The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development
July 16, 2024 - 8:00 AM
Linux Foundation Research and the Open Source Security Foundation
(OpenSSF) are pleased to release a new report titled “Secure
Software Development Education 2024 Survey: Understanding Current
Needs.” Based on a survey of nearly 400 software development
professionals, the analysis explores the current state of secure
software development and underscores the urgent need for formalized
industry education and training programs.
Attackers consistently discover and exploit software
vulnerabilities, highlighting the increasing importance of robust
software security. Despite this, many developers lack the essential
knowledge and skills to effectively implement secure software
development. Survey findings outlined in the report show nearly
one-third of all professionals directly involved in development and
deployment — system operations, software developers, committers,
and maintainers — self-report feeling unfamiliar with secure
software development practices. This is of particular concern as
they are the ones at the forefront of creating and maintaining the
code that runs a company’s applications and systems.
“Time and again we’ve seen the exploitation of software
vulnerabilities lead to catastrophic consequences, highlighting the
critical need for developers at all levels to be armed with
adequate knowledge and skills to write secure code,” said David A.
Wheeler, director of open source supply chain security for the
Linux Foundation. “Our research found that a key challenge is the
lack of education in secure software development. Practitioners are
unsure where to start and instead are learning as they go. It is
clear that an industry-wide effort to bring secure development
education to the forefront must be a priority.” OpenSSF offers a
free course on developing secure software (LFD121) and encourages
developers to start with this course.
Survey results indicate that the lack of security awareness is
likely due to most current educational programs prioritizing
functionality and efficiency while often neglecting essential
security training. Additionally, most professionals (69%) rely on
on-the-job experience as a main learning resource, yet it takes at
least five years of such experience to achieve a minimum level of
security familiarity.
Other key findings of the survey include the following:
- Lack of time (58%) and lack of
awareness and training (50%) are the top two most common challenges
in implementing secure software development practices within
organizations.
- The top reason (44%) for not taking a course on secure software
development is lack of knowledge about a good course on the
topic.
- Self-directed learning methods were most prevalent, with 74% of
respondents reporting using such resources as online tutorials,
videos, and books as their main learning method.
- Emerging security concerns such as
AI (57%) and supply chain (56%) are seen as critical future areas
for innovation and attention.
“The first step in addressing secure software development is
recognizing the existing knowledge gap and identifying priority
areas for creating additional training,” said Christopher “CRob”
Robinson, Intel, co-chair of the OpenSSF Education Special Interest
Group (SIG) and chair of the OpenSSF Technical Advisory Council
(TAC). “Based on these findings, OpenSSF will create a new course
on security architecture, which will be available later this year
and will help promote a ‘security by design’ approach to software
developer education.”
View the full report to learn more about OpenSSF’s training
materials and guides on secure software development. Industry
professionals are encouraged to sign up for the OpenSSF’s free
course Developing Secure Software (LFD121).
About the OpenSSF
The Open Source Security Foundation (OpenSSF) is a
cross-industry initiative by the Linux Foundation that brings
together the industry’s most important open source security
initiatives and the individuals and companies that support them.
The OpenSSF is committed to collaborating and working upstream and
with existing communities to advance open source security. For more
information, please visit us at openssf.org.
About the Linux Foundation
The Linux Foundation is the world’s leading home for
collaboration on open source software, hardware, standards, and
data. Linux Foundation projects are critical to the world’s
infrastructure, including Linux, Kubernetes, Node.js, ONAP,
OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, and more. The Linux
Foundation focuses on leveraging best practices and addressing the
needs of contributors, users, and solution providers to create
sustainable models for open collaboration. For more information,
please visit us at linuxfoundation.org.
Media Contact: Jennifer Tanner, Look Left Marketing,
openssf@lookleftmarketing.com