How to Implement Impactful Security Benchmarks for Software Development Teams


Vulnerabilities introduced through third-party components continue to create major problems for organizations. Nearly all codebases contain open-source components, and 77 percent of all code in those codebases originates from open source. At the same time, vulnerabilities linked to open source were found in 84 percent of risk-assessed codebases, and 74 percent of those codebases contained high-risk vulnerabilities.

The emergence of artificial intelligence (AI) as a ubiquitous development assistant has only increased the potential for compromise: most software and security team members acknowledge that insecure AI-generated suggestions are common. It doesn’t help that eight out of ten developers bypass security policies to use AI tools, according to a report from Snyk, a practice known as “shadow AI.”

As chief information security officers (CISOs) and their teams address these issues, they increasingly recognize that a strong defense begins by working with software development teams to cultivate a “security first” culture. But balancing protection against productivity requires benchmarks: an established baseline of the relevant skills and a measure of how effective training initiatives actually are. Such benchmarking efforts should focus on three critical areas:

  • Visibility into developers’ security skills and awareness, and into their improvement over time
  • Established, meaningful goals that reflect organizational needs, so that developer training and assessments align with business requirements
  • Measurement data that lets you compare your development teams’ security profile against industry peers and leaders, and that points to new training and learning methods

Benchmarking is about taking back control: you measure in order to gain a complete picture of your development teams’ security skills and practices, and then you pursue continuous improvement. So how should you begin to implement such a program? We consider the following three steps essential:

Identify what success looks like. Decide what the success standards are and how to measure them: skill levels, training frequency, training impact, vulnerability reduction, and so on. Start by collecting data, then find out how your team’s progress compares to the rest of the industry.

As you proceed, maintain both a historical and a future-focused view. The historical view centers on how the team has developed code so far: what resources and tools members have used, whether they have introduced vulnerabilities, and how much of a role risk assessment plays throughout the software development lifecycle (SDLC).

The future-focused view looks inward, asking whether individuals have the appropriate skills and how the organization can help build and support those skills.

Take action. Benchmarking data is worthless if no one acts on it. CISOs and other organizational leaders must enforce performance standards. If developers meet established goals, reward them with more appealing project and career-advancement opportunities. If they are falling behind on “security first” practices, don’t be afraid to say “no”: limit their access to certain code repositories and language frameworks until they meet the established criteria and demonstrate results.

Ensure upskilling. Teams can quantify the risk within an application, but without benchmarking there is little clarity about whether the developers assigned to a given project have the secure-coding knowledge and skills needed to reduce that risk. Assess individual knowledge so you can put the right people on the right projects, with security expertise at a level appropriate to the risk of their assigned work.


In pursuing continuous improvement, invest in agile learning programs that offer developers multiple paths. They can participate, for instance, in just-in-time “microburst” sessions in which they learn, test, and apply knowledge immediately and in the context of their own work, gaining greater awareness of the real-world threats they face. Unlike static training sessions, agile approaches create constant “learning by doing” opportunities.

Finally, once you’ve launched a comprehensive benchmarking program, you can expand its impact beyond the enterprise. We have a shared responsibility, after all, to improve not only ourselves but our collective industry. To do that, we need to come together, share success stories and lessons learned, and answer the questions, “What minimum bar should we set?” and “How do we establish, and encourage (if not enforce), industry-wide standards?”

Organizations that implement a benchmarking program set a “guided path” for their developers, matching training and best practices to each individual’s skill level and role. By identifying what success looks like, taking concrete, actionable steps toward it, and using agile learning to raise the “security IQ” of developer teams across the board, you prepare your software production for AI-created complexity and for any other technological advance that threatens to introduce new vulnerabilities.

When security leaders extend these efforts from the enterprise to the entire industry, we strengthen software development as a whole. By now, such commitment goes beyond “the right thing to do”; it is the essential thing to do.
