{"id":5775,"date":"2024-10-15T05:00:00","date_gmt":"2024-10-15T10:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82146"},"modified":"2024-10-15T05:00:00","modified_gmt":"2024-10-15T10:00:00","slug":"organizations-can-substantially-lower-vulnerabilities-with-secure-by-design-practices-report-finds","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/10\/15\/organizations-can-substantially-lower-vulnerabilities-with-secure-by-design-practices-report-finds\/","title":{"rendered":"Organizations can substantially lower vulnerabilities with secure-by-design practices, report finds"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Organizations can substantially lower vulnerabilities with secure-by-design practices, report finds | CyberScoop<\/title> <meta name=\"description\" content=\"Former National Cyber Director Chris Inglis says the \u201cquantitative data\u201d in Secure Code Warrior\u2019s report shows the importance of the cybersecurity practice.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/secure-by-design-return-investment-code-warrior\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Organizations can substantially lower vulnerabilities with secure-by-design practices, report finds\"> <meta property=\"og:description\" content=\"Former National Cyber Director Chris Inglis says the \u201cquantitative data\u201d in Secure Code Warrior\u2019s report shows the importance of the cybersecurity practice.\"> <meta property=\"og:url\" 
content=\"https:\/\/cyberscoop.com\/secure-by-design-return-investment-code-warrior\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-10-15T10:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2024-10-14T21:53:31+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/organizations-can-substantially-lower-vulnerabilities-with-secure-by-design-practices-report-finds-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"768\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1725982252g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1728928691g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1728958503g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" 
media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82146\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.6.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82146\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsecure-by-design-return-investment-code-warrior%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsecure-by-design-return-investment-code-warrior%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82146 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/secure-by-design-return-investment-code-warrior\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span 
class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.297783933518\">\n<div class=\"single-article__header-content\" readability=\"29.7\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> Ex-National Cyber Director Inglis says \u201cquantitative data\u201d in Secure Code Warrior\u2019s report shows the importance of the cybersecurity practice. 
<\/p>\n<p> <!-- Listen to this article section --> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"256\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/organizations-can-substantially-lower-vulnerabilities-with-secure-by-design-practices-report-finds.jpg?resize=640%2C256&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/organizations-can-substantially-lower-vulnerabilities-with-secure-by-design-practices-report-finds-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/organizations-can-substantially-lower-vulnerabilities-with-secure-by-design-practices-report-finds-2.jpg?resize=300,120 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/organizations-can-substantially-lower-vulnerabilities-with-secure-by-design-practices-report-finds-2.jpg?resize=768,307 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/organizations-can-substantially-lower-vulnerabilities-with-secure-by-design-practices-report-finds-2.jpg?resize=1024,410 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/organizations-can-substantially-lower-vulnerabilities-with-secure-by-design-practices-report-finds-2.jpg?resize=1536,614 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/organizations-can-substantially-lower-vulnerabilities-with-secure-by-design-practices-report-finds-2.jpg?resize=600,240 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/organizations-can-substantially-lower-vulnerabilities-with-secure-by-design-practices-report-finds-2.jpg?resize=1200,480 1200w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/organizations-can-substantially-lower-vulnerabilities-with-secure-by-design-practices-report-finds-2.jpg?resize=1500,600 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> Cyber, internet security and privacy concept. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"38.739536621824\"><body readability=\"80.577147623019\"><\/p>\n<p>Large organizations that train developers with secure-by-design practices can reliably reduce the number of vulnerabilities introduced into software products by more than 50%, according to a <a href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2024\/10\/Developer-Readiness-Analysis-Secure-by-Design-10.15.24.pdf\">new report from Secure Code Warrior<\/a>.<\/p>\n<p>The Australia-based secure coding platform and software firm <a href=\"https:\/\/www.securecodewarrior.com\/article\/secure-by-design-whitepaper\">analyzed data from 600 enterprise customers<\/a> over nine years to find out what improvements, if any, can be measured based on upskilling secure-by-design practices advocated by the Cybersecurity and Infrastructure Security Agency. 
The firm looked at vulnerability reduction data and found that companies employing more than 7,000 developers who were trained using secure-by-design practices can lower vulnerabilities by 47% to 53%.<\/p>\n<p>Chris Inglis, the inaugural and now-former national cyber director, said in an interview with CyberScoop that \u201cthere\u2019s been essentially an implied assumption that we don\u2019t need to make these systems secure by design.\u201d<\/p>\n<p>\u201cWe now have quantitative data that shows that that\u2019s, in fact, the right conclusion: that it is important to do secure by design,\u201d said Inglis, who contributed to the report, along with former acting National Cyber Director Kemba Walden.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>CISA\u2019s <a href=\"https:\/\/cyberscoop.com\/cisa-secure-by-design\/\">secure-by-design initiative<\/a> is the Biden administration\u2019s voluntary push to shift the cybersecurity burden from end users to vendors and manufacturers. The goal is to reduce cyberattacks from petty cybercriminals and state-funded hackers alike by removing known defects in software products. The product development framework is also a part of the national cybersecurity strategy and has seen more than 200 organizations sign up since the initiative began in 2023.<\/p>\n<p>The report noted that if all case studies were combined, vulnerability reduction rates were anywhere from 20% to 80%, with higher averages for smaller organizations.<\/p>\n<p>However, the report also found that without a top-down mandate, which can take the form of regulations or directives from C-suite executives, secure-by-design practices are not likely to be adopted quickly. 
Secure Code Warrior\u2019s report estimates that around 4% of developers worldwide are using CISA\u2019s secure-by-design development practices.<\/p>\n<p>The National Institute of Standards and Technology said that fixing software defects during testing \u2014 as opposed to following secure-by-design principles \u2014 can take up to 15 times longer, and that fixing flaws during deployment can cost 30 to 100 times more resources, the report noted.<\/p>\n<p>\u201cIf you\u2019re not prepared to make those investments, then you shouldn\u2019t be writing code that flows into critical infrastructure. I think that\u2019s the bottom line,\u201d Inglis said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The report also noted that the financial services industry seemed to be the most invested in the secure-by-design initiative. Other critical infrastructure sectors \u2014 such as the defense industrial base, health care, public health, critical manufacturing, transportation and IT infrastructure \u2014 are making progress in upskilling developers with secure-by-design initiatives as well.<\/p>\n<p>The energy and communications sectors, meanwhile, were not included in the study because there were fewer than 1,000 active developers in training. However, that does not mean that they are falling behind, according to Matias Madou, co-founder and chief technology officer of Secure Code Warrior.&nbsp;<\/p>\n<p>Madou, one of the report\u2019s authors, said that some sectors rely heavily on IT infrastructure to buy software, so they did not have much relevant data. 
Additionally, Madou said it made little difference whether the sector was heavily regulated or not.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.2211538461538\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/organizations-can-substantially-lower-vulnerabilities-with-secure-by-design-practices-report-finds-1.jpg?w=640&#038;ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&amp;E News at POLITICO covering cybersecurity in the energy sector. Reach out:&nbsp; christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- 
.popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/secure-by-design-return-investment-code-warrior\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Organizations can substantially lower vulnerabilities with secure-by-design practices, report 
finds<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[934,413,78,452,293,439,989,256,1276],"tags":[936,415,86,454,299,443,992,262,1278],"class_list":["post-5775","post","type-post","status-publish","format-standard","hentry","category-chris-inglis","category-critical-infrastructure","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-department-of-homeland-security-dhs","category-policy","category-product-development","category-research","category-secure-by-design","tag-chris-inglis","tag-critical-infrastructure","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-department-of-homeland-security-dhs","tag-policy","tag-product-development","tag-research","tag-secure-by-design"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/chris-inglis\/\" rel=\"category tag\">Chris Inglis<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/critical-infrastructure\/\" rel=\"category tag\">critical infrastructure<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-homeland-security-dhs\/\" rel=\"category tag\">Department of Homeland Security 
(DHS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/policy\/\" rel=\"category tag\">Policy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/product-development\/\" rel=\"category tag\">product development<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/secure-by-design\/\" rel=\"category tag\">secure-by-design<\/a>","tag_info":"secure-by-design","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5775","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5775"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5775\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5775"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5775"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5775"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}