A sure way to improve your organization’s security posture is through developer upskilling in secure coding best practices, delivered in a framework that includes baselines and benchmarks designed to give developers the specific learning pathways they need. Secure coding, however, is not a one-time fix—it must become a way of life, encoded into an organization’s DNA. Developers not only have to shift left, or start left, but they need to stay left.
Simply providing training isn’t enough. Organizations need to confirm that developers have completely absorbed their training and are following best practices at the beginning of the software development lifecycle (SDLC) as part of their everyday routines. You need to track developers’ performance and measure their progress against both internal standards and industry benchmarks, effectively measuring the ROI of investing in training.
Secure Code Warrior’s Trust Score provides visibility into the performance of individual developers and aggregates the data to provide an assessment of your organization’s overall performance. It shows the effectiveness of upskilling programs while identifying areas in need of improvement. And, it helps ensure compliance with the range of regulatory compliance requirements, whether they come from the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the California Consumer Privacy Act (CCPA), or others.
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Training Improves Security – If Developers Get It
For years, using security best practices at the start of the SDLC seemed to be mostly aspirational in the software industry—great to have someday, but not a priority for today. But the ever-increasing speed of software development, along with the accelerating pace of sophisticated and destructive cyber threats—often built on targeting software vulnerabilities—have made secure coding essential. The Cybersecurity and Infrastructure Security Agency (CISA) puts secure code front and center with its Secure-by-Design initiative, which is growing into an international movement.
Our research has proved the point—the correlation between a Secure-by-Design approach and a reduction in software vulnerabilities is clear. We analyzed vulnerability reduction data from 26% of SCW’s customer base and found that developer training resulted in reductions of software vulnerabilities ranging from 22% to 84%. That range resulted from variables such as the size of the companies involved (smaller companies with relatively few developers produced a more dramatic range of results), and whether a learning group was focused on a specific problem, in which case they eliminated a higher percentage of flaws.
The results with large companies were rather consistent. Companies with 7,000 or more developers can expect to see vulnerabilities reduced by 47% to 53% as a result of developer upskilling in security. For example, one statistically average company with more than 10,000 developers—not a top performer on the platform nor one with the highest benchmark—saw a 53% reduction in vulnerabilities.
Of course, the most effective training doesn’t take a broad, one-size-fits-all approach. It should be tailored to developers’ work environments and the types of development they do.
Companies should start by establishing the baseline skills developers must have to make writing secure code as natural to them as simply writing code. Upskilling programs should consist of hands-on, agile training in real-world scenarios that match the type of work they do and the languages they use. And it should be flexible enough to fit training sessions into their work schedules.
For developers, the skill set involves more than writing code. They need to be able to check software created by artificial intelligence assistants and third parties, such as open-source repositories. Developers have made avid use of generative AI models, and they have generally lauded their benefits in helping them create more code more quickly. However, although 76% of respondents to a Snyk survey said that AI-generated code was more secure than code produced by humans, 56.4% still said that AI introduces errors sometimes or frequently. And the same survey found that 80% of developers skip applying AI code security policies, suggesting that security issues in AI-generated code are not being addressed.
In a Secure-by-Design approach, developers—working with security teams, rather than separately from them—will address those issues early in the SDLC, identifying and remediating flaws before code goes into production.
Trust Score Measures Individual and Enterprise Performance
It’s also critical that training is ongoing. Companies need to adopt a security-first culture that applies everywhere from the highest echelons of the company on down through the ranks. It should focus on continuous improvement and the application of best security practices throughout the SDLC. Technology and cyber criminals don’t stop evolving; neither should cybersecurity. For organizations that produce software, security-trained developers are the foundation.
That’s why demonstrating that training has effectively taken hold is just as important as the training itself. Trust Score not only delivers visibility into the performance of developers individually and the organization overall, it enables organizations to drill down through performance data to focus on specific languages, developer teams or software categories. The data from individual and aggregated performance results also helps identify areas where training needs to be improved—for example, if it isn’t having the desired effect on developers’ everyday performance.
Trust Score has empowered organizations to assess developers’ performance and confirm whether they have acquired—and are using—the necessary security skills, ensuring they have earned their license to code. It allows organizations to confidently grant qualified developers access to their most sensitive data and critical software projects, while withholding that access from developers who aren’t quite ready yet.
Proof of a Changing Security Culture
Cybersecurity is no longer just a security issue. It’s a business issue, affecting the integrity of the most valuable asset of many organizations — their data. A serious breach affects an organization’s operations, reputation and, potentially, its viability. Cybersecurity’s importance has not been lost on regulatory bodies, which have been implementing increasingly strict regulations and shown a willingness to pursue cases against CISOs and, potentially, other members of upper management, even to the point of filing criminal charges, as in the cases of Uber and SolarWinds.
Adopting an enterprise-wide security culture is essential in today’s environment. And because so much of a company’s value rests in its data, applications and services, secure coding is a core element of that culture. Targeted training and upskilling as part of a cultural mindset, together with proof that the training has helped change the culture, can set organizations on the path to strengthening their security postures.
There is value in developer-driven security programs. The proof is in the Trust Score.