The Benefits of Benchmarking Security Skills for Developers

Matias Madou, Ph.D.
Published Oct 22, 2024

With cyber threats becoming more prevalent and increasingly sophisticated, the focus of cybersecurity is centering on the importance of secure code. The White House’s National Cybersecurity Strategy and the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure-by-Design initiative, along with initiatives and legislation in other countries, put the responsibility for security squarely on the shoulders of software producers. Shifting left—or more accurately, starting left—to ensure security early in the software development lifecycle (SDLC), once considered nice to have, is now essential for organizations to protect their data and systems and avoid regulatory fallout in the wake of a breach.

The key to ensuring secure coding practices is in developer training. Software engineers typically receive little or no cybersecurity education. Their job, especially in today’s accelerated DevOps environment, has been to spin out new applications, upgrades and services as quickly as possible—increasingly with the help of fast-working generative AI models—and let security teams address cybersecurity issues at some point later in the SDLC. That’s an inefficient way to address the plethora of flaws that crop up with so much code being created, often resulting in software vulnerabilities being released into the ecosystem.

Developers need to be trained to write secure code from the start and be able to catch insecure code generated by AI or when it’s present in open-source and other third-party software they use. For many development teams and organizations, this is untrodden territory. How do they know developers are getting the training they need? And is that training being applied on a regular basis?

Some companies pursuing developer education have found it beneficial to establish a baseline set of skills for developers to acquire and to measure their progress against clearly defined benchmarks. To help with that effort, Secure Code Warrior has launched a benchmark designed to accurately measure developers' progress in security training. The SCW Trust Score allows organizations to measure how well training is being applied on the job and enables security, developer, and engineering teams to collaborate.

It’s a way to see proof that secure-code training is taking hold while identifying areas for improvement.

The Case for Secure Design

Software producers have every reason to bring security into the SDLC at the beginning of the process. The rising demand for applications and services, and the speed that AI brings to the development process, have proved useful to developers, who quickly adopted generative AI, but they also inevitably result in buggy software being released into the pipeline. The more code generated, the more flaws—and recent research has found that nearly three-quarters of applications (regardless of how they were created) contain at least one security flaw, with nearly 20% of them considered critical.

Catching up with vulnerabilities later in the SDLC is becoming prohibitively time-consuming and costly. The National Institute of Standards and Technology (NIST) has found that fixing defects during testing takes 15 times longer than securing software at the start of the SDLC, and fixing them during the deployment/maintenance stage can take 30 to 100 times longer. 

All of this underscores the importance of applying security at the beginning of the development cycle, which has proved to be not only the most effective way to reduce risk, but the most cost-effective. Developers—working with security teams rather than having them function as separate entities—are in the best position to bring security into the start of the SDLC. And developers trained in security best practices have been effective at reducing vulnerabilities. The problem is that so few of them have been trained.

The Beauty of Benchmarks

The basic path for companies involves establishing a baseline of security skills, providing training, and verifying—to both the organizations and regulators—that developers have acquired the necessary skills. This has proved challenging for many organizations across all economic sectors, but it doesn’t have to be.

One of the challenges security leaders identify is the difficulty of scaling a training program across the entire enterprise. But SCW’s research shows that organizations, especially those with large cadres of developers, can successfully implement a secure-design approach. The results of smaller organizations tend to show a wide variance in how well they apply Secure-by-Design principles. Still, they, too, can benefit from an approach that includes Trust Scores, and will likely show improvements more quickly.

Trust Score uses benchmarking metrics to measure the progress of individual learners, aggregates their scores to assess the performance of the overall team and compares the organization’s progress with industry benchmarks and best practices. It not only tracks training but shows how well developers are applying their new skills on a day-to-day basis. It also highlights areas that need to be improved, enabling the organization to optimize its training/upskilling programs. 

Across CISA’s critical infrastructure sectors for which data was available, most organizations are at about the same level in implementing secure design principles. Trust Scores for sectors ranging from financial services and the defense industrial base to healthcare, IT and critical manufacturing fell in the same range—a little over 300 on a 1,000-point scale. No one industry outpaces the others, despite the conventional wisdom that financial services, as the most regulated industry, would be far in front.

Critical infrastructure sectors not included in the Trust Score ranking—such as chemical, energy, and nuclear operations—generally don’t create their own software, instead relying on other sectors, particularly IT. However, the importance of maintaining secure systems within those sectors (no one wants to see a nuclear power plant get compromised) only shows how essential it is to secure the software they use in the first place.

Conclusion

The increased regulatory pressure and the realities of the cyber threat landscape have made a Secure-by-Design approach imperative for organizations that want to protect their data, systems, business operations and reputations. In large part, creating secure software is in the hands of developers, but they need assistance in the form of a thorough upskilling and training program that provides the education they need, and shows how it’s being applied. 

A program that includes benchmarks, backed by a tool such as Trust Score, can provide a clear view of a development team’s critical progress. It’s a vital new approach that both developers and the companies they work for need to ensure that they are constantly improving their secure software development skills, while also meeting the new Secure-by-Design requirements.

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.