For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production.

This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022.

It’s clearly time for a change. Many believe that “secure-by-design” is the way forward. But the big question remains: who is responsible for securing the code?

What is secure-by-design?

“Secure-by-design” is a software development approach that aims to create systems that are impenetrable to cyberattacks. As a core tenet of DevSecOps (development, security and operations), teams embrace secure design patterns from the initial conception. The goal is to create foundationally robust products free of flaws, weaknesses and vulnerabilities — instead of relying on patches or software updates.

However, “secure-by-design” is a theory, not a standard practice governed by any law. The reality of shipped software and hardware products is much different.

💡Related: Intro to DevSecOps: Why Integrated Security is Key in 2021

The dark reality of application security

Despite the aspirations for security by design, code is far from impervious. Even at major government organizations, like health and financial institutions, application security remains rife with vulnerabilities.

A December 2020 survey by the Linux Foundation revealed most open-source programmers prefer to improve tools, code new features and work on new ideas. Security is the last priority — with the average contributor spending less than 3% of their time securing their code.

And here’s the crux of the problem: Open-source code is everywhere. The 2023 OSSRA report by Synopsys reviewed codebases across 17 key industry sectors. The findings were bleak:

  • 96% of software applications contain open-source software components
  • 92% of codebases across all 17 industry sectors have open-source code
  • 84% of codebases contain at least one vulnerability.

Most worryingly, several sectors have open source in 100% of their databases — including Aerospace, Aviation, Automotive, Transportation, Logistics and the Internet of Things.

Why now is the time for secure-by-design

Poorly coded applications present more viable attack vectors for cyber criminals to exploit. At the level of small companies or consumers, attackers could steal personally identifiable information (PII) to take over accounts and run identity theft scams.

But for enterprises and government bodies, the potential consequences are much worse. If state-sponsored threat actors in Russia or China attack critical infrastructure such as the water systems, transport or banking services, it will impact millions of people across the United States.

That scenario has already come close to becoming a reality. In 2020, a Russian intelligence agency exploited a software vulnerability in SolarWinds to hack the State Department, the Pentagon, Homeland Security and dozens of federal agencies. But despite this wake-up call, the underlying problems persist.

A year after the SolarWinds attack, a federal cybersecurity evaluation found seven out of eight federal agencies failed to meet basic cybersecurity standards. Reliance on aging computer systems and outdated code was a problem across the board.

However, private companies are not doing much better. In December 2022, Google confirmed its ninth zero-day vulnerability that year, meaning some 3.2 billion Chrome users were at risk. It’s clear the threat isn’t going away.

Who is responsible for security in the development cycle?

Cybersecurity and Infrastructure Security Agency Director Jen Easterly addressed the ongoing frailties in a speech to Carnegie Mellon University:

“As we’ve integrated technology into nearly every facet in our lives, we’ve unwittingly come to accept as normal that such technology is dangerous by design.”

Easterly called for private industries to improve security in technology products, emphasizing their responsibility to end users.

“We’ve normalized the fact that the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations who are often least aware of the threat and least capable of protecting themselves.”

As CISA pushes for more accountability from software companies, Easterly laid out some principles for companies to improve security by design:

  • The burden of safety should never fall on customers. Instead, the industry must take ownership of security outcomes.
  • Manufacturers must embrace radical transparency to disclose and help consumers better understand the scope of consumer safety challenges.
  • Tech industry leaders need to focus on building safe products and publish road maps explaining how they plan to develop and update secure-by-design technology.

By transforming the development process into one that puts security first, companies can spend less time fixing bugs and creating patches. Instead, software companies can invest more time in growth and innovation.

Left shift or culture shift?

Until now, security has been an afterthought, often reluctantly addressed at the end — or users or attackers discover flaws. The general consensus in the industry is that shifting security left in the software development life cycle (SDLC) is the solution. But that’s easier said than done.

Friction between development and security teams centers around the belief that the other department is also causing problems. This “us against them” mentality defeats the purpose of DevSecOps, leaving the teams to work in silos.

Before change can happen in the SDLC, there must be a cultural shift to bridge the gap between the teams.

Companies must do more to educate security professionals on the challenges developers face. By taking basic coding courses and working alongside programmers, security professionals can see how hard it is to meet security standards.

Breaking down the silos to get the perspective from the coder’s side will help the people governing the SDLC gain more empathy for developers. Similarly, as developers get more education on security, they can understand its importance and ROI. With proper coaching, developers can find ways to integrate security in a more seamless way.

CISA is calling on more universities to include security as a standard aspect of computer science coursework. By making security a key quality metric, the expectation is developers will begin taking it seriously.

Collaboration is the catalyst for change

Without secure code, applications remain at risk of attack. But the buck must stop with technology companies. Security teams and developers need to embrace the spirit of DevSecOps to deliver secure products capable of protecting sensitive data.

By adopting a collaborative culture that puts security top of mind from the start of the SDLC, companies can encourage old foes to come together to become the bastion of defense consumers need.

As development and security teams foster an ethos of “secure-by-design” and help each other achieve their goals, companies can ensure better code quality and security, ready to combat cyberattacks today and in the future.

Ready to start building a culture of security by design? The IBM Cloud DevSecOps Specialty helps cloud professionals understand the convergence of development, security and operations to seamlessly integrate security within a continuous delivery pipeline. You can start training today.

More from Risk Management

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today