An EMA survey of 129 software development professionals uncovered that for those using code scanning tools, only 10% of organizations prevented a higher percentage of vulnerabilities than organizations not using code scanning tools, while continuous training greatly improved code security for over 60% of organizations that adopted it.
Researchers also found that as many as 70% of organizations are missing critical security steps in their software development lifecycle (SDLC), highlighting a struggle with a ‘shift-left’ approach.
Despite the fact that new vulnerabilities per year in the National Vulnerability Database (NVD) have grown over 210% (from 6,487 to 20,139) between 2015 to 2021, the ‘shift-left’ approach has not been well adopted.
Only 25% of organizations are using a shift-left security strategy, according to EMA’s study, despite the growing industry awareness of its importance.
The research showed that security remains a lower priority for many organizations – almost 50% do not dedicate a step for security validation, 20% don’t plan their application security and 4% don’t have a dedicated security implementation step.
Yet the benefits of making the shift are well proven: 9 in 10 of those that have adopted a shift-left approach have realized reductions in vulnerabilities.
“We have seen a worrying increase in new vulnerabilities over the last several years. While 99% of organizations have security awareness training programs, this approach does not go far enough for those in security-critical roles like developers,” says Amy Baker, Security Education Evangelist at Security Journey.
“Awareness is a primer for knowledge, but to truly shift the paradigm and solve the AppSec dilemma, the focus must change from ‘awareness’ of AppSec to ‘in-depth knowledge’ and training developers on secure coding practices is the next step in security awareness programs. Vulnerabilities detected earlier in development are easier to resolve and far less costly. And this requires a programmatic and continuous approach to application security education and specifically secure coding training for developers,” Baker continued.
Trained developers: Invaluable to improving code security
Training is often an under-utilized method for delivering more secure applications. The study found that secure coding training has a high return on investment, 28.8% of respondents utilizing continuous training prevented over 90% of vulnerabilities from reaching production.
The study also found the most common barriers to investment in training are perceived impacts on productivity. Yet when continuous training is delivered by third parties and implemented in tandem with code reviews and code scanning tools, 100% of organizations saw improvement in their code security.
“All too often, when it comes to cybersecurity, the human element is the most overlooked component of any system,” says Ken Buckler, Research Analyst at EMA.
“With lowest adoption rates (54%) and highest code improvement rates (100%), third-party training appears to be the critical component some organizations are failing to invest in. Code reviews without training may ultimately prove to be futile efforts, simply checking a compliance checkbox that the code was reviewed. After all, how can those reviewing the code understand if the code is secure if those reviewers haven’t been given the proper training in the first place?,” Buckler concluded.