
Realigning your organization around secure coding: barriers, concerns and active solutions
In our hyper-connected world, almost every organization shares a common Achilles heel. A single vulnerability, just one exploitable chink in their code, can trigger the theft of customer data, reputational damage and significant financial losses. Organizational alignment around secure coding has never been more imperative – but achieving it is easier said than done. So in 2020, Secure Code Warrior engaged with Evans Data Corp. to conduct primary research* into developers' and managers’ attitudes towards secure coding, secure code practices, and security operations.
In this environment where cybersecurity is paramount, the traditional KPIs for project success are being redefined – but not quickly enough.
When we asked developers and managers about the most critical priorities in the software development process:
- 76% nominated application performance
- 62% picked features and functionality
- And a little over 50% selected secure code
Today, as we can see, security is not a critical priority.
But looking to the future, the picture changes dramatically. When asked about the most vital future priorities for measuring project success, 79% of developers agree that secure coding will become more critical. In fact, developers see security as the KPI whose importance will increase the most.
But even though awareness of secure coding is increasing, there are concerns around its adoption. For developers and managers alike, dealing with vulnerabilities and being accountable for code is enough to keep them up at night. Our research* showed that both these groups share the same basic set of concerns, which point to a need for better training in secure coding practices.
Concerns and barriers around secure coding practices
The number one concern for developers is ‘including code that replicates previous vulnerabilities’. As developers are judged on the quality of their code, this is hardly surprising. No developer wants to be the source of insecure code – or code that requires rework and slows down their team.
The second most significant concern for developers is dealing with mistakes introduced by coworkers. Meeting deadlines and being accountable for code are also high on the list – as is the fact that learning about secure code is challenging, which echoes developers' dissatisfaction with current training approaches.
Managers, on the other hand, take more of a top-down view. Their number one concern is being accountable for bad code or code that replicates previous vulnerabilities. After all, if their team produces lousy code, the buck stops with the manager.
The fact that the learning process is challenging comes in third – but this is not the only barrier to secure coding practices.
45% identified a lack of communication between stakeholders and management as a significant roadblock. 42% lament the lack of secure coding skills among new hires. At the same time, 40% nominated inadequate training time and resources.
Current secure code training approaches are not delivering – and managers realize a new approach is needed.
Who’s responsible for secure code practices?

By its very nature, the practice of secure coding means considering security much earlier in the SDLC. It means actively building security into software as it’s written, from the start, instead of leaving this to later. In other words, it means ‘shifting left’. This ‘shift left’ is the essence of secure coding practice. And it means that, ultimately, everyone in an organization should be responsible for secure code. But right now, only 15% of developers agree.
However, while most developers still see security as someone else's problem, a small but growing cohort not only actively embraces secure coding but champions it within their organization. 29% of developers surveyed agree that such go-to people exist in their workplace. The problem is these secure code champions are still too thin on the ground.
Creating more security champions
Development managers are aware of the need to identify and create new security champions and raise the secure coding skills of developers in general.
Many managers also put a premium on secure coding skills when hiring new developers and value secure coding experience among developers who are already part of their teams.
83% of managers surveyed say they ask developers to learn or adopt secure coding practices. Roughly three-quarters of surveyed managers say that they provide incentives for developers to engage with secure code training. These incentives range from formal recognition to greater responsibilities to higher pay.
It's clear that development managers are critical influencers of the adoption of secure coding practices at the organizational level – and instrumental to spotting security champions.
But when it comes to creating more of these champions, what motivates developers to learn about secure coding? Our research shows that they see it as a means to increase their productivity and efficiency.
So why don’t developers push for more secure code training? What stands in the way of aligning themselves with a growing organizational need?
Solutions to begin to address realignment
Developers don't want to sit around listening to lecturers – they want to get their hands on stuff and try it for themselves. They want a focus on practical applications – something current training programs sorely lack. When asked to identify how company-provided training could improve, 30% of respondents revealed that they would like that training focused on practical applications, particularly authentic work scenarios.
Current training practices fail to deliver this. A new approach is called for – and as champions of change, Secure Code Warrior takes a human-led approach to help organizations realign around secure coding. Our cybersecurity Courses offer guided learning pathways that include hands-on, 'gamified' coding challenges that mimic those developers face in the real world.
This training is language:framework-specific, unlike generic training, which often goes in one ear and out the other.
When it comes to realigning culture, Tournaments can be used to measure coders’ security skills, establish a baseline for future skills development, and spot the potential security champions within your development team.
If you’d like to know more about secure code training that aligns the needs of managers, developers and the organization towards a secure coding future, book a demo now.
*Shifting from reaction to prevention: The changing face of application security. Secure Code Warrior and Evans Data Corp. 2020

This article was written by Secure Code Warrior's team of industry experts, who are committed to giving developers the knowledge and skills to build secure software from the start, drawing on deep expertise in secure coding practices, industry trends and real-world insights.
