The Benefits of Benchmarking Security Skills for Developers
With cyber threats becoming more prevalent and increasingly sophisticated, the focus of cybersecurity is centering on the importance of secure code. The White House’s National Cybersecurity Strategy and the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure-by-Design initiative, along with initiatives and legislation in other countries, put the responsibility for security squarely on the shoulders of software producers. Shifting left—or more accurately, starting left—to ensure security early in the software development lifecycle (SDLC), once considered nice to have, is now essential for organizations to protect their data and systems and avoid regulatory fallout in the wake of a breach.
The key to ensuring secure coding practices is in developer training. Software engineers typically receive little or no cybersecurity education. Their job, especially in today’s accelerated DevOps environment, has been to spin out new applications, upgrades and services as quickly as possible—increasingly with the help of fast-working generative AI models—and let security teams address cybersecurity issues at some point later in the SDLC. That’s an inefficient way to address the plethora of flaws that crop up with so much code being created, often resulting in software vulnerabilities being released into the ecosystem.
Developers need to be trained to write secure code from the start and to catch insecure code, whether it is generated by AI or present in the open-source and other third-party software they use. For many development teams and organizations, this is untrodden territory. How do they know developers are getting the training they need? And is that training being applied on a regular basis?
Some companies pursuing developer education have found it beneficial to establish a baseline set of skills for developers to acquire and to measure their progress against clearly defined benchmarks. To help with that effort, Secure Code Warrior has launched a benchmark designed to accurately measure developers' progress in security training. The SCW Trust Score allows organizations to measure how well training is being applied on the job and enables security, developer, and engineering teams to collaborate.
It’s a way to see proof that secure-code training is taking hold while identifying areas for improvement.
The Case for Secure Design
Software producers have every reason to bring security into the SDLC at the beginning of the process. The rising demand for applications and services and the speed that AI brings to the development process have proved useful to developers, who quickly adopted generative AI, but they also inevitably result in buggy software being released into the pipeline. The more code generated, the more flaws—and recent research has found that nearly three-quarters of applications (regardless of how they were created) contain at least one security flaw, with nearly 20% of them considered critical.
Catching up with vulnerabilities later in the SDLC is becoming prohibitively time-consuming and costly. The National Institute of Standards and Technology (NIST) has found that fixing defects during testing takes 15 times longer than securing software at the start of the SDLC, and fixing them during the deployment/maintenance stage can take 30 to 100 times longer.
All of this underscores the importance of applying security at the beginning of the development cycle, which has proved to be not only the most effective way to reduce risk, but the most cost-effective. Developers—working with security teams rather than having them function as separate entities—are in the best position to bring security into the start of the SDLC. And developers trained in security best practices have been effective at reducing vulnerabilities. The problem is that so few of them have been trained.
The Beauty of Benchmarks
The basic path for companies involves establishing a baseline of security skills, providing training, and verifying—to both the organizations and regulators—that developers have acquired the necessary skills. This has proved challenging for many organizations across all economic sectors, but it doesn’t have to be.
One of the challenges security leaders identify is the difficulty of scaling a training program across the entire enterprise. But SCW’s research shows that organizations, especially those with large cadres of developers, can successfully implement a secure-design approach. The results of smaller organizations tend to show a wide variance in how well they apply Secure-by-Design principles. Still, they, too, can benefit from an approach that includes Trust Scores, and will likely show improvements more quickly.
Trust Score uses benchmarking metrics to measure the progress of individual learners, aggregates their scores to assess the performance of the overall team and compares the organization’s progress with industry benchmarks and best practices. It not only tracks training but shows how well developers are applying their new skills on a day-to-day basis. It also highlights areas that need to be improved, enabling the organization to optimize its training/upskilling programs.
Across CISA’s critical infrastructure sectors for which data was available, most organizations are at about the same level in implementing secure design principles. Trust Scores for sectors ranging from financial services and the defense industrial base to healthcare, IT and critical manufacturing fell in the same range—a little over 300 on a 1,000-point scale. No one industry outpaces the others, despite the conventional wisdom that financial services, as the most regulated industry, would be far in front.
Critical infrastructure sectors not included in the Trust Score ranking—such as chemical, energy, and nuclear operations—generally don’t create their own software, instead relying on other sectors, particularly IT. However, the importance of maintaining secure systems within those sectors (no one wants to see a nuclear power plant get compromised) only shows how essential it is to secure the software they use in the first place.
Conclusion
The increased regulatory pressure and the realities of the cyber threat landscape have made a Secure-by-Design approach imperative for organizations that want to protect their data, systems, business operations and reputations. In large part, creating secure software is in the hands of developers, but they need assistance in the form of a thorough upskilling and training program that provides the education they need, and shows how it’s being applied.
A program that includes benchmarks, backed by a tool such as Trust Score, can provide a clear view of a development team’s critical progress. It’s a vital new approach that both developers and the companies they work for need to ensure that they are constantly improving their secure software development skills, while also meeting the new Secure-by-Design requirements.
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products, and he has over 10 patents to his name. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.