Secure Software Development Education 2024 Survey
Understanding Current Needs

Marco Gerosa, Ph.D., Northern Arizona University
David A. Wheeler, Ph.D., The Linux Foundation
Stephen Hendrick, The Linux Foundation

Foreword by Christopher Robinson, Intel, and Dave Russo, Red Hat

June 2024

Training needs vary significantly based on professional roles and experience levels.

Python is highly favored for language-specific training, with 71% of respondents expressing a preference, although C and Java are selected more frequently when respondents rank their top choices.

57% of respondents identify AI and ML security as a critical area for future innovation and attention in secure software development.

56% of respondents see supply chain security as a crucial area needing increased focus and innovation.

To start mitigating the need for more secure software development education, the OpenSSF selected Security Architecture as the topic of a new course.

Popular language-agnostic courses include security architecture (64%), security education and guidance (64%), and secure implementation (63%).

53% of professionals, especially those in system operations (72%), have not taken a course on secure software development, largely due to the lack of awareness about good courses (44%).

Software developers with less than one year of experience report the highest lack of familiarity (75%).

28% of professionals directly involved in software development are not familiar with secure software development.

79% of professionals consider language-agnostic courses highly important, compared with 54% who attribute the same level of importance to language-specific courses.

69% of professionals rely on on-the-job experience as a learning resource for secure software development, but it can take more than 5 years of such experience to achieve familiarity.

50%
of professionals identify a lack of training as a major challenge for implementing secure software development, with this issue being particularly pronounced among data science roles (73%).

Copyright 2024 The Linux Foundation | June 2024. This report is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International Public License

SECURE SOFTWARE DEVELOPMENT EDUCATION 2024 SURVEY

Contents
Foreword 4
Chapter 1: Introduction 5
Chapter 2: The need for more training 7
  Many professionals are not familiar with secure software development 8
  The need for awareness and training is a major challenge for secure software development 11
  A large number of respondents have not taken any courses on secure software development 13
  Respondents have not taken a course because they are not aware of a good one 15
  Respondents are unaware that the OpenSSF offers free educational material 16
  Respondents prefer self-paced training 18
Chapter 3: Priority areas for training 19
  Professionals consider language-agnostic training more important than training focused on a specific language 20
  Organizations need a great variety of language-agnostic courses, and security architecture is the most popular 22
  Different roles have different needs 23
  Respondents consider security education and guidance their top priority 25
  A Python-specific course is a popular demand 26
  The popularity of Python is confirmed across different populations 27
  C and Java are more frequently selected as top-choice courses 29
  Respondents report a variety of courses needed by their organization 30
  New areas may emerge in the future 32
Chapter 4: OpenSSF course selection 34
Chapter 5: About the survey and its respondents 36
  Demographics 36
  Methodology and open results data 38
Conclusion 40
Appendix A: Cybersecurity in the organizations 41
  Cybersecurity is a priority for organizations 41
  Organizations adopt a variety of cybersecurity activities 43
  Online courses are an important resource for organizations 43
Appendix B: Segregated rankings for language-agnostic courses 47
Appendix C: Segregated rankings for language-specific courses 54
About the Authors 62
Acknowledgments 63

Foreword

Above all else, education is a tool that, once obtained, is always available to the developer no matter what language, IDE, or scanner they may be working in or have access to. I am pleased to have participated in this Secure Software Development Education survey and that we now can share the results of the Linux Foundation's (LF) research with the community. We've already started reacting to some of the initial findings, and now that the full report is available, I look forward to helping empower developers of all skill levels, experiences, and backgrounds based on the important feedback that the community has provided.

Christopher Robinson, Intel, Co-Chair of the OpenSSF Education Special Interest Group and Chair of the OpenSSF Technical Advisory Council

No matter how sophisticated developer tools become, the knowledge and mindset of the individuals designing and writing the code have the biggest impact on its overall quality, especially when it comes to developing securely. Understanding what developers need to know and effectively delivering that information to them in a digestible way is key to enabling them to keep secure practices top of mind and to be able to effectively implement them. The results of the OpenSSF Secure Software Development Education survey reinforce the need for these educational materials and the benefits they will provide. Our group will leverage this information to improve and expand the overall availability and quality of this training to the open source community and encourage others to do the same.

Dave Russo, Red Hat, Co-Chair of the OpenSSF Education Special Interest Group

Chapter 1: Introduction
Software security has never been more critical. Software vulnerabilities can lead to catastrophic consequences in many areas, from financial transactions and healthcare management to national security and everyday communication. A data breach in the U.S. costs $9.44 million on average per incident, according to an IBM Report (2023).[1] A Verizon report (2021)[2] shows that 43% of all breaches are linked to software vulnerabilities due to poor software development practices. The evolution of cyberthreats has shown that attackers continuously find ways to exploit software weaknesses. By prioritizing secure coding practices, regular security assessments, and proactive threat modeling, developers can build resilient systems that protect sensitive data and ensure user trust. Secure software development is not merely an additional layer in the software development process but an integral aspect of it.

Despite its critical importance, many developers lack the necessary knowledge and skills to implement secure software development effectively. Many educational programs focus primarily on functionality and efficiency, often neglecting security training. The historical emphasis on functionality over security has been a pervasive issue in software development. This focus can be traced back to the early days of computing, where the primary goal was to create functional and reliable systems to perform specific tasks. Security was often an afterthought, if it was considered at all.

The first step in addressing secure software development is recognizing the existing knowledge gap and identifying priority areas to create additional training. With this goal in mind, the Open Source Security Foundation (OpenSSF) and Linux Foundation (LF) Research partnered to conduct a worldwide survey of software development professionals to assess their secure software development education needs. This research seeks to promote a "security by design" approach to software developer education and to enhance security education programs.

[1] https:/

From March 1 to April 29, 2024, the survey received 398 valid responses from professionals involved with software development, which are the basis for the analysis presented in this report. The survey included questions on demographics, experience, and current perspectives for secure software development, along with survey questions focusing on educational needs for secure software development. For
more information about the research approach and demographics, see Chapter 5.

Our key findings are as follows:
1. A large portion (28%) of professionals directly involved in software development and deployment, including system operations, software developers, committers, and maintainers, report not being familiar with secure software development.
2. Software developers with less than one year of experience report the highest lack of familiarity (75%).
3. 69% of professionals rely on on-the-job experience as a main learning resource, but it takes at least five years of such experience to achieve a minimum level of familiarity.
4. Lack of training is a major challenge for many professionals (50%), particularly those in data science roles (73%).
5. Most professionals (53%), especially system operations professionals (72%), have not taken a course on the topic, especially because they are not aware of a good course (44%).
6. Most professionals (79%) deem language-agnostic courses highly important for secure software development, overshadowing the 54% who view language-specific courses as highly important.
7. Popular language-agnostic courses include security architecture, security education and guidance, and secure implementation.
8. Training needs vary significantly based on professional roles and experience levels, evidencing the need for diverse educational offerings in secure software practices.
9. Python is highly favored for language-specific training, with 71% of respondents expressing a preference, although when ranking their top choices, C and Java were selected more frequently, suggesting a nuanced demand for programming language education.
10. Emerging security concerns such as AI and ML security and supply chain are seen as critical future areas for innovation and attention, identified by 57% and 56% of respondents, respectively.
11. Based on these findings, the OpenSSF has decided to create a new course on security architecture, as explained in Chapter 4.

Although we've selectively highlighted several key findings here, we've made all the data openly available for you to explore.
Chapter 2: The need for more training

This chapter explores the need for more training. We assess the respondents' familiarity with secure development practices, the challenges in implementing these practices, and which learning resources professionals utilize. This analysis establishes a foundation for understanding the need for additional training in this area.

The main findings of this chapter are as follows:
1. Many professionals (28%) involved with software development are not familiar with secure software development.
2. Key roles in software development and deployment, such as system operations (39%) and software developers (27%), and in open source software (OSS) in particular, such as open source program office (OSPO) members (38%), committers (29%), and maintainers (23%), have a high number of professionals not familiar with the topic.
3. Even some security team members (16%) are not familiar with the topic.
4. Being experienced with software development does not imply familiarity with the topic, with at least 20% not being familiar regardless of the number of years of experience.
5. At least five years of practical experience in the topic are necessary for at least 90% of professionals to consider themselves familiar with it.
6. Among the professionals who have not taken a course on secure software development, very few (13%) said that it was because they feel they already know enough about the topic.
7. Lack of awareness and training is the second most common challenge in implementing secure software development capabilities within organizations (50%), only behind lack of time (58%).
8. Lack of awareness and training is particularly challenging for 73% of data science professionals.
9. Informal methods such as self-study (74%) and on-the-job experience (69%) are the primary learning resources for the topic.
10. The majority (60%) of security team members have taken a course on the topic, while a minority of other key roles, such as software developers (48%) and system operations professionals (28%), have taken one.
11. The top reason, reported by 44% of the respondents, for not taking a course is the lack of knowledge about a good course on the topic.
12. Few professionals (up to 13%) report that they do not need a course on the topic.
13. Only 25% of organizations report using OpenSSF education materials, and the top reason is a lack of awareness.
14. Most respondents (74%) prefer self-paced training materials.

Many professionals are not familiar with secure software development

Nearly one-third of all software development professionals do not feel familiar with secure software development, as observed in Figure 1. There is also a chance that even those who report familiarity with secure software development do not know how to apply it in practice. These results are corroborated by Figure 2, which shows that only 13% of the respondents see themselves as not needing training because they already know enough about the subject.

Worryingly, as observed in Figure 1, professionals in some critical roles in the development process lack familiarity with secure software development practices. For those whose primary role is software development, it is concerning that 27% report being unfamiliar with secure software development practices. This fact is particularly troubling given that software developers are at the forefront of creating and maintaining the code that runs a company's applications and systems. The lack of familiarity in over one-quarter of developers indicates a significant gap in essential knowledge that could lead to the introduction of security vulnerabilities during the development process. For companies, this emphasizes the urgent need to integrate comprehensive security training into the standard developer curriculum and ensure that secure coding practices are a foundational element of the software development lifecycle.

If anything, the data suggests that things are even worse than they first appear, once other reports are considered. In a 2022 study by Secure Code Warrior, 89% of responding developers claimed that they'd received "sufficient" training in secure skills, yet when they were asked about specifics, the majority of the respondents admitted that they were not familiar with common software vulnerabilities, how to avoid them, and how they can be exploited. Indeed, 86% of the developers in that study stated that they found it challenging to practice secure coding, an odd result if they'd really received sufficient training.[3] A plausible explanation is that knowledge of how to develop secure software is so rare that developers overestimate their knowledge, presuming a familiarity that isn't justified. This shouldn't be surprising, as even the developers who go to university are unlikely to learn how to do it. A 2021 study pointed out that of U.S. News's top 24 computer science schools, only one, University of California San Diego, requires undergraduates to learn about security.[4] In short, our data is likely to show the situation in a more positive light than reality, due to the widespread lack of understanding of even the basics.

The data also reveals that system operations and OSPO team members report the highest levels of unfamiliarity with secure software development (39% and 38%, respectively). This fact is concerning, as these roles are critical in managing and maintaining software infrastructure and open source initiatives, both of which are fundamental to a company's overall security posture. Security team members reported the lowest level of unfamiliarity at 16%. Even though this indicates that those specifically tasked with security are more knowledgeable about secure development practices, it is worrisome that not all these professionals consider themselves at least familiar with the area. For companies, these results highlight the need for cross-departmental training programs and initiatives to foster a culture of secure software development awareness.

[3] The State of Developer-Driven Security Survey, Secure Code Warrior, 2022, https:/

FIGURE 1: PERCENTAGE OF RESPONDENTS NOT FAMILIAR WITH SECURE SOFTWARE DEVELOPMENT
Segmented by professional role: All respondents 28%; System ops 38%; OSPO team 38%; Data science 36%; Software dev 27%; Management 26%; Security team 16%
Segmented by open source software role: Committer 29%; Non-development contributor 27%; Occasional contributor 24%; Maintainer 23%; Core contributor 8%
Segmented by years of experience in software development: less than 1 year 75%; 1 to 2 years 72%; 3 to 5 years 32%; 6 to 10 years 28%; 11 to 15 years 22%; 16 to 20 years 24%; 20+ years 20%
Segmented by years of experience in secure software development: less than 1 year 72%; 1 to 2 years 47%; 3 to 5 years 19%; 6 to 10 years 8%; 11 to 15 years 12%; 16 to 20 years 4%; 20+ years 4%
2024 SecEd Survey, Q14 by Q5, Q8, Q15, Q16, Sample Size=396. Low familiarity represents those who answered "Not familiar at all" or "Somewhat familiar".

Narrowing the results for those who contribute to OSS, we can see that more than one-quarter of committers and maintainers do not consider themselves familiar with secure software development. This fact suggests that many developers who write and send code directly to open source repositories and review others' work are not familiar with the area. Given that OSS comprises most of the
scaffolding technologies that many modern systems are built upon, the lack of security knowledge can bring generalized threats, as we observe from time to time.

The survey also highlights a stark difference in familiarity based on years of experience. Software developers with less than one year of experience report the highest lack of familiarity at 75%, with this number dropping to 72% for those with one to two years of experience. Similarly, 72% of those with less than one year of specific experience in secure software development report a lack of familiarity, while this number drops to 47% for those with one to two years of experience. Despite these numbers declining with increased experience, 20% of professionals with more than 20 years of general experience still report a lack of familiarity with the field. This indicates that even highly experienced developers may not necessarily be knowledgeable about secure software development, and it often takes many years of specific practical experience to gain familiarity. For companies, this highlights the importance of incorporating secure software development training early in a software professional's career. It also suggests that companies should invest in onboarding programs that emphasize secure coding practices and provide continuous education opportunities to bridge this knowledge gap.

FIGURE 2: PERCENTAGE OF RESPONDENTS WHO REPORT NOT HAVING TAKEN A COURSE ON SECURE SOFTWARE DEVELOPMENT BECAUSE THEY BELIEVE THEY ALREADY HAVE ENOUGH KNOWLEDGE ON THE TOPIC
I believe I already know enough about the subject: 13%; Other reasons why a course in secure software development has not been taken: 87%
2024 SecEd Survey, Q31, Sample Size=150

FIGURE 3: BIGGEST CHALLENGES IN IMPLEMENTING SECURE SOFTWARE DEVELOPMENT AND DEPLOYMENT IN AN ORGANIZATION
Time constraints: 58%
Lack of security awareness and training: 50%
Complexity of software and infrastructure: 44%
Integration into existing processes: 39%
Keeping up with emerging threats: 36%
Lack of management support, advocacy, and recognition: 35%
Money constraints: 34%
Secure deployment and operations (CI/CD integration without slowing delivery): 30%
Bad perception of security work: 23%
Regulatory compliance and data privacy (which creates additional complexity): 22%
Other (please specify): 4%
Don't know or not sure: 2%
2024 SecEd Survey, Q28, Sample Size=324, Total Mentions=1,224

The need for awareness and training is a major challenge for secure software development

Effectively implementing secure software development and deployment brings many challenges. Our results indicate that the need for security awareness and training is one of the top challenges for organizations. With half of the respondents reporting this challenge, it ranks only below time constraints, as depicted in Figure 3. Since time constraints are a common problem across many organizations, to successfully address these needs, most organizations will need to address security awareness and training with systematic and structured education programs. These programs should be integrated into the organizational culture and workflows, ensuring that they are regular and mandatory. Additionally, fostering a culture of continuous learning and security-minded thinking across all departments can enhance the effectiveness of these educational efforts.

The perception of a need for more security awareness and training as a challenge for implementing secure software development and deployment varies depending on the professional role, as pointed out in Figure 4. Data science roles report the highest level of concern, with 73% of respondents indicating that this is a significant challenge. This high percentage likely reflects the fact that data science professionals often come from academic areas not well versed in software engineering practices, including secure coding standards and
methodologies. This gap in their training is worrisome, since data scientists increasingly deploy models and algorithms directly into production environments, and the lack of security practices can lead to vulnerabilities and expose large volumes of sensitive data. This is especially the case in the use of machine learning (ML) systems, where data may be used to train models that are directly deployed in production systems. This result emphasizes the need for more robust and specific training in data protection.

Security team members also feel that the need for security awareness and training is a concern for implementing secure software development, with 56% of professionals reporting this challenge. This high percentage reflects the security team's unique perspective on the organization's overall preparedness. As the primary protectors against cyberthreats, they are acutely aware of the discrepancies between ideal security protocols and the actual practices adopted by software developers, leading to gaps in the organization's security infrastructure. This gap underscores the need for more organization-wide secure software development education to prevent vulnerabilities through better security awareness across the development lifecycle. The need for more awareness and training is also shared with many professionals in other roles, including software development (38%), management (36%), and system operations (31%).

FIGURE 4: PERCENTAGE OF RESPONDENTS WHO REPORTED LACK OF AWARENESS AND TRAINING AS A CHALLENGE FOR IMPLEMENTING SECURE SOFTWARE DEVELOPMENT AND DEPLOYMENT, SEGMENTED BY RESPONDENT ROLE
Data science: 73%; Security team: 56%; Others: 40%; Software development: 38%; Management: 36%; System operations: 31%; OSPO team: 13%
2024 SecEd Survey, Q28 by Q5, Sample Size=398

A large number of respondents have not taken any courses on secure software development

Many software development professionals still favor informal methods over university educational courses. Figure 5 demonstrates that the prevalent method for learning secure software development is self-study, with 74% of respondents reporting utilizing resources such as online tutorials, videos, and books as their main learning method. This method is closely followed by 69% who credit accumulated on-the-job experience. These popular methods have their drawbacks. Self-study relies heavily on individual initiative and often lacks the comprehensive curriculum and expert guidance found in educational courses, which can lead to gaps in knowledge. On-the-job learning, while practical, can also be inconsistent, depending heavily on the locally available expertise, specific projects, and security challenges encountered in the workplace. Moreover, errors common among those learning can inadvertently be incorporated into production code, compromising system security. A course on secure software development can equip professionals with the skills and knowledge to identify, mitigate, and prevent security vulnerabilities in software,
thereby enhancing product security and protecting their organizations from potential cyberthreats. However, our findings indicate that many professionals in the field have not yet taken such a course. As observed in Figure 6, 47% of the respondents reported having taken a course on secure software development. Among specific groups, the security team leads with 60% participation, confirming their central role in cybersecurity initiatives. For most other roles, the percentages range from 44% to 50%, which means that most professionals in these roles have not had such training. The smallest percentage belongs to system operation professionals at 28%. In many modern IT environments, system operation personnel increasingly write software as part of their jobs, giving rise to the DevOps phenomenon. Neglecting security practices in these applications can introduce security vulnerabilities and compromise the whole ecosystem. Training these professionals is also essential because this knowledge enables them to work more collaboratively with software development teams to ensure that security considerations are integrated throughout the lifecycle of the systems they support, enhancing overall organizational security.

Notably, fewer than one-quarter of the respondents have learned about secure software development through formal academic courses (e.g., in colleges and universities), as depicted in Figure 5. This low percentage suggests that skill gaps originate from academic settings and need to be addressed through
additional training before professionals are onboarded onto software development projects. As noted earlier, this is likely simply because it's not required in most undergraduate settings. This additional training ensures that professionals are adequately prepared for the security demands of modern software development.

FIGURE 5: PRIMARY LEARNING RESOURCES FOR SECURE SOFTWARE DEVELOPMENT
Self-study (e.g., online tutorials, videos, books): 74%
Accumulated on-the-job experience: 69%
Industry training and/or certification courses (instructor-led or self-paced): 34%
Workshops or seminars: 31%
Formal education (e.g., college and university courses): 24%
Other (please specify): 3%
Don't know or not sure: 3%
2024 SecEd Survey, Q17, Sample Size=398, Total Mentions=948

FIGURE 6: PERCENTAGE OF RESPONDENTS WHO HAVE TAKEN A COURSE IN SECURE SOFTWARE DEVELOPMENT
All Respondents: 47%; Security team: 60%; OSPO team: 50%; Software development: 48%; Data science: 45%; Others: 45%; Management: 44%; System operations: 28%
2024 SecEd Survey, Q20 by Q5, Sample Size=383, DKNS excluded from the analysis

FIGURE 7: REASONS FOR NOT TAKING A COURSE IN SECURE SOFTWARE DEVELOPMENT
I'm not aware of a good course on the topic: 44%
I haven't been able to find the time: 44%
We haven't budgeted funds to cover these kinds of courses: 29%
I believe I already know enough about the subject: 13%
Secure software development is not relevant to my role: 9%
Secure software development is not an important enough topic: 7%
Secure software development is not relevant to my organization: 4%
Other (please specify): 7%
Don't know or not sure: 3%
2024 SecEd Survey, Q31, Sample Size=150, Total Mentions=239, question answered only by those who answered "No" in Q20

Respondents have not taken a course because they are not aware of a good one

The top reason for not taking a course in secure software development is being unaware of a good one, as depicted in Figure 7. This finding has several implications. First, budget is not the primary constraint, as only 29% of the respondents report this reason. Second, few respondents cited reasons implying that they don't want or need such training, such as believing that they know enough about the subject (13%), the subject not being relevant to their role (9%), the subject not being important enough (7%), or the subject not being relevant to their organization (4%). In Figure 7, we also notice that time constraints appear among the top challenges, very close to not being aware of a good course on the topic. This finding reflects the tight schedules that software development professionals face. Any training in the area should be flexible and objective, allowing professionals to learn without disrupting their productivity.

Respondents are unaware that OpenSSF offers free educational material

Many organizations offer training specifically for secure software development, including the OpenSSF. OpenSSF is a collaborative initiative hosted by the Linux Foundation to improve the security of OSS. Among many initiatives, OpenSSF offers training programs, educational materials, and resources to equip developers with the knowledge and skills necessary for secure coding. OpenSSF even offers a free course on the fundamentals of developing secure software. However, as
pointed out in Figure 8, only one-quarter of the respondents report that their organizations use these materials. The main reason for not using any material is not being aware that OpenSSF offers such materials, as shown in Figure 9. OpenSSF, aware of this research's results, decided to provide more training on secure software development and intensify its advertising efforts.

FIGURE 8: PERCENTAGE OF ORGANIZATIONS THAT USE SECURE SOFTWARE DEVELOPMENT EDUCATIONAL MATERIALS FROM OPENSSF
No: 41%; Yes: 25%; Don't know or not sure: 34%
2024 SecEd Survey, Q21, Sample Size=398

FIGURE 9: REASONS FOR NOT USING EDUCATIONAL MATERIALS FROM OPENSSF
We didn't know that the OpenSSF provides free materials on secure software development best practices and other secure software components: 48%
We are not familiar with the OpenSSF: 30%
We've heard of the OpenSSF, but that's all: 26%
The materials are not relevant to my organization: 7%
We use little or no open source software: 4%
Other (please specify): 15%
Don't know or not sure: 5%
2024 SecEd Survey, Q32, Sample Size=135, Total Mentions=181, question answered only by those who answered "No" in Q32

FIGURE 10: MOST USEFUL SECURITY-FOCUSED EDUCATION PROGRAMS OR RESOURCES
Self-paced training courses, tutorials, or webinars: 74%
Online instructor-led training courses: 52%
Mentorship programs: 35%
In-person instructor-led training courses: 33%
Other (please specify): 3%
Don't know or not sure: 5%
2024 SecEd Survey, Q30, Sample Size=324, Total Mentions=658

Respondents prefer self-paced training

The preferred training option by the organizations is a self-paced approach, with 74% of respondents indicating its usefulness, as noted in Figure 10. This preference reflects the need for flexible learning opportunities that fit busy schedules. Online instructor-led training
courses are also highly valued, with 52% of respondents finding them useful, suggesting a demand for more interactive and structured learning experiences. Mentorship programs are preferred by 35% of respondents, indicating the importance of personalized guidance and support in mastering security skills. Additionally, 33% of respondents see in-person instructor-led training courses as beneficial, emphasizing the value of face-to-face learning environments. These insights underline the diverse preferences for security education formats and the necessity for organizations to offer a variety of training options to meet different learning needs.

Chapter 3: Priority areas for training

As described in the previous chapter, there is a generalized need for more training in secure software development. Given the broad scope of this field, it is essential to understand how to prioritize training efforts and the development of new courses. This chapter explores this perspective by analyzing whether participants prefer language-agnostic or language-specific training and identifying the most needed topics for a course.

The main findings of this chapter are as follows:
1. 79% of respondents consider language-agnostic courses highly important, compared with 54% who attribute a similar level of importance to language-specific courses.
2. The higher level of importance attributed to language-agnostic courses is consistent across various roles, involvement with OSS, regions, types of companies, and organization sizes.
3. Organizations require a diverse range of language-agnostic courses to enhance their IT staff's capabilities in secure software development, with security architecture (64%) emerging as the most popular choice among respondents, closely followed by security education and guidance (64%) and secure implementation (63%).
4. There is a large variation in training needs according to the professional role, OSS involvement, and years of experience, and the most popular choice can be security architecture (software developers and system operations), secure implementation (management and data science), threat assessment (security team), or policy and compliance (OSPO team).
5. Overall, respondents ranked security education and guidance as their top priority (but see below for caveats on this ranking).
6. A Python-specific course is in high demand among respondents, with 71% favo
114、ring it,while JavaScript(client side),the second place,is favored by 49%when relative ranking among languages was not considered.7.Python emerges as the most requested course across all subpopulations,except for OSS committers.This group reports a higher need for C courses,though Python remains a cl
115、ose second in their preferences.8.Despite Pythons overall popularity,when participants were asked to rank their choices,C(22%)and Java(18%)were selected as the top choice more frequently than Python(17%).9.Respondents also report a variety of courses needed by their organizations,emphasizing the imp
116、ortance of specialized training in certifications,testing,secure coding practices,and supply chain security.10.Looking forward,AI and ML security is the primary area needing increased attention and innovation,identified by 57%of respondents,with supply chain security closely following,selected by 56
117、%of participants.20SECURE SOFTWARE DEVELOPMENT EDUCATION 2024 SURVEYProfessionals consider language-agnostic training more important than training focused on a specific languageAs depicted in Figure 11,79%of respondents consider programming languageagnostic secure software development training extre
118、mely or very important,compared with 54%who view programming languagespecific training with this level of importance.Programming languageagnostic courses on secure software development offer several advantages over their language-specific counterparts.Firstly,they provide a broad understanding of se
119、curity principles that apply across various programming languages and platforms,enabling learners to apply these concepts across different ecosystems.Language-agnostic courses emphasize foundational security practices such as threat modeling,secure design principles,and risk assessment,which are cri
120、tical skills irrespective of the specific programming language used.This universality not only makes the knowledge more versatile and applicable in diverse work settings but also prepares developers for future technologies and languages that may emerge.41%25%38%29%17%29%3%15%1%3%Secure software deve
121、lopment coursesLanguage-specificecosystem coursesExtremely importantVery importantImportantSlightly importantNot important at all79%54%FIGURE 11IMPORTANCE OF LANGUAGE-AGNOSTIC SECURE SOFTWARE DEVELOPMENT COURSES AND LANGUAGE-SPECIFIC ECOSYSTEM COURSES2024 SecEd Survey,Q27,Sample Size=316,DNKS exclud
122、ed21SECURE SOFTWARE DEVELOPMENT EDUCATION 2024 SURVEYFigure 12 indicates that the preference for language-agnostic courses is consistent across roles,with the strongest preference coming from security team members,who often need to address systems developed in multiple languages.Additionally,we anal
123、yzed differences segmented by contributions to OSS,OSS roles,regions,types of companies,and organization sizes.In all these segments,respondents consistently rated language-agnostic courses as more important than language-specific ones.78%74%80%88%86%71%68%45%35%51%53%38%43%43%Software developmentSy
124、stem operationsManagementSecurity teamData scienceOSPO teamOthersLanguage-agnostic coursesPercentage of respondents who consider each type of course to be extremely or very importantLanguage-specific coursesFIGURE 12COMPARISON OF THE LEVEL OF IMPORTANCE OF EACH TYPE OF COURSE,SEGMENTED BY EACH ROLE2
125、024 SecEd Survey,Q27 by Q5,Sample Size=316 for language-agnostic and 318 for language-specific,DNKS excluded22SECURE SOFTWARE DEVELOPMENT EDUCATION 2024 SURVEY64%64%63%60%55%51%51%49%49%41%40%30%30%3%5%Security architectureSecurity education and guidanceSecure implementationSecurity testingThreat as
126、sessmentSecure deploymentSecurity requirementsSecure buildArchitecture security assessmentStrategy and metricsPolicy and complianceDefect managementRequirements-driven testingOtherDont know or not sureFIGURE 13LANGUAGE-AGNOSTIC COURSES COULD FILL SIGNIFICANT KNOWLEDGE GAPS FOR ORGANIZATIONS IT STAFF
127、 TO BETTER ADDRESS SECURE SOFTWARE DEVELOPMENT2024 SecEd Survey,Q25,Sample Size=342,Total Mentions=2,244Organizations need a great variety of language-agnostic courses,and security architecture is the most popularOrganizations need a variety of language-agnostic courses to fill educational gaps and
128、help IT staff better address secure software development.As observed in Figure 13,nine courses were selected by at least 49%of the respondents:secure architecture,security education and guidance,secure implementation,security testing,threat assessment,secure deployment,security requirements,secure b
129、uild,and architecture security assessment.The most popular choice for our respondents was security architecture(64.3%),closely followed by security education and guidance(64.0%)and secure implementation(62.6%).Security architecture provides a structured framework that defines the processes,tools,and
protocols required to create and maintain secure software systems. A security architecture enables the consistent application of security standards across all projects, serving as a blueprint for implementing security measures that align with organizational goals and compliance requirements. Such a course would cover how to address security concerns associated with components and technology during the architectural design, development, and deployment stages of software to meet security requirements.

The purpose of security education and guidance is to "provide training for employees to increase their security awareness and leverage this knowledge and other guidance in the design, development, and deployment of secure software." In retrospect, this option should have been more clearly defined, as it had more than one interpretation. One interpretation is that its purpose was to help organizations determine how to devise training sequences for employees that would be most relevant. We believe many respondents did not interpret the question in this way, as increasing experience lowered the likelihood of this choice (the opposite of what one might expect). An alternative interpretation would be that this was asking for "fundamentals," focusing on general knowledge about security education and guidance. We believe, given the other data, that this was the interpretation most respondents intended. It's worth noting that the OpenSSF already has a course on the fundamentals of developing secure software, but as also noted earlier, many respondents were unaware of it.

Finally, secure implementation in software development involves writing source code that avoids common vulnerabilities and is more robust against attacks. This approach adds another layer of defense, ensuring that security is embedded in the code of software products from the outset. During secure implementation, developers apply secure coding practices to prevent vulnerabilities such as SQL injection, cross-site scripting, and buffer overflows. The objective is to mitigate risks early in the
development cycle, reducing the cost and complexity of fixing security issues after deployment. Note that while the fundamentals of secure implementation can be taught without being specific to a programming language, more advanced topics generally do require focusing on specific languages.

Different roles have different needs

As Figure 14 shows, there is considerable variation in the training needs reported by each role. Security architecture emerges as the most popular course among software developers and operations personnel, who are directly involved in software development and deployment. However, it ranks lower for managers (sixth), security teams (third), data science professionals (third), and OSPO teams (fifth). Secure implementation is the preferred course for managers and is especially popular with data science professionals. For security teams, threat assessment ranks as the most relevant course, while for OSPO team members, policy and compliance is the top priority.

We also segmented this analysis from multiple perspectives, detailed in Appendix B with complete rankings. For level of contribution to OSS (Figure 27), region (Figure 29), type of organization (Figure 30), organization size (Figure 31), and familiarity (Figure 32), there is some variation in the top positions, usually held by security architecture or security education and guidance. However, the percentage of respondents does not vary considerably in these cases. Conversely, the OSS role (Figure 28) appears to influence preferences for educational courses, similar to professional roles (Figure 14). Additionally, years of experience also seem to affect course selection, with security testing highly ranked among those with less than five years of experience, security architecture for those with five to 20 years, and secure implementation for those with over 20 years.

FIGURE 14. RANKINGS OF POPULARITY FOR THE LANGUAGE-AGNOSTIC COURSES, SEGMENTED BY ROLE (2024 SecEd Survey, Q25 by Q5, Sample Size=312, Total Mentions=2,035). Survey question: "Which of the following courses could fill significant gaps for the organization you work for to help IT staff better address secure software development? (select all that apply)"
Software developer: security architecture 69%, secure implementation 65%, security education 64%, security testing 62%, threat assessment 55%, security requirements 52%, architecture security assessment 47%, secure build 47%, secure deployment 44%, policy and compliance 40%, strategy and metrics 40%, defect management 31%, requirements-driven testing 27%
System operations: security architecture 69%, secure implementation 65%, security education 65%, secure deployment 62%, architecture security assessment 58%, security requirements 54%, security testing 54%, threat assessment 54%, secure build 50%, strategy and metrics 35%, defect management 31%, policy and compliance 31%, requirements-driven testing 31%
Management: secure implementation 63%, security testing 63%, security education 60%, secure deployment 58%, secure build 55%, security architecture 55%, security requirements 53%, strategy and metrics 53%, architecture security assessment 50%, threat assessment 50%, policy and compliance 48%, requirements-driven testing 38%, defect management 33%
Security team: threat assessment 68%, security education 64%, security architecture 63%, security testing 58%, secure deployment 56%, secure implementation 56%, architecture security assessment 54%, secure build 53%, security requirements 47%, policy and compliance 34%, strategy and metrics 34%, requirements-driven testing 32%, defect management 27%
Data science: secure implementation 88%, secure deployment 75%, security architecture 75%, security education 63%, strategy and metrics 63%, architecture security assessment 50%, policy and compliance 50%, secure build 50%, security requirements 50%, threat assessment 50%, requirements-driven testing 38%, security testing 38%, defect management 25%
OSPO team: policy and compliance 71%, security education 71%, security testing 57%, secure implementation 43%, security architecture 43%, architecture security assessment 29%, security requirements 29%, strategy and metrics 29%, secure build 14%, secure deployment 14%, threat assessment 14%
The number after each course name
represents the percentage of respondents; each role's list is sorted by this number.

Respondents consider security education and guidance their top priority

We also asked respondents to rank their choices for the courses shown in Figure 15 based on their importance. Figure 15 reveals that security education and guidance is most frequently chosen as the most important course. It maintains its lead in the rankings across the top five choices. Additionally, even when considering the average rankings, displayed on the right-hand side of Figure 15, this course continues to outrank the others. Notably, sorting by average ranking does not considerably alter the order of the figure, which is sorted by the percentage of first-place rankings.

FIGURE 15. IMPORTANCE ORDER ATTRIBUTED BY THE RESPONDENTS FOR EACH OF THE SELECTED LANGUAGE-AGNOSTIC COURSES (2024 SecEd Survey, Q26, Sample Size=308, sorted by the percentage of first-place rankings)
Course: ranked first / average rank
Security education and guidance: 22% / 2.8
Strategy and metrics: 15% / 3.0
Security architecture: 12% / 3.6
Policy and compliance: 9% / 3.6
Secure implementation: 9% / 4.2
Threat assessment: 7% / 3.7
Security requirements: 5% / 4.2
Secure build: 4% / 5.7
Architecture security assessment: 4% / 6.5
Security testing: 2% / 6.2
Defect management: 2% / 7.4
Secure deployment: 1% / 6.4
Requirements-driven testing: 1% / 7.8

Figure 15 shows strategy and metrics in second position for both first choices and average rankings, despite its lower 10th place in terms of popularity, as shown in Figure 13. This disparity suggests that while strategy and metrics may not attract widespread attention, those who prioritize it find considerable value in its content, implying that the course is highly valued by those with specific needs that require deeper strategic and metrics-driven insights. Such insights could help educational providers tailor and market this course more effectively to its most appreciative audience. Our data suggests that those who rank strategy and metrics as a top choice are predominantly from larger organizations (20,000+ employees) and possess a high degree of familiarity with secure software development. This trend suggests that individuals in more complex organizational environments, who have moved beyond basic security concepts, tools, and processes, require specific strategies and metrics to effectively develop and assess secure software.

A Python-specific course is a popular demand

Among the language-specific courses, there is a demand for Python-focused education, with 71% of respondents indicating this preference when ignoring rankings, as shown in Figure 16. This demand significantly exceeds that for the next most popular course, JavaScript (client side), which 49% of respondents favor. Even when combining the figures for those who selected JavaScript for both client side and server side, the JavaScript total only marginally increases to 53%, still considerably lower than Python. This is primarily due to a large overlap between those who use JavaScript on the client and those who use it on the server.

Python's popularity could stem from several factors. It is known for being accessible to beginners. It has become a go-to language for many professionals, whether they are shifting from other languages or were introduced to it during their education. Notably, Python is the second most popular language on GitHub [5], trailing only JavaScript, and its use has surged by over 22% year over year. The language is also prominent in rapidly growing fields such as AI and ML. The shift of developers toward Python, combined with a relative scarcity of educational materials focused on secure software development for Python, likely contributes to the high demand for such courses. Some common vulnerabilities that plague Python code are injection and arbitrary command execution, insecure file handling, outdated dependencies, directory traversal, and improper package management.

[5] https://github.blog/2023-03-02-why-python-keeps-growing-explained/

Nevertheless, JavaScript, the second choice, remains an important part of software development, recognized by GitHub as the most common language in its repositories. Client-side JavaScript is exposed to vulnerabilities such as cross-site scripting and sensitive data exposure.
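The secure implementation discussion earlier in this chapter and the list of common Python defects above both name injection and path handling as routine problems. The following is an added example written for this edition, not code from the report or from any OpenSSF course. It places a vulnerable form beside a hardened one for two of the Python issues listed: arbitrary command execution through a shell command string, and directory traversal through an unchecked file path. The function names, the hostname pattern, and the temporary directory layout are assumptions made for illustration.

```python
import os
import re
import tempfile
from typing import Dict, List

# Hostname syntax check: dot-separated labels of letters, digits and hyphens.
# Assumed policy for this example: anything else is rejected outright.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_command_unsafe(host: str) -> str:
    """Vulnerable: builds a string meant for subprocess.run(..., shell=True).

    A host such as 'example.com; id' makes the shell run a second command,
    which is the arbitrary command execution defect named in the text.
    """
    return f"ping -c 1 {host}"


def ping_command_safe(host: str) -> List[str]:
    """Hardened: validates the value and returns an argv list.

    Passing the list to subprocess.run() without shell=True hands the host to
    ping as a single argument; no shell interprets metacharacters, and the
    validation rejects them anyway.
    """
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def read_user_file_unsafe(base_dir: str, relpath: str) -> str:
    """Vulnerable: trusts a caller-supplied relative path.

    '../secret.txt' walks out of base_dir, and os.path.join discards base_dir
    entirely when relpath is absolute (directory traversal).
    """
    with open(os.path.join(base_dir, relpath), encoding="utf-8") as f:
        return f.read()


def read_user_file_safe(base_dir: str, relpath: str) -> str:
    """Hardened: resolves the final path and checks it is still inside base_dir.

    realpath() collapses '..' and follows symlinks before the containment
    check, so neither trick can move the target outside the base directory.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relpath))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes base directory: {relpath!r}")
    with open(target, encoding="utf-8") as f:
        return f.read()


def make_demo_tree() -> Dict[str, str]:
    """Constructed directory layout for exercising the functions above:

        <tmp>/files/notes.txt   inside the served directory
        <tmp>/secret.txt        outside it; must never be readable
    """
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    base = os.path.join(root, "files")
    os.mkdir(base)
    with open(os.path.join(base, "notes.txt"), "w", encoding="utf-8") as f:
        f.write("hello\n")
    with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as f:
        f.write("top secret\n")
    return {"root": root, "base": base}


def is_rejected(func, *args) -> bool:
    """True when func raises one of the validation errors the hardened versions use."""
    try:
        func(*args)
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    paths = make_demo_tree()
    print(ping_command_unsafe("example.com; id"))                  # ping -c 1 example.com; id
    print(is_rejected(ping_command_safe, "example.com; id"))        # True
    print(read_user_file_unsafe(paths["base"], "../secret.txt"))    # top secret
    print(is_rejected(read_user_file_safe, paths["base"], "../secret.txt"))  # True
```

The hardened file reader still has a time-of-check/time-of-use window if an attacker can replace a symlink between the realpath() call and open(); on Linux, opening with O_NOFOLLOW relative to a directory file descriptor closes that gap, but the containment check shown here is the part most often missing.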
The popularity of Python is confirmed across different populations

As illustrated in Figure 17, a Python-specific security course emerges as the most popular language-specific demand across all respondent roles when ignoring rankings. Figure 17 also confirms Python's popularity in data science, with participants in these roles universally recognizing the relevance of Python-specific courses to their needs. As observed in Appendix C, which segregates rankings for language-specific courses, Python emerges as the most requested course across all subpopulations except OSS committers. This group reports a higher need for C courses, though Python remains a close second in their preferences. This highlights the specific demands of OSS committers, who may deal more frequently with lower-level programming challenges. In contrast, the broader popularity of Python highlights its widespread utility and appeal in various fields.

FIGURE 16. LANGUAGE-SPECIFIC ECOSYSTEM COURSES THAT ORGANIZATIONS SHOULD MAKE AVAILABLE TO THEIR DEVELOPERS (2024 SecEd Survey, Q23, Sample Size=352, Total Mentions=1,454)
Python: 71%
JavaScript (client side): 49%
Java: 48%
Go: 41%
C: 40%
C++: 39%
JavaScript (server side): 38%
Rust: 35%
C#: 22%
PHP: 18%
Other (please specify): 9%
None of the above or not applicable to our organization: 3%

FIGURE 17. RANKINGS OF POPULARITY FOR THE LANGUAGE-SPECIFIC COURSES, SEGMENTED BY ROLE (2024 SecEd Survey, Q23 by Q5, Sample Size=321, Total Mentions=1,320). Survey question: "Which language-specific ecosystem course(s) on secure software development should the organization you work for make available to its developers? (select all that apply)" The number after each language is the percentage of respondents; each role's list is sorted by this number.
Software developer: Python 66%, JavaScript (client side) 47%, Java 45%, C 42%, C++ 40%, Go 35%, JavaScript (server side) 34%, Rust 31%, C# 18%, PHP 16%
System operations: Python 77%, Java 58%, Go 54%, JavaScript (client side) 50%, JavaScript (server side) 38%, PHP 27%, C++ 23%, C# 19%, Rust 19%, C 15%
Management: Python 78%, JavaScript (client side) 56%, JavaScript (server side) 56%, Java 49%, C 39%, Go 39%, Rust 39%, C# 34%, C++ 29%, PHP 20%
Security team: Python 80%, Go 60%, Java 60%, JavaScript (client side) 53%, Rust 52%, C++ 48%, C 45%, JavaScript (server side) 40%, C# 23%, PHP 17%
Data science: Python 100%, Go 38%, C 25%, C++ 25%, Java 25%, JavaScript (client side) 25%, JavaScript (server side) 25%, C# 13%, Rust 13%
OSPO team: Python 57%, C 29%, C++ 29%, C# 29%, Go 29%, Java 29%, JavaScript (client side) 29%, JavaScript (server side) 29%, Rust 29%

C and Java are more frequently selected as top-choice courses

In contrast to its overall popularity, when participants were asked to rank their choices, C and Java were selected as the top choice more frequently than Python, as shown in Figure 18. However, Python leads when considering the top two or three choices. A possible explanation is that Python is often chosen together with other languages, indicating its role in a bigger ecosystem of programming languages, whereas C and Java are more commonly selected on their own.

FIGURE 18. IMPORTANCE ORDER ATTRIBUTED BY THE RESPONDENTS FOR EACH OF THE SELECTED LANGUAGE-SPECIFIC COURSES (2024 SecEd Survey, Q24, Sample Size=331, sorted by the percentage of first-place rankings)
Language: ranked first / average rank
C: 22% / 2.4
Java: 18% / 2.8
Python: 17% / 3.1
Go: 8% / 3.4
C++: 7% / 3.1
Rust: 6% / 4.5
JavaScript (client side): 6% / 3.1
C#: 5% / 3.6
JavaScript (server side): 4% / 4.1
PHP: 3% / 4.9

C is used to build critical infrastructure, and there is certainly much to explore in secure software development courses focused on this language. C is susceptible to vulnerabilities such as buffer overflows, uninitialized variables, null pointer dereferencing, improper type conversions, use after free, and double frees. Java, another versatile programming language, is widely used across various types of systems and applications. Despite a slight decrease in popularity, as measured by TIOBE [6], it remains pivotal in creating a variety of new systems, and there are many production systems in the market using Java, given the decades of the language's existence.

[6] https:/ https:/

Respondents report a variety of courses needed by their organization

Respondents could also freely report courses they need in open-ended questions. Table 1 presents the classification of their answers. While many of the options are already explicitly covered in the options above, some interesting recurrent topics emerged.

The table highlights the value of certifications, which authenticate the expertise of professionals in specific topics and establish a standardized knowledge base among professionals. For organizations, certifications ensure that individuals handling software security are well versed in best practices and the latest methodologies. Certifications such as Certified Secure Software Lifecycle Professional (CSSLP) and Certified Ethical Hacker (CEH) validate an individual's expertise and commitment to the field and are often required by employers. Moreover, certifications help maintain a culture of continual learning, as they often require ongoing education and renewals, encouraging professionals to keep abreast of evolving threats and technologies.

Verification was also a recurring theme among the responses. Regular and comprehensive verification not only helps avoid bugs that can be exploited by attackers but also can exercise specific security aspects. Static application security testing (SAST) examines source code to find vulnerabilities without executing it. Unit testing provides specific inputs to parts
of programs ("units") and then determines whether the result is the expected one. Fuzzing "randomly" generates inputs and then executes software to detect undesired behavior (such as crashing). Web application scanners simulate an attacker's browser, crawling through a web application's pages and examining it for security vulnerabilities. The term "dynamic application security testing" (DAST) has various meanings: it is sometimes used as a synonym for web application scanners [7,8], while others use it to include web application scanners and fuzzers [9,10]. Together, such techniques catch a broad range of vulnerabilities at various stages of the software development lifecycle. Importantly, some respondents reported the need for courses emphasizing security testing automation and its integration into the continuous integration/continuous deployment (CI/CD) pipeline.
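The paragraph above distinguishes unit testing (chosen inputs, expected results) from fuzzing (generated inputs, watch for crashes) and notes the demand for running both from CI. The following added example, written for this edition and not taken from the report or any of the tools it mentions, shows the two side by side on a constructed target: a toy "key=value;key=value" parser whose hand-written unit tests pass while a seeded mutation fuzzer finds an input that crashes it, and the repaired parser that survives the same fuzzer. The parser, its tests, the mutation operators, and the seed inputs are all assumptions made for illustration.

```python
import random
from typing import Callable, Dict, List, Optional

Parser = Callable[[str], Dict[str, str]]


def parse_pairs_buggy(text: str) -> Dict[str, str]:
    """Toy parser for 'k1=v1;k2=v2' strings (a constructed target, not real code).

    Defect: a part without '=' splits into a one-element list, so kv[1] raises
    IndexError instead of the ValueError callers are told to expect.
    """
    out: Dict[str, str] = {}
    for part in text.split(";"):
        if not part:
            continue
        kv = part.split("=", 1)
        out[kv[0].strip()] = kv[1].strip()
    return out


def parse_pairs_fixed(text: str) -> Dict[str, str]:
    """Same parser with malformed input rejected explicitly and consistently."""
    out: Dict[str, str] = {}
    for part in text.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed pair: {part!r}")
        out[key.strip()] = value.strip()
    return out


def run_unit_tests(parser: Parser) -> bool:
    """Example-based checks: the inputs a developer thought of. Both parsers pass."""
    return (
        parser("a=1;b=2") == {"a": "1", "b": "2"}
        and parser("") == {}
        and parser(" a = 1 ;") == {"a": "1"}
    )


def mutate(text: str, rng: random.Random) -> str:
    """One random edit: drop, duplicate, insert, or overwrite a character."""
    if not text:
        return rng.choice(["=", ";", "a"])
    i = rng.randrange(len(text))
    op = rng.choice(["drop", "dup", "insert", "overwrite"])
    if op == "drop":
        return text[:i] + text[i + 1:]
    if op == "dup":
        return text[:i] + text[i] + text[i:]
    if op == "insert":
        return text[:i] + rng.choice("=;ab \x00") + text[i:]
    return text[:i] + chr(rng.randrange(32, 127)) + text[i + 1:]


def fuzz(parser: Parser, seeds: List[str], iterations: int = 2000, seed: int = 1) -> Optional[str]:
    """Mutation fuzzer: returns the first input that crashes the parser, else None.

    'Crash' means any exception other than the documented ValueError. Inputs
    that parse cleanly are kept as new seeds so later mutations explore further.
    A CI job would call this and fail the build when it returns a string.
    """
    rng = random.Random(seed)  # fixed seed: the run is reproducible in CI
    corpus = list(seeds)
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            parser(candidate)
        except ValueError:
            continue  # documented rejection, not a defect
        except Exception:
            return candidate  # unexpected exception type: a crash to report
        corpus.append(candidate)
    return None


if __name__ == "__main__":
    print(run_unit_tests(parse_pairs_buggy), run_unit_tests(parse_pairs_fixed))  # True True
    print(repr(fuzz(parse_pairs_buggy, ["a=1;b=2"])))  # a crashing input such as 'a1;b=2'
    print(fuzz(parse_pairs_fixed, ["a=1;b=2"]))        # None
```

The point a course would draw out: the unit tests encode the author's expectations and so share the author's blind spots, while the fuzzer only needs an oracle ("no exception other than ValueError") and finds the case nobody wrote down. Wiring the fuzz call into the test job, with the seed fixed and the crashing input saved as a new regression test, is the "automation and integration into CI/CD" respondents asked for.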
The necessity of integrating security directly into the implementation process is emphasized, highlighting the importance of educational programs that focus on best implementation practices and defensive programming. Such courses teach developers to incorporate security measures right from the initial stages of software development, making code more robust against potential threats.

Courses related to supply chain security were also recurrently requested. Modern software does not exist in isolation but is connected to a vast network of interdependencies with external packages. The complexity and interconnectedness of modern software supply chains mean that vulnerabilities in any component can compromise the entire system, as evidenced by some recent major cybersecurity issues. Therefore, it's essential for developers to implement strict security practices throughout the supply chain. This includes vetting third-party vendors, using verified and secure open source libraries, and continuously monitoring for vulnerabilities in third-party components. Additionally, maintaining an accurate and up-to-date software bill of materials (SBOM) is crucial, as it provides transparency about all components used in the software, enabling better management of potential risks.

In sum, Table 1 categorizes recurrent secure software development education areas, emphasizing the need for specialized training tailored to the multifaceted challenges of IT security.

TABLE 1. RESPONDENT-RECOMMENDED COURSES IDENTIFIED IN AN OPEN-ENDED SURVEY QUESTION (2024 SecEd Survey, Q22, Sample Size=558, each participant provided two responses, table sorted by recurrence, only the top topics are shown)
Topic: Examples
Certification: CEH, CASE, CSSLP, CISA, CISSP, CSSE, OSP
Testing: Automated security testing, modern testing to legacy code, code security testing, DAST, SAST, fuzzing, penetration testing, unit testing
Coding practices: Best coding practices, coding rules, defensive programming, error handling, how to build security into code, coding based on OWASP Top 10
Supply chain: Supply chain security, SBOM, dependency management, screening packages before use, Sigstore, supply chain attacks, tooling
Threat modeling: Agile threat modeling, threat analysis, threat intelligence, threat modeling with effective definition of trust boundaries, vulnerability analysis
Secure architecture: Secure by design, secure API development, secure design patterns, designing secure software with emphasis on testing
Cloud security: Cloud-native security best practices, cloud configurations, public clouds, AWS, AZ-500
Secure software development (general): Secure software development for engineers early in their career, secure software development fundamentals, holistic security perspective
Identity and access management: Access control, access management, authentication, IAM
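The supply chain paragraph above and the "Supply chain" row of Table 1 together name the practices respondents want taught: screening packages before use, dependency management, and keeping an SBOM. The following added example, written for this edition and not code from the report or from any SBOM tool, shows what an organization can actually do with an SBOM once it has one. It reads a constructed document in CycloneDX JSON layout (bomFormat, components, purl and hashes are CycloneDX field names; the packages, versions, digests and advisory are invented) and flags three things: a component whose version falls in an advisory's affected range, a component whose recorded digest differs from the one captured when the package was vetted, and a component that was never vetted or has no digest at all. The advisory feed, the allowlist, and the dotted-integer version comparison are assumptions for illustration.

```python
import json
from typing import Dict, List, Tuple

# Placeholder digests (constructed, not real artifact hashes).
REQUESTS_SHA256 = "aa" * 32
URLLIB3_SHA256_IN_SBOM = "bb" * 32
URLLIB3_SHA256_VETTED = "cc" * 32   # differs from the SBOM: rebuilt or tampered artifact

# Constructed SBOM, serialized so the audit reads JSON text as it would from a file.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.28.0",
         "purl": "pkg:pypi/requests@2.28.0",
         "hashes": [{"alg": "SHA-256", "content": REQUESTS_SHA256}]},
        {"type": "library", "name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.1",
         "hashes": [{"alg": "SHA-256", "content": URLLIB3_SHA256_IN_SBOM}]},
        {"type": "library", "name": "leftpad-utils", "version": "0.1.0",
         "purl": "pkg:pypi/leftpad-utils@0.1.0"},   # no hashes recorded
    ],
})

# Constructed advisory feed: a package is affected from 'introduced' up to,
# but not including, 'fixed'. Real feeds (OSV, vendor advisories) carry the same shape.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "pkg:pypi/requests",
     "introduced": "2.0.0", "fixed": "2.31.0"},
]

# Assumed allowlist written when packages were screened before use: purl -> SHA-256.
VETTED = {
    "pkg:pypi/requests@2.28.0": REQUESTS_SHA256,
    "pkg:pypi/urllib3@2.2.1": URLLIB3_SHA256_VETTED,
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Assumes plain dotted integers; production code needs the ecosystem's own rules (PEP 440 for PyPI)."""
    return tuple(int(part) for part in version.split("."))


def purl_without_version(purl: str) -> str:
    """'pkg:pypi/requests@2.28.0' -> 'pkg:pypi/requests'."""
    return purl.split("@", 1)[0]


def audit_sbom(sbom_json: str, advisories: List[Dict[str, str]], vetted: Dict[str, str]) -> List[str]:
    """Returns one finding per problem; an empty list means the SBOM passed every check."""
    findings: List[str] = []
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX document"]
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        version = comp.get("version", "")
        package = purl_without_version(purl)

        # 1. Known-vulnerable version range (continuous monitoring of third-party components).
        for adv in advisories:
            if package == adv["package"] and (
                parse_version(adv["introduced"]) <= parse_version(version) < parse_version(adv["fixed"])
            ):
                findings.append(f"{purl}: affected by {adv['id']}, fixed in {adv['fixed']}")

        # 2. Integrity: a digest must be recorded and must match the vetted artifact.
        recorded = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        sha256 = recorded.get("SHA-256")
        expected = vetted.get(purl)
        if sha256 is None:
            findings.append(f"{purl}: no SHA-256 recorded; artifact cannot be verified")
        elif expected is not None and sha256 != expected:
            findings.append(f"{purl}: SHA-256 differs from the vetted artifact")

        # 3. Provenance: the package must have been screened before use.
        if expected is None:
            findings.append(f"{purl}: not on the vetted allowlist")
    return findings


if __name__ == "__main__":
    for line in audit_sbom(SBOM_JSON, ADVISORIES, VETTED):
        print(line)
```

Run against the constructed document, the audit reports four findings: the vulnerable requests version, the urllib3 digest mismatch, and two for leftpad-utils (no digest, never vetted). Each check maps to a phrase in the paragraph above, and a CI step that fails on a non-empty result is the practical form of "continuously monitoring for vulnerabilities in third-party components."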
New areas may emerge in the future

Securing software development is a dynamic challenge due to its many components and the field's constant evolution. We surveyed our participants about the areas within secure software development that will require more attention and innovation in the future, as depicted in Figure 19. AI and ML security has surfaced as a prominent concern, with 57% of survey respondents identifying it as an area needing heightened attention and innovation from the secure software development perspective. As these technologies become integral to various industries, their security implications grow more critical. The complexity of AI and ML systems, combined with their data-intensive operations, exposes them to unique vulnerabilities, such as data poisoning, model theft, and adversarial attacks. At this time, developing secure ML systems ("adversarial machine learning") involves many unsolved research problems, and currently known mitigations are typically weak against adversaries [11]. As these technologies continue to evolve and scale, robust AI and ML security practices will be increasingly critical.

[11] https://csrc.nist.gov/pubs/ai/100/2/e2023/final

Following closely behind AI and ML security, supply chain security was identified by 56% of respondents as a critical area, which is also in line with the results from the open-ended question discussed in the previous section. Securing supply chains will become increasingly important in the future due to the escalating complexity, interconnectivity, and globalization of software development ecosystems. As businesses integrate a multitude of third-party components and services, from libraries and frameworks to development tools, the attack surface for potential vulnerabilities expands significantly. Furthermore, as regulatory demands for software security and data protection grow stricter worldwide, compliance becomes more challenging.

FIGURE 19. AREAS OF SECURE SOFTWARE DEVELOPMENT THAT WILL NEED MORE ATTENTION AND INNOVATION (2024 SecEd Survey, Q29, Sample Size=324, Total Mentions=1,227)
AI and ML security: 57%
Supply chain security: 56%
Automated security testing and integration: 50%
Security risk due to human factors: 48%
Cloud native and serverless security: 40%
Privacy-enhancing technologies (incorporating privacy by design): 37%
IoT and embedded computing security: 31%
Quantum-resistant cryptography: 28%
Edge security: 25%
Other (please specify): 3%
Don't know or not sure: 3%

The survey also highlighted several other areas of concern. Automated security testing and integration was noted by 50% of respondents, emphasizing the need for robust mechanisms to continuously identify and address vulnerabilities in an automated manner. Nearly half (48%) mentioned security risks due to human factors, confirming the critical role of human error in cybersecurity breaches. Cloud native and serverless security concerns were raised by 40% of participants, reflecting the shift toward these modern computing paradigms and their unique security demands. Privacy-enhancing technologies were a priority for 37%, evidencing the growing importance of protecting personal data amid increasing privacy regulations. Other areas of concern were Internet of Things (IoT) and embedded computing security (31%), quantum-resistant cryptography (28%), and edge security (25%).

Chapter 4: OpenSSF course selection

One key reason for conducting this OpenSSF Security Education survey was to identify what course the OpenSSF should develop next. While the OpenSSF could guess or ask just a few people, it wanted to make decisions based on quantitative data from a widespread survey. Given this survey data, the OpenSSF selected security architecture, as explained below.

Before conducting this survey, the OpenSSF suspected that respondents would generally prefer a language-specific course in a language such as C, Java, or Python. It's true that 54% did rate language-specific courses as "extremely important" or "very important" (Figure 11), indicating that many are interested in such material. However, an even larger 79% rated courses not specific to a language as "extremely important" or "very important." This suggests that the OpenSSF should currently focus on creating courses that are not specific to a programming ecosystem.

Exactly which area is a much more complex question, because different areas were identified as a "top" choice by different measures. In popularity, security architecture and security education and guidance were the most popular, followed by secure implementation, security testing, and threat assessment. Considering only first choices, security education and guidance was the most popular choice, followed by strategy and metrics and security architecture. In the average ranking when considering popularity, security education and guidance is on top, followed by security architecture and secure implementation. This variation makes decision-making more complicated.

An analysis by roles helps explain why there is such variation. In short, different roles tend to emphasize different areas. Security architecture is the top choice for software developers and system operators and holds the third spot for security teams. However, management, data science, and OSPO roles have different priorities. Thus, it shouldn't be surprising that there are multiple "top" answers.

Splitting things up by region revealed an interesting variation: security architecture was the top choice everywhere except the U.S. and Canada. In the U.S. and Canada, security education and guidance and secure implementation took the top two spots. This suggests that there was a larger mixture of different respondent roles in the U.S. and Canada, leading to more variation.

Years of experience did have a considerable impact. Those with less than five years of experience emphasized security testing as their top pick, while those with five to 20 years of experience emphasized security architecture as their top pick. Those with more than 20 years of experience had secure implementation as their top pick, with security architecture as their second choice. We have a hypothesis: less-experienced developers expect that security testing will find all or most of the defects. As developers gain experience, they learn that while such approaches are important, these techniques' false positives and false negatives mean that security architecture has an outsized impact on security, and they want to learn more about that. By the time they have 20 years of experience, they have learned security architecture, and while they are still very interested, keeping up their knowledge in secure implementation takes
219、 precedence.35SECURE SOFTWARE DEVELOPMENT EDUCATION 2024 SURVEYWhile the OpenSSF would love to create all of these courses,it has limited resources and must pick where to start.Some areas seem promising at first but are less so on further consideration:1.Security education and guidance is ranked hig
220、hly,but its something of a meta-category.Its definition focused on creating educational systems,yet novices ranked it highly(Figure 33),suggesting that many respondents were not looking at the provided definition but were responding to the notion of wanting more education and guidance in general.2.S
221、ecure implementation is also ranked highly,but the existing OpenSSF fundamentals course already covers secure implementation in a language-independent way.The OpenSSF could go into more depth in secure implementation,but this would essentially require language-specific courses.The other answers indi
222、cated that programming language-specific material is important to many but not the most important.Had programming language-specific material ranked much more highly,focusing on this topic would have been appropriate,but with the other answers,it seems less important.3.Security testing is ranked high
223、ly in unstructured feedback and among novices.This is tempting as a decision.Security testing might be a great course after the next one the OpenSSF does.However,its much less highly ranked among those with experience,and while it ranks highly in some areas,it ranks much lower in others.The OpenSSF
224、should definitely consider creating this course afterward,but it seems less promising as the next course to create.Those with management roles had different priorities than those with other roles.However,the OpenSSF is already working on a course focused on management.The OpenSSF thinks that a cours
225、e focused on management would best address their priorities,so for its“201 course,”it can focus on others priorities instead.At this time,the OpenSSF is planning to focus on security architecture.Its the top area in overall popularity as well as the top choice by software developers and system opera
226、tors for gap-filling.It also often scores quite highly even in the areas where it isnt the top spot.Many indicated that threat assessment was important,and the OpenSSF could consider including that in a security architecture course.No one topic is the top choice for everyone,but given the trade-offs
227、,this appears to be a good choice.There are some courses in security architecture but not many,and most only discuss a short list of principles.The OpenSSFs current fundamentals course does discuss security architecture,but like other courses,it mostly discusses a short list of principles.As a resul
228、t,a security architecture course could be a clear follow-on course that easily extends the existing material.Thus,the OpenSSF believes that addressing security architecture next would best meet respondents needs.36SECURE SOFTWARE DEVELOPMENT EDUCATION 2024 SURVEYChapter 5:About the survey and its re
229、spondentsThis study is based on a web survey conducted by the Linux Foundation and its partners from March 1 through April 19,2024.We received 398 valid responses,318 of which completed the whole survey.Moreover,some questions were not intended for all respondents,as noted in Table 2,which describes
the structure of the survey. Therefore, the sample size for the different analyses can vary, as noted in the captions of the figures throughout this report. In the following, we present the demographics of the respondents and the study methodology. The full survey instrument is available at http://www.data.world/thelinuxfoundation.

TABLE 2: STRUCTURE OF THE SURVEY

Pages | Questions | Question categories | Who answers the questions
P1 | | Introduction | All respondents
P2–P3 | Q1–Q6 | Tell us about yourself | All respondents (N=398)
P4 | Q7–Q8 | Involvement in open source | Open source contributors (N=270)
P5 | Q9–Q13 | Tell us about the organization that you work for | Only employed professionals (N=362)
P6 | Q14–Q21 | Perspectives on secure software development | All respondents (N=398)
P7–P9 | Q22–Q30 | Educational needs for secure software development | All respondents (N=322–352)
P9 | Q31–Q32 | Reasons for non-use of education materials | Respondents who have not taken courses (N=135–150)
P10 | Q33 | LFR Panel and reward information | All respondents

Demographics

Figure 20 presents the demographics of the respondent organizations. In terms of organization size based on the number of employees, we classified respondents into small (1–249), medium (250–999), and large (20,000+) organizations. A similar number of respondents from each organization size participated in the survey; 31% were small, 35% were medium, and 33% were large. In terms of type of company, there is a balance between organizations that consume IT products and services but operate in other areas (47%) and organizations whose revenue stream comes primarily from IT products and services (41%). There are also other types of organizations (12%), such as government entities, non-profits, foundations, and academic institutions, represented in the survey. The panel on the right provides a window into the organizations' primary industry. Overall, information technology (IT vendor, service provider, or manufacturer) accounts for 48% and other industries for 52% of the sample. The strong showing of IT is not surprising, given the survey's focus. Other named industries, totaling 22%, were retail, education, utilities, transportation, and others (totaling less than 3% in the sample).

FIGURE 20: ORGANIZATIONAL DEMOGRAPHICS
Organization size ("Please estimate how many total employees are in the company or entity you work for."): 1 to 249: 31%; 250 to 19,999: 35%; 20,000+: 33%.
Type of company ("Which type of company or entity do you work for?"): Our primary revenue stream comes from providing industry-specific products or services: 47%; Our primary revenue stream comes from providing IT products or services: 41%; Other type of entity (e.g., government entity, non-profit, foundation, academic institution): 12%.
Industry ("Which of the following best describes your company's or entity's primary industry?"): Information technology 48%; Financial services 6%; Government 6%; Healthcare 5%; Telecommunications 4%; Automotive 4%; Media 4%; Other named industries 22%.
Sources: 2024 SecEd Survey, Q12, Sample Size=356, DKNS excluded, result of the regrouping of other answers; 2024 SecEd Survey, Q10, Sample Size=362; 2024 SecEd Survey, Q11, Sample Size=362.

Figure 21 shows some demographics of the respondents. Software developers comprise half of the sample (50%), followed by security team (16%), management (12%), system operations (9%), and others. Most respondents are employed full time (82%) and represent multiple perspectives, with some being able to speak for themselves (37%), the department (28%), the company (20%), or the industry (16%). Most participants are involved in OSS to some extent, with 17% contributing less than one hour per week and 51% contributing more. The most common role is occasional contributor (39%), followed by maintainer (28%), non-development contributor (14%), core contributor (9%), and committer (8%). Regarding geographic region, the majority of respondents are located in Europe (41%) or the U.S. or Canada (36%), while 13% come from the Asia-Pacific region. The remaining 9% are from other parts of the world. The survey data reveals a diverse range of experience levels, with 20% having less than five years, 53% having five to 20 years, and the remaining 27% having more than 20 years of experience in software development. However, when focusing on secure software development, 30% have less than two years, 48% have three to 10 years, and 22% have more than 10 years of experience. Finally, in terms of familiarity, nearly half of the respondents (47%) consider themselves very or extremely familiar with secure software development, 28% report being not familiar or slightly familiar, and 25% report being just familiar.

Methodology and open results data

The study data was collected via an online survey promoted via social media, the Linux Foundation and L websites, and the Linux Foundation Newsletter and with the support of the OpenSSF. We received 786 responses, but 388 were discarded for not meeting the screening criteria or passing the quality checks. The screening criteria for participants included being involved in software application development, confirming their human status in a question designed to filter out bots, and being able to speak about the topic. The quality check involved ensuring sufficient data for analysis, which was measured by the number of questions answered and the frequency of "Don't know or not sure" (DKNS) responses. Additionally, the quality check encompassed a thorough manual review of open-ended responses, the time spent on the survey, and patterns in the answers provided. The final sample size analyzed for the survey was 398. To access the survey dataset, see http://www.data.world/thelinuxfoundation.

It is worth noting that participation in the survey was voluntary, which may introduce self-selection bias. This type of bias occurs when participants choose to
be part of a study or survey based on characteristics that also influence the outcome of interest, potentially skewing the results.

How missing data is handled. Although respondents are required to answer nearly all questions in the survey (the only exceptions are some open-ended questions), there are times when a respondent is unable to answer a question because it is outside the scope of their role or experience. For this reason, we frequently add a DKNS response to the list of responses for a question. However, this creates a conundrum regarding what to do with DKNS responses. One approach is to treat it just like any other response. In this way, report readers can see the percentage of respondents that answered DKNS. The advantage of this approach is that it reports back the exact distribution of the data collected. The challenge with this approach is that it distorts the distribution of valid responses, those responses where respondents could answer the question.

Some of the analyses in this report excluded the DKNS. This can be done because the data missing can be classified as either missing at random or missing completely at random. Excluding DKNS data from a question does not change the distribution of data (counts) for the other responses, but it does change the size of the denominator used to calculate the percent of responses across the remaining responses. This has the effect of proportionally increasing the percent values of the remaining responses relative to the number of DKNS responses. The number of valid cases is adjusted accordingly. Where we have elected to exclude DKNS data, a careful examination of the footnote for the figure will enable the reader to determine the number of DKNS responses based on the difference between the sample size (DKNS included) and valid cases (DKNS excluded). Finally, percentage values in this report may not add up to exactly 100% due to rounding.

FIGURE 21: RESPONDENT DEMOGRAPHICS
Role ("Professionally, which role or field do you most closely identify with?"): Software development 50%; Security team 16%; Management 12%; System operations 9%; Data science 3%; OSPO team 2%; Other 9%.
Employment ("What is your current employment status?"): Employed, full time 82%; Self-employed, full time or part time 8%; Student, full time or part time 3%; Unemployed but looking for work 3%; Employed, part time 1%; further categories listed: Unemployed and looking for first role; Unemployed and not looking for work; Retired.
Perspective ("What perspective will you speak for in this survey?"): I can speak only for myself 37%; I can only speak for the department or group that I work with 28%; I can speak for the entire company or enterprise that I work for 20%; I work for multiple entities and can speak for what I see in the industry 16%; Don't know or not sure 0%.
Contribution to OSS ("How many hours do you contribute to open source projects per week on average?"): Non contributor 33%; Less than 1h/week 17%; More than 1h/week 51%.
OSS role ("What role occupies most of your time in the open source projects you are involved with?"): Occasional contributor 39%; Maintainer 28%; Non-development contributor 14%; Core contributor 9%; Committer 8%; Other (please specify) 3%.
Region ("In what country or region are you based?"): Europe 41%; United States or Canada 36%; Asia-Pacific 13%; Rest of world 9%.
Experience in software development ("How many years of experience do you have in software development?"): Less than 5 years 20%; 5 to 20 years 53%; More than 20 years 27%.
Experience in secure software development ("How many years of experience do you specifically have in secure software development?"): Less than 2 years 30%; 3 to 10 years 48%; More than 10 years 22%.
Familiarity ("How familiar are you with secure software development?"): Low familiarity 28%; Familiar 25%; Very or extremely familiar 47%.
Sources: 2024 SecEd Survey, Q3, Sample Size=398, simpler names for the categories and merging IT development Director or Vice President, IT operations Director or Vice President, Product or project management, and C-level under the Management category, all the others under Other; 2024 SecEd Survey, Q4, Sample Size=398; 2024 SecEd Survey, Q9, Sample Size=362, Asia-Pacific=China, India, Japan, Oceania, Asia Pacific (except), Rest of World=Mexico, Central America, the Caribbean, or South America, Middle East, Other (please specify); 2024 SecEd Survey, Q8, Sample Size=270; 2024 SecEd Survey, Combined Q6 & Q7, Sample Size=391, DKNS excluded; 2024 SecEd Survey, Q14, Sample Size=396, DKNS excluded, Low familiarity=Not familiar at all + Somewhat familiar, Very or extremely familiar=Very familiar + Extremely familiar; 2024 SecEd Survey, Q16, Sample Size=369, DKNS excluded, regrouping of more specific answers; 2024 SecEd Survey, Q15, Sample Size=395, DKNS excluded, regrouping of more specific answers.

Conclusion

In conclusion, our survey has revealed significant gaps in the current state of secure software development knowledge and training among professionals. A substantial portion of developers, including those with extensive experience, lack familiarity with secure development practices. Most professionals rely on on-the-job experience as a main learning resource, but it takes many years of such experience to achieve a minimum level of familiarity. New coursework materials can accelerate this process and remove the major challenge for implementing secure software development, as pointed out by the survey respondents.

The findings from our survey highlight the importance of language-agnostic courses, particularly in areas such as security architecture, security education and guidance, and secure implementation. Furthermore, there is a clear demand for Python-specific training, reflecting the language's widespread use and critical role in the software ecosystem. However, training needs vary significantly based on professional roles and experience levels, evidencing the need for diverse educational offerings in secure software practices.

The OpenSSF's decision to introduce a new course on security architecture is a step in the right direction, addressing one of the most popular and critical areas identified in the survey. The OpenSSF is also taking steps to increase awareness of the current OpenSSF educational materials, e.g., by including references to them in other Linux Foundation newsletters and materials. By making all the survey data openly available, we encourage further exploration and use of these insights to foster a culture of "security by design" in software development education. Ensuring that developers are equipped with the necessary skills and knowledge to implement secure software development effectively will be instrumental in building resilient systems that protect sensitive data and maintain user trust.

Appendix A: Cybersecurity in the organizations

In addition to the analysis specific to the need for training in secure software development and the priority areas, we explored topics related to cybersecurity in the organizations in the survey. This appendix discusses the technical headcount in this area, the activities adopted by organizations, and the resources to stay up to date on the latest security vulnerabilities or threats.

Cybersecurity is a priority for organizations

Cybersecurity is a priority for most organizations, with 64% of them staffing this area with technical headcount, making it the third most common area, as shown in Figure 22. Figure 23 shows that cybersecurity is also a priority for IT end-user organizations, with 64% reporting staff in this area compared with 65% in IT providers. Even among smaller organizations, cybersecurity remains crucial; 51% of those with fewer than 250 employees have dedicated staff in this area. The emphasis on cybersecurity escalates with organizational size: sixty-three percent of organizations with 250 to 19,999 employees report headcount in cybersecurity, rising to 80% among organizations with over 20,000 employees.

This high level of investment in cybersecurity personnel reflects the growing awareness and urgency to protect digital assets against an ever-evolving landscape of cyberthreats. Today, attackers from around the world can threaten organizations through cyberattacks. The necessity for cybersecurity experts is also driven by regulatory requirements and compliance standards, which in some cases mandate strict data protection protocols. Ensuring compliance with these standards not only safeguards sensitive information but also contributes to the organization's reputation and trustworthiness.

However, while staffing cybersecurity professionals is crucial, it is not sufficient on its own; cybersecurity needs to be deeply integrated into the software development process. Security should be considered throughout software development, including design, implementation, verification, and deployment. By embedding security practices and principles into the development lifecycle, organizations can proactively identify and address vulnerabilities, reduce the risk of breaches, and create more resilient software. For an effective integration of security aspects in the software development lifecycle processes, software professionals must be familiar with the techniques and technologies of secure software development.

FIGURE 22: TECHNOLOGICAL AREAS STAFFED BY TECHNICAL HEADCOUNT IN RESPONDENT ORGANIZATIONS
74% DevOps, CI/CD, & site reliability (SRE)
73% Cloud, containers, & virtualization
64% Cybersecurity
64% Web & application development
59% AI, ML, data & analytics
59% System administration
57% System engineering
51% Privacy & security
47% Networking & edge
44% Software supply chain security
41% Cross-technology integration
37% Open source & compliance best practices
32% Linux kernel
31% IoT & embedded
25% Safety-critical systems
21% Open Source Program Offices (OSPO)
12% Blockchain
11% Visual effects
10% Open hardware
2% Other (please specify)
6% Don't know or not sure
2024 SecEd Survey, Q13, Sample Size=362, Total Mentions=2,978

FIGURE 23: PERCENTAGE OF RESPONDENTS THAT REPORT STAFF HEADCOUNT IN CYBERSECURITY
IT-provider organizations 65%; IT end-user organizations 64%; 1 to 249 employees 51%; 250 to 19,999 employees 63%; 20,000+ employees 80%.
2024 SecEd Survey, Q13 vs. Q10, Q13 vs. Q12, Sample Size=362

Organizations adopt a variety of cybersecurity activities
Figure 24 depicts the cybersecurity activities incorporated into organizations' software development and deployment processes. CI or CI/CD, when considered as a combined option, is the most widely adopted practice, with 75% of respondents including it in their workflows. This high adoption rate highlights the opportunity to integrate secure software development tools and practices not only for building this infrastructure but also for checking code before it goes into production. Logging (68%), secret management (67%), and monitoring & alerting (66%) are also prominently featured, highlighting the emphasis on tracking and responding to security incidents in real time. Most organizations implement unit testing (66%), indicating a strong focus on validating code integrity. Most organizations also implement identity and access management (65%), showing a widespread desire to manage user permissions. Configuration management, security patching, and secure design & implementation of software are other critical activities, each cited by more than 60% of respondents. On the other hand, activities such as fuzz testing (26%) and cyberthreat intelligence (28%) are less commonly included, suggesting potential areas for further improvement and investment.

FIGURE 24: CYBERSECURITY ACTIVITIES ADOPTED BY ORGANIZATIONS AS PART OF THEIR SOFTWARE DEVELOPMENT AND DEPLOYMENT PROCESSES
75% CI or CI/CD
68% Logging
67% Secret management
66% Monitoring & alerting
66% Unit testing
65% Identity and access management
64% Configuration management
64% Security patching
62% Secure design & implementation of software
59% Vulnerability management
59% Network security controls
57% Data protection
49% Incident response
48% Endpoint security controls
47% SAST (Static Application Security Testing)
46% Penetration testing
44% Threat modeling
44% Change management
35% Web application scanners
28% Cyberthreat intelligence
26% Fuzz testing
4% Don't know or not sure
2024 SecEd Survey, Q18, Sample Size=398, Total Mentions=4,538

Online courses are an important resource for organizations

Staying up to date with the latest security vulnerabilities and threats is important for organizations to safeguard their digital assets and maintain operational integrity. Proactively updating and patching systems can prevent potential breaches that could lead to substantial financial losses and damage to reputation. Cybercrime was estimated to cost organizations $8.15 trillion (USD) in 2023, and that number is expected to rise.[12] Moreover, in some fields, regulatory compliance requires strict adherence to security practices, making continuous vigilance a necessity rather than an option.

It's true that most vulnerabilities are of the same kinds of vulnerabilities as in decades past. For example, in 2023, 75% of exploited zero-days in important, widely used software were memory safety vulnerabilities,[13][14] a problem originally identified and discussed in the 1970s. However, new vulnerabilities in specific products are regularly discovered and need to be promptly addressed, even though they are often the same types of vulnerabilities. In addition, new types of vulnerabilities (or ways to more easily exploit them) are occasionally discovered, such as the discovery of dependency confusion attacks in 2021, leading to changes in how to best counter them.[15] Thus, organizations should stay informed and responsive to new security challenges.

Even though security websites, databases, blogs, and mailing lists are unsurprisingly the top resources used for receiving the latest information, continuous learning and certification are quite popular among respondents. As observed in Figure 25, 40% of the respondents leverage this resource to stay informed about the latest developments in the area. By encouraging employees to engage in ongoing education and achieve professional certifications, organizations can help their teams keep their cybersecurity knowledge and skills up to date. This proactive approach enables personnel to reduce their organization's risks as well as identify and respond to new vulnerabilities more effectively. As a result, continuous learning and certification not only enhance an organization's security posture but also foster a culture of security awareness and preparedness, which is crucial for mitigating risks in this evolving landscape.

The relevance of continuous learning and certification changes across different organizational sectors, as observed in Figure 26: The OSPO team shows the highest engagement, with 63% of respondents acknowledging the importance of these educational resources. Following closely are the security team (56%) and management (55%), indicating a strong recognition of continuous learning's value in these critical areas. Other roles, however, report less reliance on such resources, with system operations at 36% and software development at 31%.

Figure 26 also reveals that larger organizations are more likely to adopt these educational resources. Specifically, 57% of organizations with 20,000 or more employees report using continuous learning and certification as key resources. This figure drops to 40% for organizations with employee counts ranging from 250 to 19,999 and further decreases to 25% for smaller entities with 1 to 249 employees. This trend highlights a correlation between the size of an organization and its commitment to maintaining up-to-date security measures through ongoing education.

12 https:/ the 2023 entries in https:/
15 https:/

FIGURE 25: RESOURCES FOR STAYING UP TO DATE ON THE LATEST SECURITY VULNERABILITIES OR THREATS RELATED TO TECHNOLOGIES IN USE
59% Security advisory websites and databases
53% Security news websites and blogs
45% Vulnerability testing and research
41% Mailing lists and newsletters
40% Continuous learning and certification
39% Industry reports and white papers
38% We use a vulnerability management automated solution
37% Professional organizations and conferences
37% Online forums and social media
31% Online courses and webinars
26% Security podcasts
6% No specific actions are being taken to stay up to date
6% Other (please specify)
10% Don't know or not sure
2024 SecEd Survey, Q19, Sample Size=398, Total Mentions=1,861

FIGURE 26: PERCENTAGE OF RESPONDENTS THAT REPORT CONTINUOUS LEARNING AND CERTIFICATION AS A RESOURCE FOR STAYING UP TO DATE ON THE LATEST SECURITY VULNERABILITIES OR THREATS
Segmented by role: OSPO team 63%; Security team 56%; Management 55%; Others 43%; System operations 36%; Software development 31%; Data science 27%.
Segmented by number of employees in the organization: 1 to 249: 25%; 250 to 19,999: 40%; 20,000+: 57%.
2024 SecEd Survey, Q19 by Q5, Sample Size=398, percentage of those who report "Continuous learning and certification" for the question "How does your organization stay up to date on the latest security vulnerabilities or threats related to the technologies that you use?"; 2024 SecEd Survey, Q19 by Q12, Sample Size=356, percentage of those who report "Continuous learning and certification" for the question "How does your organization stay up to date on the latest security vulnerabilities or threats related to the technologies that you use?"

Appendix B: Segregated rankings for language-agnostic courses

The following figures show the rankings of
language-agnostic courses segregated by various criteria. Unsurprisingly, the relative importance of different courses varies depending on a variety of factors.

FIGURE 27: LANGUAGE-AGNOSTIC COURSES BY CONTRIBUTION TO OSS
Which of the following courses could fill significant gaps for the organization you work for to help IT staff better address secure software development? (select all that apply)
Non contributor: 69% Security Architecture; 62% Security Education and Guidance; 61% Threat Assessment; 60% Secure Implementation; 59% Security Testing; 51% Architecture Security Assessment; 50% Security Requirements; 49% Secure Deployment; 47% Policy and Compliance; 43% Secure Build; 41% Strategy and Metrics; 33% Defect Management; 26% Requirements-Driven Testing.
Less than 1h/week: 68% Security Architecture; 68% Security Education and Guidance; 67% Secure Implementation; 65% Security Testing; 61% Threat Assessment; 60% Secure Build; 56% Security Requirements; 54% Secure Deployment; 44% Architecture Security Assessment; 44% Strategy and Metrics; 42% Policy and Compliance; 39% Requirements-Driven Testing; 28% Defect Management.
1h+/week: 65% Security Education and Guidance; 63% Secure Implementation; 61% Security Architecture; 61% Security Testing; 54% Secure Deployment; 52% Secure Build; 50% Threat Assessment; 48% Architecture Security Assessment; 48% Security Requirements; 40% Strategy and Metrics; 34% Policy and Compliance; 30% Requirements-Driven Testing; 29% Defect Management.
2024 SecEd Survey, Q25 by Q7, Sample Size=319, Total Mentions=2,105, the number in front of the name represents the percentage of respondents, each column is sorted by this number

FIGURE 28: LANGUAGE-AGNOSTIC COURSES BY OSS ROLE
Which of the following courses could fill significant gaps for the organization you work for to help IT staff better address secure software development? (select all that apply)
Maintainer: 57% Secure Implementation; 56% Security Education; 54% Security Architecture; 54% Threat Assessment; 52% Security Testing; 51% Architecture Sec. Assessment; 48% Security Requirements; 48% Strategy and Metrics; 46% Secure Build; 41% Secure Deployment; 36% Policy and Compliance; 30% Req-driven test; 25% Defect Management.
Committer: 56% Security Architecture; 56% Security Education; 50% Secure Deployment; 50% Security Testing; 44% Security Requirements; 39% Threat Assessment; 33% Architecture Sec. Assessment; 33% Defect Management; 33% Policy and Compliance; 33% Secure Build; 33% Secure Implementation; 33% Strategy and Metrics; 22% Req-driven test.
Core contributor: 71% Secure Implementation; 65% Security Education; 65% Security Testing; 53% Architecture Sec. Assessment; 53% Secure Build; 53% Secure Deployment; 53% Security Architecture; 29% Strategy and Metrics; 29% Threat Assessment; 24% Defect Management; 24% Req-driven test; 24% Security Requirements; 18% Policy and Compliance.
Occasional contributor: 70% Security Architecture; 70% Security Education; 67% Secure Implementation; 62% Security Testing; 54% Security Requirements; 53% Threat Assessment; 52% Secure Build; 51% Secure Deployment; 41% Architecture Sec. Assessment; 40% Policy and Compliance; 38% Strategy and Metrics; 32% Defect Management; 28% Req-driven test.
Non-development contributor: 75% Secure Build; 75% Secure Deployment; 72% Secure Implementation; 69% Security Architecture; 69% Security Education; 67% Architecture Sec. Assessment; 67% Security Testing; 61% Threat Assessment; 58% Security Requirements; 56% Req-driven test; 50% Strategy and Metrics; 42% Policy and Compliance; 31% Defect Management.
2024 SecEd Survey, Q25 by Q8, Sample Size=231, Total Mentions=1,512, the number in front of the name represents the percentage of respondents, each column is sorted by this number

Which of the following courses could fill significant gaps for the organization you work for to help IT staff better address secure software development? (select all that apply)
United States or Canada: 63% Security Education and Guidance; 62% Secure Implementation; 57% Security Architecture; 57% Security Testing; 54% Secure Deployment; 53% Security Requirements; 51% Secure Build; 50% Threat Assessment; 43% Architecture Security Assessment; 43% Strategy and Metrics; 39% Policy and Compliance; 33% Requirements-Driven Testing; 32% Defect Management.
Europe: 63% Security Architecture; 61% Secure Implementation; 61% Security Education and Guidance; 57% Security Testing; 53% Threat Assessment; 44% Architecture Security Assessment; 44% Secure Build; 44% Security Requirements; 43% Secure Deployment; 37% Policy and Compliance; 35% Strategy and Metrics; 25% Defect Management; 22% Requirements-Driven Testing.
Asia-Pacific: 73% Security Architecture; 73% Security Testing; 68% Security Education and Guidance; 68% Security Requirements; 65% Threat Assessment; 63% Architecture Security Assessment; 60% Secure Deployment; 60% Secure Implementation; 55% Policy and Compliance; 55% Secure Build; 53% Strategy and Metrics; 38% Requirements-Driven Testing; 35% Defect Management.
Rest of world: 77% Security Architecture; 74% Secure Deployment; 68% Security Education and Guidance; 65% Secure Implementation; 65% Security Testing; 58% Secure Build; 58% Threat Assessment; 5
324、5%Architecture Security Assessment52%Strategy and Metrics45%Security Requirements42%Policy and Compliance35%Defect Management32%Requirements-Driven TestingFIGURE 29LANGUAGE-AGNOSTIC COURSES BY REGION2024 SecEd Survey,Q25 by Q9,Sample Size=312,Total Mentions=2,028,the number in front of the name repr
325、esents the percentage of respondents,each column is sorted by this number50SECURE SOFTWARE DEVELOPMENT EDUCATION 2024 SURVEYWhich of the following courses could fill significant gaps for the organization you work for to help IT staff better address secure software development?(select all that apply)
326、IT consumersIT vendorsOthers65%Security Architecture64%Secure Implementation61%Security Education and Guidance59%Security Testing59%Threat Assessment50%Secure Deployment50%Security Requirements49%Secure Build46%Architecture Security Assessment44%Policy and Compliance40%Strategy and Metrics33%Require
327、ments-Driven Testing32%Defect Management62%Security Education and Guidance61%Security Architecture59%Security Testing58%Secure Implementation50%Security Requirements49%Threat Assessment48%Architecture Security Assessment48%Secure Deployment46%Secure Build38%Strategy and Metrics33%Policy and Complian
328、ce24%Defect Management21%Requirements-Driven Testing79%Security Education and Guidance74%Secure Deployment66%Security Architecture66%Security Testing63%Secure Build63%Secure Implementation61%Strategy and Metrics55%Security Requirements53%Policy and Compliance53%Threat Assessment50%Architecture Secur
329、ity Assessment42%Requirements-Driven Testing39%Defect ManagementFIGURE 30LANGUAGE-AGNOSTIC COURSES BY ORGANIZATION TYPE2024 SecEd Survey,Q25 by Q10,Sample Size=312,Total Mentions=2,028,the number in front of the name represents the percentage of respondents,each column is sorted by this number51SECU
330、RE SOFTWARE DEVELOPMENT EDUCATION 2024 SURVEYWhich of the following courses could fill significant gaps for the organization you work for to help IT staff better address secure software development?(select all that apply)1 to 249250 to 19,99920,000+67%Secure Implementation65%Security Architecture65%
331、Security Education and Guidance59%Security Testing56%Secure Deployment51%Security Requirements49%Secure Build49%Strategy and Metrics48%Architecture Security Assessment48%Threat Assessment35%Policy and Compliance29%Defect Management28%Requirements-Driven Testing66%Security Architecture65%Security Edu
332、cation and Guidance61%Security Testing58%Threat Assessment57%Secure Implementation55%Security Requirements52%Secure Deployment48%Architecture Security Assessment47%Secure Build43%Policy and Compliance35%Strategy and Metrics33%Defect Management32%Requirements-Driven Testing60%Security Education and G
333、uidance59%Secure Implementation58%Security Architecture58%Security Testing55%Threat Assessment50%Secure Build49%Secure Deployment44%Architecture Security Assessment43%Security Requirements41%Policy and Compliance40%Strategy and Metrics28%Requirements-Driven Testing27%Defect ManagementFIGURE 31LANGUAGE-AGNOSTIC COURSES BY ORGANIZATION SIZE2024 SecEd Survey,Q25 by Q12,Sample Size=307,Total Mentions=