Dive Brief:
- Almost one-third of software development professionals are not familiar with secure software development practices, a study released Tuesday by the Linux Foundation and the Open Source Security Foundation showed.
- The report found that 7 in 10 professionals rely on on-the-job training to learn how to incorporate security into their development practices. However, it usually takes five years of working experience to achieve minimal knowledge of the subject, according to the report.
- Software development professionals cited a lack of time and insufficient awareness and training as their most common challenges.
Dive Insight:
The study comes as the industry and federal officials try to root out critical security vulnerabilities from the software supply chain by incorporating secure development practices into the software development process.
“Software developed by someone who knows how to develop secure software is far more difficult for attackers to attack,” said David Wheeler, director of open source supply chain security for the Linux Foundation.
Wheeler said the vast majority of software vulnerabilities belong to a small set of well-known categories, such as buffer overflow or SQL injection vulnerabilities. Once developers learn about these common categories, they can make them harder to exploit.
The report is based on a survey of 400 industry professionals, including software developers, system operators, committers and maintainers. The survey was conducted in March and April.
Federal officials in recent years have pushed the technology industry and educators to incorporate security into both the early development lifecycle and the formal training of professionals in the software industry.
In May, dozens of companies signed a voluntary pledge to incorporate secure-by-design practices into their product lifecycle. More than 160 companies have signed the Cybersecurity and Infrastructure Security Agency’s secure-by-design pledge to date.