An EMA survey of 129 software development professionals found that code scanning tools were less effective than developers. For those using code scanning tools, 10% of organizations prevented a higher percentage of vulnerabilities than organizations not using code scanning tools, while continuous training greatly improved code security for over 60% of organizations that adopted it. The survey also found that 70% of organizations are missing critical security steps in their software development lifecycle (SDLC), highlighting a struggle with a shift-left approach.
Despite the fact that new vulnerabilities per year in the National Vulnerability Database have grown over 210% (from 6,487 to 20,139) between 2015 and 2021, the shift-left approach has not been well adopted. Twenty-five percent of organizations are using a shift-left security strategy, according to the study, despite the growing industry awareness of its importance. The research showed that security remains a lower priority for many organizations — almost 50% do not dedicate a step for security validation, 20% don’t plan their application security and 4% don’t have a dedicated security implementation step. Yet the benefits of making the shift are well proven: nine in 10 of those that have adopted a shift-left approach have realized reductions in vulnerabilities.
Training is often an under-utilized method for delivering more secure applications. The EMA study found that secure coding training has a high return on investment, 28.8% of respondents utilizing continuous training prevented over 90% of vulnerabilities from reaching production. The study also found the most common barriers to investment in training are perceived impacts on productivity. Yet when continuous training is delivered by third parties and implemented in tandem with code reviews and code scanning tools, 100% of organizations saw improvement in their code security.
To read all insights from the EMA Secure Coding Practices research, download the full study.