Despite stringent regulations and calls for ‘security by design’, organizations are still failing to equip teams with the knowledge to secure code, according to Security Journey.
In fact, only 20% of respondents were confident in their ability to detect a vulnerability before an application is released, over 60% struggle to remediate vulnerabilities effectively, and 50% fail to test the security of their applications after they have been released.
Attackers are ready and waiting for these vulnerabilities to be released into the wild, according to a study conducted by Qualys, 25% of vulnerabilities were exploited on the day of their publication, and 75% of vulnerabilities were exploited within 19 days (approximately three weeks).
The vulnerability patching crisis
This indicates that securing an application later in its development lifecycle, especially post-release, is a significant risk to an organization’s security posture. 47% of organizations are blaming these challenges of remediating vulnerabilities in production on a lack of qualified personnel.
The survey reveals a reactive approach when it comes to security education programs, with 68% of respondents only undertaking secure coding training because of a compliance need or in response to an exploit. These statistics indicate that from proper detection to effective remediation, organizations are relying heavily on tools to catch vulnerabilities and are overburdening their security workforce, rather than investing in long-term, human intervention at the development stage.
In the 12 months prior to the study, 54% of respondents suffered a security incident due to an unpatched vulnerability, and 51% experienced more than 8 incidents.
Only 11% of organizations believe they patch vulnerabilities effectively in a timely manner, and 55% blame misalignment between development, security, and compliance teams for delays in vulnerability patching.
“We are seeing a perfect storm of application security risk that will likely drive regulators to become more stringent,” said Joe Ferrara, CEO of Security Journey.
“While organizations are turning to AppSec tools and AI to secure their outputs, these tools only act as a safety net and knowledgeable human intervention is needed to prevent and remediate insecure code from the outset. Organizations need to prioritize education programs that are expertly curated, tailored to roles, and continuously reinforced to ensure knowledge retention,” added Ferrara.
The crucial role of secure coding education
Secure coding education is the key to unlocking more sustainable security practices within application development. And yet, the prevalence, frequency, and quality of secure coding training programs is far below where the industry needs it to be.
48% report only training annually, bi-annually or when an incident occurs, and of those organizations that undertake secure coding training, over 50% have programs that are not customized to users’ needs.
50% of those that do provide training have no form of assessment to measure knowledge gain, and only 36% of organizations have their developers learn to write secure code. 21% of organizations educate developers on vulnerability remediation, and 43% have invested money in expertly training their organization with a third party.
These statistics reveal a concerning level of complacency in how organizations are approaching security training for their development teams. Checking the box for compliance is easy but it doesn’t build a secure culture or educate teams on handling a broader landscape of threats.
“The current application security landscape is deeply concerning and it’s clear from this research that secure coding education is not yet up to scratch in most organizations. While it is positive to see many organizations doing training, it is worrying that this appears to be done with the intent to comply with regulations rather than develop secure code, and that the focus still remains on speed to market rather than instilling a secure culture around application development,” said Larry Ponemon, Chairman and Founder of the Ponemon Institute.