

How Did the Developer Knowledge Gap Happen?

The developer knowledge gap is the difference between the security knowledge and skills that developers need to do their jobs securely and the knowledge and skills that they actually have.  

There are two main contributing factors to the developer knowledge gap:

  • Lack of Security Training for Developers 
  • Mounting Pressure on Developers to Code Quickly 

Too few people understand that there is a lack of security training for developers at the academic level. In fact, 0 of the top 50 U.S. university coding programs require secure coding courses. Professors are under pressure to keep up with evolving technologies and to teach students the skills they need to be successful in a short amount of time, so secure coding training tends not to make the curriculum.

Another interesting fact is that about 53% of developers don’t even have a technical degree from a university program; these developers learn from boot camps or online resources, and secure coding has not been a priority in that training either.

So now, these developers are part of the workforce without secure coding training, and they are currently under pressure from their organizations to complete more projects with quicker turnaround times. 

Read The Article: Feeling Exhausted? The AppSec Dilemma Could Be to Blame 

As consumers of software, we demand access to the latest features and functionality. 51% of developers report handling 100x the volume of code compared to their workload ten years ago, and 92% of developers feel pressure to release their code to market faster.

When combined, these contributing factors create the perfect storm within organizations. We are counting on developers to create secure applications without educating them.

Security Training vs. Security Tools

Many organizations use tools such as SAST, DAST, SCA, and automated code reviews to help keep their code secure. The problem with relying on these tools alone is that they catch insecure code only after it has been written, whereas the key to secure software is to write secure code from the start.

Read The Article: Secure Code Training vs. Code Scanning Tools 

Creating an application security program is crucial for any organization's success, and teaching developers secure coding through training is an essential part of it. According to EMA research, organizations see over 96% improvement in software security when developers have security training.

Results from Secure Coding Training

Tracking results for learning and development programs can be difficult for program administrators, but there are ways to measure the success of a secure coding training program.

Learning Swing

The Security Journey Learning Swing is measured by “before and after” learner self-assessment on an individual lesson basis. The difference between the before and after ratings is the learning swing. On average, learners experience more than a 33% increase in knowledge, with some increasing their knowledge by as much as 85%.

Skill Building

A report by Security Journey and Aberdeen Strategy and Research analyzed 140,000 hands-on developer exercises. It showed that 45% of developers passed the lesson on their first attempt and could find and fix SQL injection (SQLi) after less than 10 minutes of training.

ROI of AppSec Training

Preventing vulnerabilities from the start, rather than finding and fixing them later, can save your organization money. Investing in secure coding training therefore yields a return on investment (ROI) through the vulnerabilities it prevents.

  • The total average cost to remediate vulnerabilities is $757,215 annually.
  • The total average cost to train 100 developers on application security is $122,400 annually.

This calculation shows that AppSec Education has a 5x ROI, assuming you can prevent the same 30% of vulnerabilities you would want to remediate each year. 

See the Full ROI Calculation: How to Measure the ROI of Application Security Training 

Across all industry verticals, software development must shift its focus away from heavy reliance on code scanning tools and toward people and processes. 100% of organizations using a combination of code reviews, code-scanning tools, and third-party training saw improvement in their code security.

With the Security Journey AppSec Education Program, you can address the developer security knowledge gap and drive a security-first culture at your organization.