
Over one-third of software developers lack knowledge about secure coding practices

Vulnerabilities in critical systems, as revealed in a report by the Linux Foundation, are becoming more frequent targets for malicious hackers, and a widening knowledge gap among developers is contributing to the problem.

Most software developers lack knowledge about secure programming practices, with a concerning one-third unaware of necessary safety measures.


In a recent report, it was found that approximately one-third of software development professionals are unfamiliar with secure software development practices [1]. This highlights the need for the technology industry and education system to focus on continuous, role-specific, and practical training programs integrated into development workflows.

The report also found that professionals typically need five years of working experience before they reach even a minimal level of knowledge of secure software development practices [2]. It did not, however, quantify how much additional experience developers need, once they have learned the common vulnerability categories, before their software becomes measurably more secure.

The survey for the report was conducted in March and April and included responses from 400 industry professionals, including software developers, system operators, committers, and maintainers [3]. The most common challenges cited by these professionals were a lack of time and insufficient awareness and training [4].

In an effort to address these challenges, dozens of companies have signed a voluntary pledge to incorporate secure-by-design practices into their product lifecycle [5]. This pledge, initiated by the Cybersecurity and Infrastructure Security Agency, has been signed by over 160 companies as of now [6].

David Wheeler, the director of open source supply chain security for the Linux Foundation, stated that software vulnerabilities often belong to a small set of well-known categories, such as buffer overflow or SQL injection vulnerabilities [7]. He also emphasized that software written by someone who knows how to develop secure software is harder for attackers to compromise [8]. Once developers learn about these common categories, they can make them harder to exploit.
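To make Wheeler's point concrete, here is an added example (not from the report or the article) showing one of the categories he names, SQL injection, in the form a developer would most commonly write it, next to the parameterized fix. The table, the sample users and the probe string are all constructed for the demonstration; Python's built-in `sqlite3` module stands in for whatever database driver a real project uses.

```python
import sqlite3

# Constructed sample data: a tiny in-memory users table for the demonstration.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """The anti-pattern: user input concatenated into the SQL text.

    The database engine receives one string and cannot tell which part was
    meant as data and which part is query structure, so a quote character
    in `name` changes the meaning of the WHERE clause.
    """
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """The fix: a parameterized query.

    The SQL text is fixed; the value travels separately as a bound parameter
    and is only ever compared as data, never parsed as SQL.
    """
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups on an ordinary name and on a constructed probe string
    that contains a quote, returning the four result sets for comparison."""
    conn = make_db()
    probe = "' OR '1'='1"  # constructed test input; the classic textbook tautology
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "safe_normal": find_user_safe(conn, "alice"),
        "vulnerable_probe": find_user_vulnerable(conn, probe),
        "safe_probe": find_user_safe(conn, probe),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Both functions behave identically on an ordinary username, which is why the defect survives ordinary testing. The probe input exposes the difference: the concatenated version returns every row because the quote terminated the string literal early, while the parameterized version returns nothing because the whole probe was compared, as data, against the `name` column. A code review or static analysis rule that flags string concatenation into SQL text catches this whole category rather than one instance of it.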

To improve their skills in identifying and fixing vulnerabilities, professionals can engage with various learning resources. Course-based eLearning platforms like Veracode eLearning offer online, self-paced courses and competency testing directly integrated into security platforms [1]. Hands-on, practical training platforms such as SafeStack and AppSecEngineer provide bite-sized lessons, real-world labs, and code-level vulnerability walkthroughs that fit into developers' workflows without heavy disruption [3][5].

Continuous learning and upskilling are essential. Professionals should engage with webinars, podcasts, certifications (e.g., CompTIA, (ISC)²), industry forums, and conferences to keep updated on emerging threats and security technologies [2]. Digital skill-building strategies from corporate leadership are also important, aligning security training with business goals to ensure inclusivity and effective governance of learning programs across tech and non-tech employees [4].

Tracking progress and fostering community within teams encourages sustained improvement through knowledge sharing, question answering, and visibility of learning outcomes, enhancing motivation and security culture [3]. Federal officials have been urging the technology industry and educators to incorporate security into the early development lifecycle and the formal training of software professionals [9].

In conclusion, secure software development improves by embedding continuous, contextual security training into developers' daily routines supported by accessible, hands-on learning resources, recognized certifications, community engagement, and organizational leadership commitment to upskilling [1][2][3][4][5]. The industry and federal officials are working together to address critical security vulnerabilities in the software supply chain by incorporating secure development practices into the software development process.

  1. Given the findings in the report, it's evident that the technology industry and education system need to prioritize cybersecurity education to bridge the gap in secure software development practices among professionals, as continuous, role-specific, and practical training programs are crucial for their development workflows.
  2. To build a robust defense against software vulnerabilities, professionals can benefit from various learning resources, such as course-based eLearning platforms, hands-on practical training platforms, webinars, podcasts, certifications, and digital skill-building strategies, all of which play a vital role in enhancing their understanding and skill in identifying and fixing vulnerabilities.
