The Linux Foundation Research and the Open Source Security Foundation (OpenSSF) have jointly released a new report titled “Secure Software Development Education 2024 Survey: Understanding Current Needs.” This report is based on a survey of nearly 400 software development professionals and delves into the current state of secure software development, emphasizing the critical need for formalized industry education and training programs.
The analysis from the survey reveals a concerning lack of essential knowledge and skills among developers when it comes to implementing secure software development practices. In fact, approximately one-third of all professionals directly involved in development and deployment processes admit to feeling unfamiliar with these practices. This lack of expertise is particularly worrisome as these individuals are responsible for creating and maintaining the code that powers company applications and systems.
David A. Wheeler, the director of open source supply chain security for the Linux Foundation, emphasized the urgency of equipping developers with the necessary knowledge and skills to write secure code. He highlighted the challenges arising from the insufficient education in secure software development and stressed the importance of prioritizing efforts to enhance education in this critical area. OpenSSF is offering a free course on developing secure software (LFD121) and urges developers to take advantage of this resource.
The survey findings also point to a deficiency in security awareness, attributing it to educational programs that focus more on functionality and efficiency rather than security training. Most professionals rely on on-the-job experience as their primary learning resource, but it typically takes at least five years of such experience to achieve a minimum level of security familiarity.
Key insights from the survey indicate that a lack of time, awareness, and training are the biggest challenges to implementing secure software development practices within organizations. Additionally, many professionals cite a lack of knowledge about suitable courses as the main reason for not pursuing further education in secure software development. Self-directed learning methods, such as online tutorials and books, are prevalent among respondents.
The survey also highlights emerging security concerns such as artificial intelligence and supply chain security as critical areas for future innovation and attention. Christopher “CRob” Robinson, co-chair of the OpenSSF Education Special Interest Group, announced plans to create a new course on security architecture to address the existing knowledge gap and promote a ‘security by design’ approach to software developer education.
Industry professionals are encouraged to explore the full report to gain insights into OpenSSF’s training materials and guides on secure software development. They can also sign up for the free course, Developing Secure Software (LFD121), to enhance their skills in secure software development.
The Open Source Security Foundation (OpenSSF) is a collaborative initiative by the Linux Foundation that aims to advance open source security by uniting key industry initiatives and stakeholders. For more information about the OpenSSF, visit openssf.org. The Linux Foundation, known for fostering collaboration on open source software, hardware, and standards, plays a vital role in the global open source ecosystem. To learn more about the Linux Foundation projects and initiatives, visit linuxfoundation.org.