In real life, frequent flyer programs reward travelers with various benefits based on their travel habits. As you accumulate miles and achieve higher status levels with a particular airline, you gain access to perks such as fast-track security, priority boarding, complimentary upgrades and exclusive lounges. These incentives not only elevate individuals’ status but also make their travel more efficient and faster. The software development industry could use something like a ‘frequent flyer status’ system — especially when it comes to ensuring a ‘security first’ mindset among developers. Without such a system, it is difficult, if not impossible, for organizations and their developer teams to assess their security proficiency and compare their competencies with peers. According to our research, such assessments are needed more than ever, as nearly two-thirds of developers report they find it challenging to write code free from vulnerabilities, and about half admit they leave vulnerabilities in their code.
To address these issues, development teams are undergoing training and earning mandated certificates to boost their security skills and practices. However, these approaches, particularly when conducted piecemeal, remain limited in providing a comprehensive view of how participants’ progress in proficiency aligns with organizational security objectives.
Whether teams opt for on-the-job collaborative training opportunities or interactive, agile learning sessions, they would substantially benefit from standardized developer benchmarking for success. Such benchmarking could lead to a ‘trust score’ that, much like rewards programs, would provide incentives to developers for their security achievements and offer clear pathways for improvement.
So, what criteria should organizations focus on when coming up with impactful industry benchmarking and an informative, actionable trust score? Here are six essential assessment areas of this ‘frequent flyer’ approach:
Skill proficiency: Leverage data to evaluate team members’ understanding of safe coding principles. Ask: Are they up-to-speed on the various languages and trends that affect the protection of products from vulnerabilities? Are they deploying the right tools and methodologies to support a proactive, ‘security-first’ culture?
Industry frameworks: It is essential to gauge team members’ adherence to industry-respected security frameworks. This includes the OWASP Top 10, which helps developers stay updated on critical risks, and ‘Secure-by-Design’ principles, a necessary step toward ensuring more consistent secure software development lifecycles. This past May, over 100 technology vendors signed a secure-by-design pledge, committing to implementing these principles to mitigate potential flaws in software that could arise once the software is in the hands of end users. Each week, we continue to see more vendors sign the pledge, and over time, their developers will be further empowered to verify their secure coding skills and ensure they are doing their part.
Continuous training and skills improvement: Organizations should consistently invest in learning opportunities to help teams continuously improve, along with metrics that measure members’ commitment to upskilling their capacity for protection.
Team collaboration/efficiency/performance: Benchmarking and trust scores are necessary to establish a baseline for measuring the true impact and effectiveness of learning programs and the overall security posture of developer teams. More importantly, a benchmark provides an appropriate jumping-off point for deeper conversations and collaborations between development, engineering and security teams, helping to close potential security gaps and find solutions in the software supply chain.
In-production performance measurement: To effectively gauge developers’ security capabilities, evaluations should extend beyond training and skill assessments to analyze their behavior during code production. With these benchmarks in place, consider the following questions: How many mistakes are developers still making? Are they learning from their mistakes and fixing security bugs? Are they coaching peers to develop code securely? Do they review peers’ pull requests for security flaws?
Competitive analysis: This aspect will answer the overarching questions, ‘How do we compare to other organizations in our industry? Are certain trust scores lagging behind our competitors’, indicating a need for immediate attention and training?’
We understand that developer teams are under pressure to produce better code faster. As a result, they may view security as a barrier to innovation, leading them to take shortcuts or ignore vulnerabilities entirely. To evaluate the current security culture and the mentorship provided to developers, it is important to assess not only whether they are coaching their peers but also the depth and effectiveness of their guidance and how it impacts their own security practices.
By establishing a baseline to verify and measure developers’ secure coding skills, security teams will get a clear sense of how well developers are producing secure code from the beginning. Developers will gain a greater appreciation for how ‘security-first’ contributes to more robust products and will even save time in the long haul, since they wouldn’t have to ‘work backward’ late in the process to fix issues.
In addition, they will recognize that benchmarking/trust score-driven continuous improvement makes them more capable and marketable on a professional level, leading to more intriguing job opportunities and promotions. In other words, this is a ‘win-win’ initiative for the organization, the individual developer and overall software safety.