When it comes to travel, individuals often have their preferred airline of choice due to positive experiences from one destination to the next. They’ve developed true brand trust and loyalty. Oftentimes, they participate in frequent flyer programs, which reward travellers with various benefits based on their travel habits and brand reliance. As you accumulate miles and achieve higher status levels with a specific airline, you gain access to perks: such as priority security lines, early boarding, complimentary upgrades and exclusive lounges. These incentives not only elevate the individuals’ status, but also make their travel more enjoyable, efficient and faster.
The software development industry could use something like a “frequent flyer status” system – especially when it comes to fostering a “security-first” mindset among developers. Without any incentive program, it’s nearly impossible for organisations and their developer teams to evaluate their security proficiency and compare their competencies alongside peers. According to our research, we’ve found these assessments are needed more than ever, as nearly two-thirds of developers say they find it challenging to write code free from vulnerabilities. Even more troubling – about one-half admit they willingly leave vulnerabilities in their code. Why does this security oversight continue to remain so prevalent year after year?
To help address this, development teams participate in meaningful security upskilling, as well as required certification and compliance programmes to boost their security skills and establish best practices. On average, in the UK, an organisation will invest around £3,000 for each employee for training and development purposes. However, training approaches—mainly when conducted gradually—remain limited in providing a comprehensive view of how participants’ skillsets and progress align with organisational security objectives.
Whether they opt for on-the-job collaborative training opportunities or interactive, hands-on lab sessions – regardless of the education approach they pursue, teams would benefit from a standard to measure success. Such developer benchmarking could lead to a “trust score,” which – like loyalty programs – would incentivise developers to reach their security goals, offering clear pathways for improvement. This also supports developer engagement, excitement and interest toward skill enhancement.
That said, what criteria should organisations prioritise, when developing impactful industry benchmarking and an informative, actionable trust score? Here are six essential assessment areas of this “frequent flyer” approach:
Proficiency level. Use data to evaluate team members’ understanding of safe coding principles. Ask: Are they up-to-date on various languages and trends that proactively affect product protection from vulnerabilities? Are they utilising the right tools and methodologies to support a proactive, “security-first” culture – versus a reactive approach?
Industry standards. It’s essential to keep a pulse on team members’ motivation to follow industry-respected security frameworks. These should include the OWASP Top 10, which helps developers keep up with the latest in critical risks; regional guidelines; and “Secure-by-Design” principles, which is a necessary step in the right direction to ensure consistent, secure software development lifecycles. In May of 2024, over one hundred technology vendors signed a Secure-by-Design pledge, committing to mitigate potential flaws in software. Each week, we continue to see more vendors sign the pledge. Over time, the goal is for their developers to feel empowered to ensure accountability by verifying their secure coding skills.
Continuous learning and skill development. While organisations should always invest in learning opportunities to help teams continuously improve, it’s critical to have metrics that measure members’ commitment to consistently upskilling their capacity for protection. This helps identify areas where developers are falling short, allowing teams to rethink their development and mitigation program focus. Ultimately, these programs should be highly targeted, data-driven, and working to nurture the development cohort in a deliberate effort to manage developer risk.
Teamwork and productivity. Benchmarking and trust scores are necessary to create a baseline for analysing the true impact and effectiveness of learning programs and a developer team’s overall security posture. More importantly, a benchmark provides an appropriate starting point for deeper conversations and collaborations between development, engineering and security teams to close potential security gaps and propose solutions within the software supply chain.
Real-time performance tracking. To truly gauge developers’ security capabilities, any evaluation should extend beyond mere training and skill assessments to analyse their behaviour during code production. With these benchmarks in place, how many mistakes are developers still making? Are they learning from their errors and fixing security bugs? Are CISOs implementing a strict remediation and review process? Do peer review groups provide internal reviews to identify security flaws?
Market analysis. This will answer the overarching question, “How do we compare to other organisations in our industry? Are certain skills or areas falling behind our competitors, requiring immediate attention and training?”
We all understand that developer teams are short-staffed, yet under more pressure than ever to produce safer code at a rapid pace. Because of this, they may view security as a barrier to innovation, leading them to find shortcuts for processes, or ignore vulnerabilities entirely. To evaluate the current security culture and mentorship pathways provided to developers, individuals must assess whether they are coaching their peers, the depth and effectiveness of their guidance, and how it impacts their own security practices.
By establishing a measurement for verifying and cross-checking developers’ secure coding skills, security teams will get a clear sense of how they’re performing. They’ll gain a greater appreciation for how “security-first” contributes to more robust products overall, and will ultimately save them time in the long run, since they won’t have to “work backwards” late in the process to fix issues.
In addition, they’ll recognise that benchmarking/trust score-driven continuous improvement will make them more capable and marketable on a professional level, leading to job opportunities and promotions. In other words, this is a “win-win” initiative for the organisation, the individual developer, and for safer software at-large.
Ad