Pieter Danhieux is the Co-founder and Chairman/CEO of Secure Code Warrior.
In cybersecurity, change is the only constant, and the legislative landscape is heating up worldwide. This is forcing many organizations to assess and rethink their internal security programs, aligning them with evolving regulatory requirements. With burnout continuing to rise among AppSec specialists and software developers alike, the continually shifting goalposts of compliance can leave some teams feeling perpetually behind and ill-equipped to shoulder the burden of increased scrutiny and litigation in the event of digital disaster.
The introduction of emerging technologies like AI coding assistants and security scanners has heightened the need to ensure every role across the enterprise follows security best practices to the letter. When it comes to code-level vulnerabilities, however, no team is better placed to mitigate that risk than software developers. The unfortunate reality is that most development teams are not equipped with the precision skills and tools required to successfully navigate the growing threat environment.
Some enterprises are rising above the status quo and have made great strides not just in security enablement for developers but also in making them the cornerstone of their security programs. Developer-driven security is a potent and cost-effective way of reducing vulnerabilities in software, but establishing a baseline of skills and verifying security training outcomes against an industry-wide benchmark has traditionally proved elusive.
Recent evolutions in developer security education have enhanced the ability for enterprises to benchmark their cohorts’ security abilities, ultimately designing programs to ensure they operate with security as second nature. This can result in meaningful risk mitigation and favorable comparisons against others in their industry as a whole.
Benchmarking Developer Security Skills: Defining Ideal Outcomes
Increased regulatory pressure is a potent motivator for enterprises to tighten their security programs overall. However, many recognize that components like developer security training are non-negotiable, especially with the advent of AI coding assistants that can exacerbate security issues if used with high trust and low scrutiny from security-skilled personnel. Still, these upskilling programs vary, and most are incredibly difficult to measure in terms of their success.
This lack of assessment structure and benchmarking has led to difficulties for many CISOs in justifying on-the-job security training for developers and, ultimately, proving its effectiveness in targeting and eliminating relevant vulnerabilities in an organization’s codebase.
There is a clearly defined need for a benchmark that identifies the standing of the development cohort’s skill level in navigating security best practices as well as providing insight into an organization’s overall health in executing the developer-centric elements of its security programs.
The Core Benchmark Attributes
Teams can meet expectations and security training goals internally, but how can they be sure they’re hitting a baseline or general industry benchmark? To build a strong, agile developer upskilling program, the best teams focus on three key areas.
• Visibility. Assess your program’s effectiveness and empower developer teams toward improvement. For example, provide robust reports of individual developer security skills tracking and achievements to increase accountability and highlight areas of improvement.
• Data-driven measurement. Compare success across the industry to facilitate new training and learning methods. Organizations should be able to understand how they compare to key competitors and leaders within their industry through in-depth analysis.
• Flexibility. Identify and optimize your organization’s security posture with actionable insights. Set meaningful internal goals based on your organization’s needs and your development team’s pace, ensuring the training and assessments are aligned with both business needs and the developer tech stack.
This data is invaluable for understanding the wider security picture among the development cohort and prioritizing relevant education gaps that can deliver an overall improvement in the effectiveness of the security program. This is especially important in targeting key vulnerabilities for reduction and enabling developers to safely take on more sensitive projects once their skills are assessed as meeting or exceeding the intended baseline.
Commitment To A Fresh, Superior Standard Of Code Quality
As software continues to eat the world at a pace that leaves most experts reeling, it is no longer viable to pour effort into developer upskilling programs that don’t work, can’t be measured in terms of their impact on enterprise risk mitigation, and give developers themselves very little visibility into how they are tracking in terms of their security prowess. Without these critical insights, poor coding patterns are perpetuated, and the prevalence of security deprioritization and shortcuts is bound to continue unabated.
Most developers want continued growth, yet they continue to be let down by lackluster security programs that neither make them central to the reduction of code-level security issues nor incentivize this growth with rewards and access to more prestigious projects. Raising the standard of code quality will take a significant shift in how developers view and learn security best practices, and the time to implement lasting change is now.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.