From 2015 to 2021, the number of new vulnerabilities per year in the National Vulnerability Database grew from 6,487 to 20,139. This increase in vulnerabilities may be due to a significant skills gap when it comes to secure software development.
Software developers are not being taught secure coding practices at colleges and universities, and with a significant number of organizations failing to invest in any secure coding training whatsoever, even some of the most seasoned developers in the industry may have little to no awareness of secure coding concepts.
Enterprise Management Associates, Inc. (EMA) surveyed 129 professionals across multiple industry verticals, seeking to understand how organizations are tackling the difficult challenge of developing secure software applications.
In this article, we will look at the effectiveness of code scanning tools versus secure coding training and dive into EMA’s report: Secure Coding Practices – Growing Success or Zero-Day Epidemic?
The survey of 129 software development professionals found that only 10% of organizations using code scanning tools prevented a higher share of vulnerabilities from reaching production than organizations not using such tools, while continuous training markedly improved code security for over 60% of the organizations that adopted it.
EMA also found that as many as 70% of organizations are missing critical security steps in their software development lifecycle (SDLC), highlighting a struggle with a ‘shift-left’ approach.
“We have seen a worrying increase in new vulnerabilities over the last several years. While 99% of organizations have security awareness training programs, this approach does not go far enough for those in security-critical roles like developers,” says Amy Baker, Security Education Evangelist at Security Journey. “Awareness is a primer for knowledge, but to truly shift the paradigm and solve the AppSec dilemma, the focus must change from ‘awareness’ of AppSec to ‘in-depth knowledge’, and training developers on secure coding practices is the next step in security awareness programs. Vulnerabilities detected earlier in development are easier to resolve, far less costly, and reduce organizational risk.”
Code scanning tools have their place, but they cannot catch everything: scanners flag recognizable patterns, and a developer who does not understand why a construct is dangerous will keep producing variants the rules miss. It is far better for developers to write secure code in the first place than to hope a scanner catches the vulnerability before it reaches production, especially when only 10% of organizations using code scanning tools prevented more vulnerabilities than those that do not.
Code scanning tools should supplement secure coding practices, not be the one safeguard the whole process depends on, particularly when almost 70% of organizations are struggling with even a basic security SDLC. Tools cannot fix broken security practices.
Training is often an under-utilized method for delivering more secure applications. The EMA study found that secure coding training has a high return on investment: 28.8% of respondents using continuous training prevented over 90% of vulnerabilities from reaching production.
The study also found the most common barriers to investment in training are perceived impacts on productivity. Yet when continuous training is delivered by third parties and implemented in tandem with code reviews and code scanning tools, 100% of organizations saw improvement in their code security.
“All too often, when it comes to cybersecurity, the human element is the most overlooked component of any system,” says Ken Buckler, Research Director at EMA. “With the lowest adoption rates (54%) and highest code improvement rates (100%), third-party training appears to be the critical component some organizations are failing to invest in. Code reviews without training may ultimately prove to be futile efforts, simply checking a compliance checkbox that the code was reviewed. After all, how can those reviewing the code understand if the code is secure if those reviewers haven’t been given the proper training in the first place?”
After reviewing the data, EMA believes the best approach to secure software development is a combination of code reviews, code scanning tools, and a stronger emphasis on continuous, third-party training. Equally important is adopting a full security SDLC covering planning, implementation, and validation.
The research is clear; the question is how you will reduce application vulnerabilities at your organization. Contact our team today to learn about Security Journey’s continuous, programmatic approach to AppSec training.