IT Pros Report Lack of Familiarity with Secure Software Development

Lack of training cited as a major challenge to secure software development.

A new report from OpenSSF and the Linux Foundation indicates that many IT professionals are not familiar with secure software development concepts and practices.

According to the Secure Software Development Education 2024 Survey, professionals in the following key roles reported being unfamiliar with secure software development:

  • System operations (39%)
  • Open source program office (OSPO) members (38%)
  • Software developers (27%)
  • Open source maintainers (23%)
  • Security team members (16%)

The lack of familiarity in system operations and OSPO members is concerning, the report says, “as these roles are critical in managing and maintaining software infrastructure and open source initiatives, both of which are fundamental to a company’s overall security posture.”

Other findings from the report provide insight as to the importance of secure software development training and how tech professionals can acquire it. For example:

  • 50% of professionals identify a lack of training as a major challenge for implementing secure software development, increasing to 73% among data science roles.
  • 69% rely on on-the-job experience as a learning resource for secure software development, but it can take more than 5 years of such experience to achieve familiarity.
  • 53% of professionals, especially those in system operations (72%), have not taken a course on secure software development, often due to the lack of awareness about good courses (44%).

The OpenSSF itself offers training courses, including Secure Software Development Fundamentals, and part of the motivation behind this survey was to identify topics for future courses. Based on these findings, the OpenSSF says it will focus on developing a new security architecture course.

Read the complete report at the Linux Foundation.
07/30/2024