Why are Organizations Struggling to Implement Secure Software Development?
Linux Foundation Research | 02 July 2024
Most businesses and individuals are aware of the importance of cybersecurity when it comes to protecting organizational and personal data, and that hackers seek out software vulnerabilities when making their attacks.
But did you know that according to a 2021 Verizon report, 43% of security breaches are linked back to insecure software development practices?
The Secure Software Development Education 2024 Survey, conducted through a partnership between the Open Source Security Foundation (OpenSSF) and Linux Foundation (LF) Research, examines the secure software development education needs of professionals in this field. Our results indicate that the need for security awareness and training is one of the top challenges for organizations.
Here are some top-level insights from the report. For a deeper dive, please read our full report!
What is Secure Software Development?
Secure software development is more than simply adding a checklist item to the software development process. It involves adopting a mindset of prioritizing secure coding practices into the framework of everyday work. Some examples include regular security assessments and proactive threat modeling.
Importantly, achieving the goal of consistently following secure software development practices relies heavily on the individual day-to-day actions and practices of the software engineers and other professionals writing the code.
No matter how sophisticated developer tools become, the knowledge and mindset of the individuals designing and writing the code have the biggest impact on its overall quality, especially when it comes to developing securely.
Dave Russo, Red Hat, Co-Chair of the OpenSSF Education Special Interest Group
How are we currently doing?
Short answer: we can definitely do better! Almost one third (28%) of software development professionals reported that they are not familiar with secure software development practices.
One assumption might be that, due to the historical emphasis on teaching functionality and efficiency over security in software engineering training programs, older technology professionals missed the newer security-focused classes – but with the increased focus on cybersecurity, recent graduates have been better prepared.
Unfortunately, not! Surprisingly, the survey revealed that software developers with less than one year of experience report the highest lack of familiarity with secure software development practices – a giant 75%!
What are the primary education and resource gaps?
The primary focus of the Secure Software Development Education 2024 Survey was to identify priority areas for additional training. Key results show gaps in these areas:
- Lack of Awareness - 53% of professionals, especially those in system operations, have not taken a course on secure software development, largely due to the lack of awareness about good courses (44%).
- Lack of Access to Training - 69% of professionals rely on on-the-job experience as a learning resource for secure software development, but it can take more than 5 years of such experience to achieve familiarity. Supplemental training can bridge that gap.
- Lack of Specific Training - Training needs vary significantly based on professional roles and experience levels.
See Chapter 2: The Need for More Training in the report for additional insights.
What do software developers have to say about this?
Highlights from the survey show some common themes in responses from software developers:
- Increase Access to Training – A clear opportunity for improvement is in access to on-the-job training, as 50% of professionals identify a lack of training as a major challenge for implementing secure software development.
- Training Delivery Method – Self-based training is the most preferred option (74% find this method useful) followed by online instructor-led training (52%).
- Priority Areas for Training - Popular language-agnostic courses include security architecture (64%), security education and guidance (64%), and secure implementation (63%). In addition, 56% of respondents see supply chain security as a crucial area needing increased focus and innovation and 57% of respondents identify AI and ML security as a critical area for future innovation and attention in secure software development.
- Programming Language - 79% of professionals consider language-agnostic courses highly important, compared with 54% who attribute the same level of importance to language-specific courses. Among language-specific options, Python is the most popular language (preferred by 71%).
Where can organizations start bridging the gaps?
The OpenSSF, a collaborative initiative hosted by the Linux Foundation, offers training programs, educational materials, and resources to equip developers with the knowledge and skills necessary for secure coding, including a free course on the fundamentals of developing secure software.
Based on the findings of this survey, the OpenSSF selected Security Architecture as the topic of a new course.
Linux Foundation Research
About the Author
Similar Articles
Browse Categories
Cloud Computing Compliance and Security Open Source Projects 2024 Linux How-To LF Research Open Source Ecosystem and Governance Blog Diversity & Inclusion Research Newsletter Data, AI, and Analytics linux blog Training and Certification Linux Cross Technology Cloud Native Computing Foundation cybersecurity software development Announcements Decentralized Technology Legal OpenSearch Sustainability and Green Initiatives cloud native generative AI lf events Finance and Business Technology Networking and Edge cncf industries Emerging Technology Health and Public Sector Interoperability Kubernetes Topic: Security Web Application & Development amazon web services aws community tools confidential computing challenges decentralized AI decentralized computing eBPF funding japan spotlight kernel license compliance openssf ospo research survey skills development state of open source tech talent