VENDORiQ: Secure Code Warrior Adds a Yardstick for Secure Coding Skills

IBRS analysis sheds light on the importance of continuous measurement of secure coding skills and industry benchmarks for cybersecurity readiness.

The Latest

Secure Code Warrior (SCW) has added benchmarking to its secure coding skills learning packages. This trust score will provide a measure of your learners’ skill level and progress. It will be useful for assessing internal progress and additionally provide a comparative measure to similar organisations.

Why it’s Important

For any organisation developing software, the only true measure of the developers’ secure coding skills is a reduction in flaws found in testing. Training can help to provide some measure of this, but not in a repeatable fashion. Agile learning platforms can impact the need for rework.

It is important to be able to continually measure the skill rather than at a point in time. The SCW Trust Score enables managers to see an overall benchmark of their teams’ skills continuously.

SCW is also providing industry benchmarks as a global measure, along with benchmarks for finance and technology. Participating organisations can use this to assess their position relative to their peers.

With the local emphasis on third party security assessments driven by APRA’s CPS 234 this Trust Score could provide a quantitative perspective on the security of in-house developed software. It could be offered to assess entities by vendors in the finance arena. The Trust Score and the industry benchmark would provide a repeatable independent measure.

Who’s Impacted

  • Software development teams
  • Security teams
  • Third party auditors

What’s Next

One essential component is to enable an effective shift left philosophy education in secure coding skills. Organisations already using SCW should explore this metric to qualify program effectiveness.

Organisations starting to shift left should assess the SCW offering to enable their developers to write secure code rather than having security teams point out security flaws in code written.

Trouble viewing this article?