September 16, 2020

16% of Orgs Require Developers to Self-Educate on Security

Theoretical physicist Stephen Hawking was spot on when he said, “Whether you want to uncover the secrets of the universe, or you just want to pursue a career in the 21st century, basic computer programming is an essential skill to learn.” It’s no secret that programming is a thriving career path – especially with the speed of software development picking up, not slowing down.

But one critical element of modern programming is missing from Hawking’s quote: security. Developers simply aren’t taught secure coding practices in school and so often graduate without the foundational security knowledge required to find and fix flaws before they’re a problem. And at the same time, now more than ever, you’re expected to code with security at top of mind and produce more secure applications without continuous training opportunities at your fingertips.

Secure coding conundrum: Spotty developer training

Recently, we sponsored Enterprise Strategy Group’s (ESG) survey of 378 North American developers and security professionals to gain more insight into the trends in modern application security (AppSec). The results? Developer training is spotty, and it’s often unclear who holds the responsibility of seeing it through.

“While most [organizations] provide developers with some level of security training, more than 50 percent only do so annually or less often.” The report continues, “While development managers are often responsible for this training, in many organizations, application security analysts carry the burden of performing remedial training for development teams or individual developers who have a track record of introducing too many security issues.”

There’s a clear disconnect between frequency and educational requirements when it comes to developer training, which leaves most programmers lacking opportunities to learn and grow. Breaking the data down, we see that a mere 15 percent of organizations have the majority of their developers participate in consistent, formal security training.

Even more telling about the state of developer education were the numbers that highlighted security training requirements for programmers. For example, 16 percent of organizations say developers are expected to self-educate, while 20 percent only provide training to new developers who join their teams.

If organizations aren’t putting in the effort to expand security know-how, you might (rightfully) see it as a fruitless exercise. Luckily, changing that narrative is often as simple as integrating developer training tools that are clear, engaging, and provide value.

Education that resonates: the right content in the right format

ESG lists the ten elements of the most effective application security programs and it’s no surprise that number five is all about developer participation in security training. While the need is obvious, it’s clear that many organizations still struggle with how to implement developer education – and which exercises will even resonate.

As detailed by ESG, security vendors can provide guidance through just-in-time training offerings or remediation advice, but the responsibility still falls on the plate of the developer at the end of the day. Without the right kind of content offered in the right format, it’s more difficult to retain the information you need to code more securely. “Issue mitigation is often tied to better understanding how and why certain code introduces issues, so developer security training should gradually address this issue,” ESG states. 

If you want to produce more secure code and reduce risk, it’s no longer enough to simply sit down in front of a tutorial or a multiple-choice quiz and check boxes. The solution? Hands-on secure coding education that takes learning to another level. Real-world training solutions like Veracode Security Labs use actual examples you’ll encounter while coding, which means the lessons are more likely to stick with you from project to project. Veracode Security Labs is different from other training tools, bringing benefits like:

  • Quick and relevant remediation guidance in the popular programming languages
  • Real-world vulnerabilities that you’ll encounter in day-to-day development tasks
  • Enhanced security knowledge to meet compliance needs and build confidence

And while we offer an Enterprise Edition for organizations, we also recently launched Veracode Security Labs Community Edition for developers like you who are itching to explore the ins and outs of real code on your own time - for free - so that you can start learning secure coding practices and become an active contributor to your organization’s AppSec.

Want more info about shifting your security knowledge left so you can keep cranking out great code? Read the full ESG report here.

Meaghan McBee is a Senior Content Marketing Manager at Veracode, responsible for creating content around best practices in application security and the current state of DevSecOps.