
Is Regulation the Consequence of Complacency in Securing Code?

In 2023, governing bodies and industry organizations considerably expanded software security regulation and governance. In 2024, we expect cybersecurity regulations to become more stringent, as they remain a key focus area for both industry organizations and governing bodies.

But why is there a sudden increase in regulations, and what consequences does it have on businesses? The answer lies in the AppSec Dilemma—the challenge of balancing the need to develop applications securely with the need to deploy applications quickly. 


Consequences of Insecure Code 

Organizations are increasingly focused on speed to market and have displayed a concerning level of complacency in prioritizing secure code. This leaves a gaping hole in our digital defenses and, consequently, increases the likelihood that governing bodies will impose stringent regulations aimed at forcing a change.

The evidence for complacency is stark. Verizon's 2023 Data Breach Investigations Report paints a grim picture, with web applications remaining the top attack vector for the 13th consecutive year.  

The consequences of inaction are no longer limited to individual organizations. As digital ecosystems become increasingly interconnected, the domino effect of one compromised application can cripple entire industries.  

Governments worldwide are taking notice.  

With increased pressure from citizens and businesses alike, regulatory bodies are actively considering stricter legislation to enforce application security best practices. 


Secure Coding Training Is Key 

The Ponemon Institute, in conjunction with Security Journey, conducted a study in the Fall of 2023 to understand the state of secure coding training and provide insights into how organizations are attempting to improve software security. The study revealed some concerning statistics.  

Download: A Study on Secure Coding Training 

For instance, 68% of respondents are only doing secure code training because of a compliance need or an exploit, indicating that these organizations lack a strong security culture across teams and fail to consider security when making business decisions. These organizations approach security reactively, which ultimately leads to weakened security programs.  

When training is focused solely on meeting compliance standards, the minimum requirements are often met, but this does not necessarily translate into the development of expertise. Only 36% of organizations have their developers learn to write secure code, and a mere 21% educated their developers on vulnerability remediation. These statistics reveal a concerning level of complacency in how organizations approach security training for their development teams.


How You Train Matters 

Less than half of the organizations surveyed by Ponemon invested any money in expert-led secure coding training for their organization. This statistic is concerning, as it indicates that organizations rely too heavily on security tools. Even the best security tools can help identify security issues, but they cannot be relied on to secure a system by themselves.

It's essential to have experts who can vet the outputs from these tools and take the right actions to ensure the system's security. EMA's latest study found that companies that hired secure coding training vendors, combined with code scans and code reviews, had a 100% improvement rate in code security.

Read More: How Code Scanning Tools Are Letting You Down 

Among organizations that do provide AppSec training, 57% rely on in-house secure coding training, which can contribute to weakened security programs, ill-prepared teams, and staff turnover. Asking already over-extended AppSec and DevSecOps teams to be not only security experts but educators as well can be a significant challenge.

To improve the code security of an organization, investing in secure coding training vendors, code scans, and code reviews can be the right approach. It can help ensure that the teams are well-prepared to identify and address security issues, leading to a more secure system and a better-protected organization. 


Be Part of the Proactive Solution 

The AppSec Dilemma is a genuine issue that organizations face when they need to strike a balance between developing and deploying applications quickly and ensuring their security.  

Organizations should not consider compliance as the sole driver for secure code training. Instead, they should focus on building a culture that prioritizes security and engages learners in the long run. Failure to do so could lead to even more stringent regulations and financial penalties. 

If you’re ready to be part of the solution and focus on building a culture that prioritizes security, you can learn more about our Application Security Education Platform or talk to our team of experts today.