Developer security training isn’t just a ‘nice to have’.
Today, I’m looking at 10 statistics that demonstrate why rolling out developer security training is essential to protecting your organisation from serious risks and massive costs.
1) The Average Cost of a Data Breach Is $7.2 Million
A recent survey revealed that the average cost of a data breach is a staggering $7.2 million – equating to a loss of $214 for each and every compromised customer record.
2) 88% of Organisations Have Had a Major Data Breach
As well as being costly, large-scale data breaches are growing more common. The same survey found that 88% of organisations had experienced a major data breach within the last 12 months.
3) 70–90% of Vulnerabilities Exist in the Application Layer
Many organisations assume that the network layer of their infrastructure is the primary source of security vulnerabilities, and focus their energy on preventing network problems.
In reality, however, it’s the application layer that poses the biggest threat. Gartner has estimated that 70% of all vulnerabilities are caused by poor application security – and other researchers have estimated the figure to be as high as 90%.
4) Only 22% of Developers Have Any Role in Testing Application Security
Despite most security vulnerabilities coming from insecure applications, only 22% of software developers have an active role in testing application security.
In most organisations, security is a separate silo, making it harder to identify vulnerabilities, and causing significant friction between developers and security professionals.
5) 47% of Developers Have No Mandate to Remediate Vulnerable Code
Worse still, almost half of developers lack the power to actually fix vulnerabilities once they’re detected. In most organisations, application security simply isn’t a priority – and developers are judged on their ability to create fast, effective code, not secure code.
In order to improve application security, security needs to be prioritised from the top-down: with time set aside for security training, testing, code review and remediation.
6) Only 3.1% of Developer Conference Time is Dedicated to Security
This lack of security emphasis is reflected in the development world as a whole, as well as within individual organisations. Across two years of major development conferences, just 3.1% of total talk time was dedicated to security issues.
With many developers relatively naïve to the problems caused by insecure and vulnerable code, it’s essential for your organisation to take proactive action to raise security awareness and prioritise developer security training. If you don’t, no one else will.
7) 75% of Executives Believe Their Application Security to Be Mature, vs. 11% of Devs
To worsen the situation, most organisations aren’t aware of their security problems. When surveyed, three quarters of senior executives believed their application security to be in a mature state – that is, capable of identifying and proactively dealing with potential vulnerabilities before they become a problem.
In stark contrast, just 22% of security professionals and 11% of developers believed the same. In other words, most organisations suffer from a serious disconnect between the perceived and actual states of their application security. If organisations can’t see their security problems, they can’t fix them.
8) It’s 30x More Expensive to Fix a Vulnerability During Post-Production
The sooner you can catch a vulnerability, the easier it is to fix.
Security issues identified during post-production are 30x more expensive to remediate than vulnerabilities identified earlier in the software development lifecycle (SDLC). By training devs in application security, and improving the security of their code, you’re stopping vulnerabilities at the source.
9) 71% of Devs Believe Security Is Not Addressed During the SDLC
Despite the compelling case for securing the SDLC, over two thirds of developers believe that their organisations make no effort to address security during the development lifecycle.
Testing and remediation are left until it’s too late, and as a result, organisations find themselves with a laundry list of vulnerabilities in need of patching; a fraction of the resources required to fix them all; and a very real security risk threatening their organisation.
10) Basic Security Training Can Stop 80% of Security Attacks
80% of the attacks that threaten your organisation are avoidable, being caused by simple tactics employed by so-called ‘script kiddies’.
By investing in developer security training, you can have a very real impact on the security of your organisation – reducing both the risk of a successful attack and the cost of remediation.
Discover how to roll out an effective developer training program, and download our whitepaper below.