| @ema_research
Secure Coding Practices – Growing Success or Zero-Day Epidemic?
Ken Buckler, CASP, Research Analyst
Information Security, Risk, and Compliance Management
Enterprise Management Associates
KBuckler@enterprisemanagement.com
Sponsored by
Featured Speaker
Ken has over 15 years of industry experience as a noted information and cyber security practitioner, software developer, author, and presenter, focusing on endpoint security and Federal Information Security Management Act (FISMA) and NIST 800-53 compliance. Focusing on strict federal security standards, Ken has consulted with numerous federal organizations, including Defense Information Systems Agency (DISA), Department of Veterans Affairs, and the Census Bureau.

He was previously board chair of The Mars Generation’s Student Space Ambassador Leadership Program, an advisory board made up of students and professional mentors focused on STEAM learning and advocacy. His technical career started in the defense sector as a quality assurance and information assurance engineer contracted with the DISA Defense Message System (DMS), eventually designing the top-level architecture of the Host-Based Security System (HBSS) integration for the DMS global messaging backbone. Ken has presented at industry conferences with his research on early warning of cyber-attacks based on open-source intelligence (OSINT).
© 2022 Enterprise Management Associates, Inc. 2
Ken Buckler
Research Director
Information Security, Risk and Compliance Management
Enterprise Management Associates
Sponsor
Introduction
*CVSS Severity Distribution Over Time, https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cvss-severity-distribution-over-time
**Cable, Jack. “Security requirements for computer science degrees.” Aug 22, 2019. https://gist.github.com/cablej/f272747f2d545342aec7f34a1bfae4ef
Software developers are not being taught secure coding practices at colleges and universities.
A significant number of organizations are failing to invest in any secure coding training whatsoever.
The growth in new vulnerabilities year after year shows a clear skills gap when it comes to secure coding.
Demographics – Primary Industry
Voices of the Survey – Respondent Quotes and Feedback
Select Open-Ended Responses
Explain your organization’s approach to securing custom-developed applications: what has worked, what hasn’t worked, and where you believe your organization, or the industry, needs to improve
“Including good security practices early in the software development process can avoid costly refactoring or potentially catastrophic security breaches later in the application's lifecycle.”
Executive IT Leader
Computer/Tech Software Industry
Select Open-Ended Responses
“It all comes down to good coders on your team. If you can get the right people in there, then you should be ahead of any intrusions. I think the industry just needs more development and learning at the base.”
IT Director
Computer/Tech Services Industry
Select Open-Ended Responses
“[Our approach is] rethinking security and integrating it into the development process. The most common mistake in security is to treat it as a single step in the process, when security should be comprehensive and systematic.”
Development Director
Computer/Tech Services Industry
Some interesting trends in responses…
69% of organizations have SDLCs that miss critical security steps
Some interesting trends in responses…
25% of organizations have adopted a “shift left” security SDLC model, and 5% are using a “legacy” security SDLC model
Some interesting trends in responses…
95% of organizations utilize code reviews for secure coding, but only 87.6% train their employees on secure coding practices
Some interesting trends in responses…
100% of organizations using a combination of code reviews, code-scanning tools, and third-party training saw improvement in their code security
Software Development Lifecycles
Secure Coding Practices
Measuring Results
Measuring Results – SDLC
Measuring Results – Secure Coding
Measuring Results – Training
Closing Thoughts
EMA believes the best approach to secure software development is a combination of code reviews, code-scanning tools, and a stronger emphasis on continuous third-party training.
While a “shift left” approach does appear to be more effective, even adopting a legacy security model would be preferable to the incomplete security SDLCs used by almost 70% of organizations today.
Third-party training appears to be the critical component in which some organizations are failing to invest.
Across all industry verticals, software development must shift its focus away from heavily relying on code-scanning tools and more on people and processes.
Questions? Contact Ken or Chris
Contact us:
Chris Steffen, CISSP, CISA - linkedin.com/in/chrissteffen
Ken Buckler, CASP - linkedin.com/in/ken-buckler
Download the report:
https://www.enterprisemanagement.com/research/asset.php/4241/Secure-Coding-Practices-%96-Growing-Success-or-Zero-Day-Epidemic
Be sure to visit:
https://www.securityjourney.com/ to learn about Security Journey’s ability to help developers and the entire SDLC team recognize and understand vulnerabilities and threats and proactively mitigate risks
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

Secure Coding Practices – Growing Success or Zero-Day Epidemic

  • 1. Secure Coding Practices – Growing Success or Zero-Day Epidemic? Ken Buckler, CASP, Research Analyst, Information Security, Risk, and Compliance Management, Enterprise Management Associates. KBuckler@enterprisemanagement.com. Sponsored by
  • 2. Featured Speaker. Ken has over 15 years of industry experience as a noted information and cyber security practitioner, software developer, author, and presenter, focusing on endpoint security and Federal Information Security Management Act (FISMA) and NIST 800-53 compliance. Focusing on strict federal security standards, Ken has consulted with numerous federal organizations, including Defense Information Systems Agency (DISA), Department of Veterans Affairs, and the Census Bureau. He was previously board chair of The Mars Generation’s Student Space Ambassador Leadership Program, an advisory board made up of students and professional mentors focused on STEAM learning and advocacy. His technical career started in the defense sector as a quality assurance and information assurance engineer contracted with the DISA Defense Message System (DMS), eventually designing the top-level architecture of the Host-Based Security System (HBSS) integration for the DMS global messaging backbone. Ken has presented at industry conferences with his research on early warning of cyber-attacks based on open-source intelligence (OSINT). Ken Buckler, Research Director, Information Security, Risk and Compliance Management, Enterprise Management Associates. © 2022 Enterprise Management Associates, Inc.
  • 3. Sponsor. © 2023 Enterprise Management Associates, Inc.
  • 5. Introduction. *CVSS Severity Distribution Over Time, https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cvss-severity-distribution-over-time. **Cable, Jack. “Security requirements for computer science degrees.” Aug 22, 2019. https://gist.github.com/cablej/f272747f2d545342aec7f34a1bfae4ef
  • 6. Introduction. Software developers are not being taught secure coding practices at colleges and universities.
  • 7. Introduction. A significant number of organizations are failing to invest in any secure coding training whatsoever.
  • 8. Introduction. The growth in new vulnerabilities year after year shows a clear skills gap when it comes to secure coding.
  • 9. Demographics – Primary Industry
  • 10. Voices of the Survey – Respondent Quotes and Feedback
  • 11. Select Open-Ended Responses. Explain your organization’s approach to securing custom-developed applications: what has worked, what hasn’t worked, and where you believe your organization, or the industry, needs to improve. “Including good security practices early in the software development process can avoid costly refactoring or potentially catastrophic security breaches later in the application's lifecycle.” Executive IT Leader, Computer/Tech Software Industry
  • 12. Select Open-Ended Responses. Explain your organization’s approach to securing custom-developed applications: what has worked, what hasn’t worked, and where you believe your organization, or the industry, needs to improve. “It all comes down to good coders on your team. If you can get the right people in there, then you should be ahead of any intrusions. I think the industry just needs more development and learning at the base.” IT Director, Computer/Tech Services Industry
  • 13. Select Open-Ended Responses. Explain your organization’s approach to securing custom-developed applications: what has worked, what hasn’t worked, and where you believe your organization, or the industry, needs to improve. “[Our approach is] rethinking security and integrating it into the development process. The most common mistake in security is to treat it as a single step in the process, when security should be comprehensive and systematic.” Development Director, Computer/Tech Services Industry
  • 14. Some interesting trends in responses… 69% of organizations have SDLCs that miss critical security steps.
  • 15. Some interesting trends in responses… 25% of organizations have adopted a “shift left” security SDLC model, and 5% are using a “legacy” security SDLC model.
  • 16. Some interesting trends in responses… 95% of organizations utilize code reviews for secure coding, but only 87.6% train their employees on secure coding practices.
  • 17. Some interesting trends in responses… 100% of organizations using a combination of code reviews, code-scanning tools, and third-party training saw improvement in their code security.
  • 19. Software Development Lifecycles
  • 21. Secure Coding Practices
  • 22. Secure Coding Practices
  • 23. Secure Coding Practices
  • 25. Measuring Results – SDLC
  • 26. Measuring Results – Secure Coding
  • 27. Measuring Results – Secure Coding
  • 28. Measuring Results – Training
  • 29. Measuring Results – Training
  • 31. Closing Thoughts. EMA believes the best approach to secure software development is a combination of code reviews, code-scanning tools, and a stronger emphasis on continuous third-party training.
  • 32. Closing Thoughts. While a “shift left” approach does appear to be more effective, even adopting a legacy security model would be preferable to the incomplete security SDLCs used by almost 70% of organizations today.
  • 33. Closing Thoughts. Third-party training appears to be the critical component in which some organizations are failing to invest.
  • 34. Closing Thoughts. Across all industry verticals, software development must shift its focus away from heavily relying on code-scanning tools and more on people and processes.
  • 35. Questions? Contact Ken or Chris. Contact us: Chris Steffen, CISSP, CISA - linkedin.com/in/chrissteffen; Ken Buckler, CASP - linkedin.com/in/ken-buckler. Download the report: https://www.enterprisemanagement.com/research/asset.php/4241/Secure-Coding-Practices-%96-Growing-Success-or-Zero-Day-Epidemic. Be sure to visit https://www.securityjourney.com/ to learn about Security Journey’s ability to help developers and the entire SDLC team recognize and understand vulnerabilities and threats and proactively mitigate risks.