Blog | Linux Foundation

Why are Organizations Struggling to Implement Secure Software Development?

Written by Linux Foundation Research | Jul 2, 2024 9:08:39 PM

Most businesses and individuals are aware of the importance of cybersecurity when it comes to protecting organizational and personal data, and that hackers seek out software vulnerabilities when making their attacks.

But did you know that according to a 2021 Verizon report, 43% of security breaches are linked back to insecure software development practices?

The Secure Software Development Education 2024 Survey, conducted through a partnership between the Open Source Security Foundation (OpenSSF) and Linux Foundation (LF) Research, examines the secure software development education needs of professionals in this field. Our results indicate that the need for security awareness and training is one of the top challenges for organizations. 

Here are some top-level insights from the report. For a deeper dive, please read our full report!

What is Secure Software Development?

Secure software development is more than simply adding a checklist item to the software development process. It involves adopting a mindset of prioritizing secure coding practices into the framework of everyday work. Some examples include regular security assessments and proactive threat modeling.

Importantly, achieving the goal of consistently following secure software development practices relies heavily on the individual day-to-day actions and practices of the software engineers and other professionals writing the code.

No matter how sophisticated developer tools become, the knowledge and mindset of the individuals designing and writing the code have the biggest impact on its overall quality, especially when it comes to developing securely.

Dave Russo, Red Hat, Co-Chair of the OpenSSF Education Special Interest Group

How are we currently doing?

Short answer: we can definitely do better! Almost one third (28%) of software development professionals reported that they are not familiar with secure software development practices.

One assumption might be that, due to the historical emphasis on teaching functionality and efficiency over security in software engineering training programs, older technology professionals missed the newer security-focused classes – but with the increased focus on cybersecurity, recent graduates have been better prepared.

Unfortunately, not! Surprisingly, the survey revealed that software developers with less than one year of experience report the lowest familiarity with secure software development practices – a giant 75% say they are unfamiliar with them!

What are the primary education and resource gaps?

The primary focus of the Secure Software Development Education 2024 Survey was to identify priority areas for additional training. Key results show gaps in these areas:

  • Lack of Awareness – 53% of professionals, especially those in system operations, have not taken a course on secure software development, largely due to a lack of awareness of good courses (44%).
  • Lack of Access to Training – 69% of professionals rely on on-the-job experience as a learning resource for secure software development, but it can take more than 5 years of such experience to achieve familiarity. Supplemental training can bridge that gap.
  • Lack of Specific Training – Training needs vary significantly based on professional roles and experience levels.

See Chapter 2: The Need for More Training in the report for additional insights.

What do software developers have to say about this?

Highlights from the survey show some common themes in responses from software developers:

  • Increase Access to Training – A clear opportunity for improvement is in access to on-the-job training, as 50% of professionals identify a lack of training as a major challenge for implementing secure software development.
  • Training Delivery Method – Self-paced training is the most preferred option (74% find this method useful), followed by online instructor-led training (52%).
  • Priority Areas for Training – Popular language-agnostic courses include security architecture (64%), security education and guidance (64%), and secure implementation (63%). In addition, 56% of respondents see supply chain security as a crucial area needing increased focus and innovation, and 57% of respondents identify AI and ML security as a critical area for future innovation and attention in secure software development.
  • Programming Language – 79% of professionals consider language-agnostic courses highly important, compared with 54% who attribute the same level of importance to language-specific courses. Among language-specific options, Python is the most popular language (preferred by 71%).

Where can organizations start bridging the gaps?

The OpenSSF, a collaborative initiative hosted by the Linux Foundation, offers training programs, educational materials, and resources to equip developers with the knowledge and skills necessary for secure coding, including a free course on the fundamentals of developing secure software.

Based on the findings of this survey, the OpenSSF selected Security Architecture as the topic of a new course.