A study published by Linux Foundation and Open Source Security Foundation revealed that nearly one-third of software development professionals are unfamiliar and do not holistically integrate secure software development practices at work.
The report, backed by the responses of 400 industry professionals, including software developers, system operators, committers, and maintainers, also found that 70% of respondents rely on on-the-job training to learn how to incorporate security into their development practices.
However, the study indicates that it usually takes at least five years of working experience to achieve just the minimum level of security familiarity.
The software development professionals themselves admitted that aside from lack of time (58%), another major challenge for them is insufficient awareness and training (50%).
David Wheeler, the director of open source supply chain security for the Linux Foundation, emphasized the importance of secure software development, stating that “software developed by someone who knows how to develop secure software is far more difficult for attackers to attack.”
He further explained that the vast majority of software vulnerabilities belong to a small set of well-known categories, such as buffer overflow or SQL injection vulnerabilities, and that once developers learn about these common categories, they can make software that are harder to exploit.
The report comes as industry and government officials call for addressing critical security vulnerabilities in the software supply chain, primarily by injecting secure practices in the development process.
The Linux Foundation and the Open Source Security Foundation have recognized the need for increased education and training in secure software development, and to show their commitment to addressing this challenge, both entities have announced the creation of a new course on security architecture, which will be available later this year.
