Attackers consistently discover and exploit software vulnerabilities, highlighting the increasing importance of robust software security, according to OpenSSF and the Linux Foundation. Despite this, many developers lack the essential knowledge and skills to effectively implement secure software development.
Lack of education in secure software development
Survey findings outlined in the report show nearly one-third of all professionals directly involved in development and deployment — system operations, software developers, committers, and maintainers — self-report feeling unfamiliar with secure software development practices. This is of particular concern as they are the ones at the forefront of creating and maintaining the code that runs a company’s applications and systems.
“Time and again we’ve seen the exploitation of software vulnerabilities lead to catastrophic consequences, highlighting the critical need for developers at all levels to be armed with adequate knowledge and skills to write secure code,” said David A. Wheeler, director of open source supply chain security for the Linux Foundation.
“Our research found that a key challenge is the lack of education in secure software development. Practitioners are unsure where to start and instead are learning as they go. It is clear that an industry-wide effort to bring secure development education to the forefront must be a priority,” added Wheeler.
Survey results indicate that the lack of security awareness is likely due to most current educational programs prioritizing functionality and efficiency while often neglecting essential security training. Additionally, 69% of professionals rely on on-the-job experience as a main learning resource, yet it takes at least five years of such experience to achieve a minimum level of security familiarity.
Lack of time (58%) and lack of awareness and training (50%) are the top two most common challenges in implementing secure software development practices within organizations. The top reason (44%) for not taking a course on secure software development is lack of knowledge about a good course on the topic.
Software developers with less than one year of experience report the highest lack of familiarity at 75%, with this number dropping to 72% for those with one to two years of experience. Similarly, 72% of those with less than one year of specific experience in secure software development report a lack of familiarity, while this number drops to 47% for those with one to two years of experience.
Filling educational gaps with language-agnostic courses
Many software development professionals still favor informal methods over university educational courses.
Self-directed learning methods were most prevalent, with 74% of respondents reporting using such resources as online tutorials, videos, and books as their main learning method. Emerging security concerns such as AI (57%) and supply chain (56%) are seen as critical future areas for innovation and attention.
“The first step in addressing secure software development is recognizing the existing knowledge gap and identifying priority areas for creating additional training,” said Christopher “CRob” Robinson, Intel, co-chair of the OpenSSF Education Special Interest Group (SIG) and chair of the OpenSSF Technical Advisory Council (TAC).
Organizations need a variety of language-agnostic courses to fill educational gaps and help IT staff better address secure software development.
The purpose of security education and guidance is to “provide training for employees to increase their security awareness and leverage this knowledge and other guidance in the design, development, and deployment of secure software.”
Finally, secure implementation in software development means writing source code that avoids common vulnerabilities and is more robust against attacks. This adds another layer of defense by embedding security in the code of software products from the outset, rather than retrofitting it later.