Few software developers employ secure by design training, research finds

Under 4% of software developers across the globe are implementing training initiatives focused on baking baseline cybersecurity standards into the design and development of their products, research out Monday says.

The small figure, which may help explain why basic software bugs are still frequently exploited by hackers en masse, comes from Secure Code Warrior, a firm headquartered in Australia that offers secure software manufacturing tools and services.

The findings are backed by Chris Inglis, the White House’s first national cyber director, and his successor Kemba Walden, who held the role in an acting capacity until the end of last year.

The data point originates from a mass study of enterprise firms, which found that for every 100 developers, there are just 3.87 application security specialists focused on secure coding. 

Secure Code Warrior surveyed some 600 private sector customers and over 250,000 developers and mapped the data against U.S. government-designated critical infrastructure sectors to determine each sector’s strength in meeting secure software principles.

A collection of industries — including financial services, healthcare and information technology — had similar secure code upskilling scores, though eight of the critical infrastructure sectors were completely missing from the findings. The report notes that some sectors rely on other industries for their software development and, because of that, those missing verticals did not have relevant data for analysis.

Larger firms that employ at least 7,000 software developers may be able to reduce vulnerabilities by 47% to 53% when secure-by-design principles are implemented in their work, the findings added.

“At a time of unprecedented global cyber threats, these new findings demonstrate the need to enhance SBD initiatives across our digital infrastructure to reduce critical vulnerabilities,” said Walden, now at Paladin Capital Group, a venture capital firm that invests in cybersecurity and emerging tech companies. “This research issues a clear call to action for upskilling personnel and creating benchmarks to meet critical cybersecurity goals.”

The Cybersecurity and Infrastructure Security Agency has been pushing secure product design since its inception in 2018. Multiple high-profile cyber incidents since the start of the decade have galvanized interest in the concept, which encourages companies to design their products with built-in security features that come pre-installed at point-of-sale.

CISA unveiled a voluntary secure by design pledge at the RSA Conference in May, with some 70 firms at the time pledging to manage vulnerability disclosure programs, track hackers’ attempts to breach their products and reduce default passwords used to log into devices or applications during first-time setup, among other areas. Over 200 companies are now signed on.

The Office of the National Cyber Director, through a sweeping governmentwide cybersecurity strategy released last March, is also pushing secure by design principles. The office has urged developers to adopt memory-safe programming languages with built-in guardrails to prevent memory leaks, which can lead to unauthorized access, data sabotage or system crashes enabled by hackers.

Inglis, who is now a senior strategic advisor at Paladin, echoed the urgency of the findings: “Now more than ever, we have a national responsibility to ensure SBD upskilling programs are in place.”

Proponents of secure software standards have made comparisons akin to food or automobile safety laws, arguing that legal directives for software manufacturing would benefit all of society. Many software defects have existed for years inside websites, databases or code repositories, and have not been entirely addressed, largely because there is no blanket regulatory mandate to follow.

Some legal experts argue that the software market isn’t incentivizing secure development, with major providers weaving clauses into products’ contracts that make users accept the software “as is” upon purchase and installation, which forces customers to bear the entire risk of a product in its present state, including defects that could enable cyber exploitation.