Organizations can substantially lower vulnerabilities with secure-by-design practices, report finds

Ex-National Cyber Director Inglis says “quantitative data” in Secure Code Warrior’s report shows the importance of the cybersecurity practice.
Large organizations that train developers with secure-by-design practices can reliably reduce the number of vulnerabilities introduced into software products by more than 50%, according to a new report from Secure Code Warrior.

The Australia-based secure coding platform and software firm analyzed data from 600 enterprise customers over nine years to measure what improvements, if any, result from upskilling developers in the secure-by-design practices advocated by the Cybersecurity and Infrastructure Security Agency. Looking at vulnerability reduction data, the firm found that companies with more than 7,000 developers trained in secure-by-design practices can lower vulnerabilities by 47% to 53%.

Chris Inglis, the inaugural national cyber director, said in an interview with CyberScoop that “there’s been essentially an implied assumption that we don’t need to make these systems secure by design.”

“We now have quantitative data that shows that that’s, in fact, the right conclusion: that it is important to do secure by design,” said Inglis, who contributed to the report, along with former acting National Cyber Director Kemba Walden.

CISA’s secure-by-design initiative is the Biden administration’s voluntary push to shift the cybersecurity burden from end users to vendors and manufacturers. The goal is to reduce cyberattacks from petty cybercriminals and state-funded hackers alike by removing known defects in software products. The product development framework is also a part of the national cybersecurity strategy and has seen more than 200 organizations sign up since the initiative began in 2023.

The report noted that if all case studies were combined, vulnerability reduction rates were anywhere from 20% to 80%, with higher averages for smaller organizations.

However, the report also found that without a top-down mandate, which can take the form of regulations or directives from C-suite executives, secure-by-design practices are not likely to be adopted quickly. Secure Code Warrior’s report estimates that around 4% of developers worldwide are using CISA’s secure-by-design development practices.

The National Institute of Standards and Technology said that fixing software defects during testing — as opposed to following secure-by-design principles — can take up to 15 times longer and flaws during deployment can cost 30 to 100 times more resources, the report noted.

“If you’re not prepared to make those investments, then you shouldn’t be writing code that flows into critical infrastructure. I think that’s the bottom line,” Inglis said.

The report also noted that the financial services industry seemed to be the most invested in the secure-by-design initiative. Other critical infrastructure sectors — such as the defense industrial base, health care, public health, critical manufacturing, transportation and IT infrastructure — are making progress in upskilling developers with secure-by-design initiatives as well.

The energy and communications sectors, meanwhile, were not included in the study because they had fewer than 1,000 active developers in training. However, that does not mean they are falling behind, according to Matias Madou, co-founder and chief technology officer of Secure Code Warrior.

Madou, one of the report’s authors, said that some sectors rely heavily on IT infrastructure to buy software, so they did not have much relevant data. Additionally, Madou said it made little difference whether the sector was heavily regulated or not.