A recent report from OpenSSF and the Linux Foundation highlights that attackers continue to exploit software vulnerabilities, underscoring the need for strong software security practices. Despite this, a significant share of developers lack the knowledge and skills needed to implement secure software development practices.
The report reveals that nearly one-third of professionals directly involved in development and deployment, including system operations, software developers, committers, and maintainers, admit to feeling unfamiliar with secure software development practices. This lack of awareness is particularly alarming as these individuals are responsible for creating and maintaining the code that powers a company’s applications and systems.
David A. Wheeler, director of open source supply chain security at the Linux Foundation, emphasized the urgency of equipping developers with the expertise to write secure code. He pointed to the damage that results when software vulnerabilities are exploited and stressed the importance of prioritizing secure development education across the industry.
One of the key challenges identified in the survey is the lack of formal education in secure software development. Current educational programs often prioritize functionality and efficiency while neglecting security training. As a result, 69% of professionals rely on on-the-job experience as their primary way of learning, a path the report says takes at least five years to reach a minimum level of security proficiency.
The survey also identified lack of time, lack of awareness, and lack of training as the top obstacles to implementing secure software development practices within organizations. Additionally, 44% of professionals cited not knowing which courses are suitable as the primary reason for not pursuing education in secure software development.
Notably, software developers with limited experience reported the highest level of unfamiliarity with secure software development practices, underscoring the need for comprehensive training and education initiatives. To address these educational gaps, language-agnostic courses are recommended to help IT staff enhance their capabilities in secure software development.
Many professionals in software development prefer self-directed learning, with 74% using resources such as online tutorials, videos, and books as their primary sources of learning. The emergence of new security concerns, such as AI and software supply chain attacks, further underscores the importance of ongoing education and training in the field.
Christopher “CRob” Robinson, co-chair of the OpenSSF Education Special Interest Group (SIG) and chair of the OpenSSF Technical Advisory Council (TAC), stressed the significance of identifying priority areas for additional training to bridge the existing knowledge gap in secure software development. Organizational efforts to provide diverse educational resources will help IT staff address security challenges more effectively.
Ultimately, the goal of security education and guidance is to raise employees’ security awareness and enable them to incorporate secure practices into the design, development, and deployment of software. By building security into software from the outset rather than retrofitting it later, developers can create more resilient products and reduce the risk of vulnerabilities and cyber attacks.