Developer upskilling crucial for Secure-by-Design success

Secure Code Warrior has released new findings on the impact of developer upskilling on organisations' Secure-by-Design (SBD) initiatives, drawing from over 20 million data points worldwide.

The study highlights that organisations in critical infrastructure sectors such as financial services, defense, healthcare, and IT are advancing in readying their developers for SBD efforts. These sectors exhibit a stronger security posture—evaluated using the SCW Trust Score—than others.

Chris Inglis, Senior Strategic Advisor at Paladin Capital Group and a former National Cyber Director, stated, "Now more than ever, we have a national responsibility to ensure SBD upskilling programs are in place. Risk reduction is at the core of this latest analysis, and Secure Code Warrior is leading the charge to enhance developer security learning, prevent cyberattacks, and strengthen our nation's critical infrastructure."

Secure Code Warrior's analysis involved collaboration with the Paladin Global Institute and brought attention to the importance of developer upskilling as a measure of SBD progress. The research underscores the challenge faced by Chief Information Security Officers in proving early Return on Investment (ROI) of their SBD initiatives due to the lack of a standards benchmark.

Key findings revealed that less than 4% of developers globally are engaged in SBD upskilling initiatives. However, sectors like financial services have a high SCW Trust Score, with an average of 336, indicating a relatively strong security posture compared to non-critical sectors.

Kemba Walden, President of the Paladin Global Institute and former acting National Cyber Director, commented, "At a time of unprecedented global cyber threats, these new findings demonstrate the need to enhance SBD initiatives across our digital infrastructure to reduce critical vulnerabilities. This research issues a clear call to action for upskilling personnel and creating benchmarks to meet critical cybersecurity goals."

Matias Madou, co-founder and CTO of Secure Code Warrior, stated, "Baselines and benchmarks can greatly optimise an organisation's security posture by making secure coding an essential part of its DNA. To know if a SBD initiative is making real progress, you need the quantitative evidence that developer upskilling efforts are effective, and that they absorb security best practices into their work habits. You must have complete faith that developers have truly earned their license to code."

The analysis discovered that large-scale upskilling initiatives, consisting of more than 7,000 developers in a single company, could reduce vulnerabilities by 47-53%. Both large-scale and smaller-scale initiatives can see success, but mandates are necessary to realise timely ROI, according to the research.

The global Secure-By-Design movement is growing, with more countries incorporating related guidelines into broader cybersecurity strategies. However, the development of secure defaults and a security-literate developer workforce remains a challenge without precise data to influence a developer skills benchmark. Agile upskilling programmes, built on well-established baselines and including practical sessions, resonate well with developers.

Amidst global legislative reforms requiring verified security skills among developers, organisations are addressing challenges related to scaling security programmes, particularly ongoing upskilling and assessment of personnel. Many organisations have adopted large-scale initiatives, thus making a notable impact on their security posture.