Trained developers get rid of more vulnerabilities than code scanning tools
2023-01-23 04:00

An EMA survey of 129 software development professionals uncovered that for those using code scanning tools, only 10% of organizations prevented a higher percentage of vulnerabilities than organizations not using code scanning tools, while continuous training greatly improved code security for over 60% of organizations that adopted it.

"Awareness is a primer for knowledge, but to truly shift the paradigm and solve the AppSec dilemma, the focus must change from 'awareness' of AppSec to 'in-depth knowledge', and training developers on secure coding practices is the next step in security awareness programs. Vulnerabilities detected earlier in development are easier to resolve and far less costly. And this requires a programmatic and continuous approach to application security education and specifically secure coding training for developers," Baker continued.

Trained developers: Invaluable to improving code security.

The study found that secure coding training has a high return on investment: 28.8% of respondents utilizing continuous training prevented over 90% of vulnerabilities from reaching production.

When continuous training is delivered by third parties and implemented in tandem with code reviews and code scanning tools, 100% of organizations saw improvement in their code security.

"All too often, when it comes to cybersecurity, the human element is the most overlooked component of any system," says Ken Buckler, Research Analyst at EMA. "With lowest adoption rates and highest code improvement rates, third-party training appears to be the critical component some organizations are failing to invest in. Code reviews without training may ultimately prove to be futile efforts, simply checking a compliance checkbox that the code was reviewed. After all, how can those reviewing the code understand if the code is secure if those reviewers haven't been given the proper training in the first place?" Buckler concluded.
News URL

https://www.helpnetsecurity.com/2023/01/23/trained-developers-code-scanning-tools/