In April 2023, the Cybersecurity and Infrastructure Security Agency (CISA) launched its Secure by Design initiative, directing technology companies to ‘prioritize the security of customers as a core business requirement, rather than merely treating it as a technical feature’.
Since then, more than 300 of the world’s top software manufacturers have signed CISA’s Secure by Design pledge, committing to ‘built-in’ protection that incorporates the seven goals of the pledge: increasing multifactor authentication (MFA); better enabling customers to do their own patching; reducing default passwords; decreasing vulnerabilities; publishing a vulnerability disclosure policy (VDP); expanding vulnerability transparency reporting in every common vulnerabilities and exposures (CVE) record for products; and allowing customers to collect evidence of intrusions affecting products.
It is very encouraging to see such widespread support. Technology providers are committed to integrating defense as a fundamental component of the entire software development life cycle (SDLC), ensuring robust protection from the start, while also complying with regulatory guidelines.
The support arrives at a time when the software development industry faces considerable challenges, as developers too often rely on poor coding patterns and vulnerable components to meet deadlines. Nearly two-thirds of developers say they find it difficult to write code that is free from vulnerabilities, according to our research. About half admit to leaving vulnerabilities in their code. As artificial intelligence (AI) tools have become de facto coding assistants, the potential for security compromises has only increased, with the majority of software and security team members conceding that insecure AI suggestions are common.
To be clear, developers should not solely bear responsibility here. They often work under significant pressure to produce more code within increasingly tight deadlines. Moreover, there is no standardized method for them to assess their security proficiency or compare their practices against peers.
That is why pursuing industry-wide benchmarking is essential as part of a commitment to Secure by Design. It helps set standards for success that balance protection and productivity. Ideally, such benchmarking will foster a ‘security-first’ mindset among developers, making security an inherent part of their approach to coding. This will result in measurable risk mitigation and the continuous quantification of their ability to safeguard the products they produce.
Currently, development teams participate in various training sessions and mandated compliance programs to boost these skills. However, these approaches are fragmented and not comprehensive. As a result, they cannot provide a standardized roadmap for the industry-wide defense of software products, which benchmarking could achieve.
The measurement of benchmarks — across learner distribution (how individual learners are distributed in terms of skill level) and skill attrition (a reflection of knowledge retention) — provides critical metrics that enable organizations to evaluate their internal practices against industry peers and the state of the industry overall. As a starting point, organizations should assess their developers’ security skill sets in areas such as language proficiency, contributions to secure code reviews, identification and remediation of vulnerabilities (e.g., structured query language [SQL] injection, cross-site scripting) and implementation of secure coding practices (e.g., proper authentication mechanisms).
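As an added illustration of the kind of skill such an assessment measures (this example is not from the article or from any benchmarking program it describes), the block below shows the SQL injection pattern a developer is expected to identify, the parameterized remediation they are expected to apply, and a simple source scan of the sort a code review might use to spot the insecure pattern. All names (`lookup_vulnerable`, `lookup_parameterized`, `flag_interpolated_sql`) and the sample table and source lines are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: a small in-memory user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Insecure pattern a reviewer should identify: the query is assembled by
    string interpolation, so whatever the caller passes becomes SQL syntax."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Remediation: a bound parameter is always treated as data, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare_lookups(name):
    """Run both variants on the same input so the difference is visible."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, name),
        "parameterized": lookup_parameterized(conn, name),
    }


# Heuristic review check: a line that contains a SQL statement keyword together
# with Python string interpolation (%-formatting, .format(), or an f-string).
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
INTERPOLATION = re.compile(r"""(%\s*\(|%\s*[A-Za-z_]|\.format\(|\bf["'])""")


def flag_interpolated_sql(source_lines):
    """Return 1-based line numbers where SQL appears to be built by interpolation."""
    return [
        lineno
        for lineno, line in enumerate(source_lines, 1)
        if SQL_KEYWORD.search(line) and INTERPOLATION.search(line)
    ]


# Constructed source lines standing in for a file under review.
SAMPLE_SOURCE = [
    'sql = "SELECT name FROM users WHERE name = \'%s\'" % name',
    'cur.execute(f"DELETE FROM sessions WHERE id = {sid}")',
    'cur.execute("SELECT name FROM users WHERE name = ?", (name,))',
    'log.info("updated %d rows", n)',
]


if __name__ == "__main__":
    print(compare_lookups("bob"))
    print(compare_lookups("x' OR '1'='1"))
    print(flag_interpolated_sql(SAMPLE_SOURCE))
```

For an ordinary name both functions return the same single row; for an input containing a quote and an `OR` clause the interpolated query returns every row while the parameterized one returns none, which is the behaviour a benchmark question on injection would expect a developer to explain. The scan is deliberately a coarse heuristic: it catches the two interpolated lines and ignores the parameterized query and the unrelated log message, but a real review would back it with a proper static analysis tool.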
Organizations can more readily achieve CISA’s Secure by Design through benchmarking by implementing the following best practices:
Aligning Benchmarking With Industry Standards and Measuring Progress
Establishing a standardized approach to evaluate and improve security practices against proven benchmarks is essential. Teams should incorporate recommendations from organizations such as the National Institute of Standards and Technology (NIST) and the Open Worldwide Application Security Project (OWASP), while maintaining the flexibility to customize practices to meet their specific organizational and industry needs. These teams must then assess their progress based on specific criteria to measure the effectiveness of their secure coding and encryption throughout the entire SDLC.
Enhancing Protection Across the Board
When effectively executed, benchmarking initiatives elevate teams in multiple ways. They help identify and address vulnerabilities, thereby reducing overall risk. They encourage organizations to regularly assess and continuously upskill their developers’ security capabilities, ensuring that teams stay informed about evolving threats and how to mitigate them. Moreover, they foster a culture where security is viewed as an integral part of daily efforts toward continuous improvement, not an afterthought.
Staying Ahead of Regulatory Requirements
Benchmarking supports organizations as they work to satisfy a wide range of regulatory conditions by providing structured documentation of security practices and skill levels. It also demonstrates a commitment to reducing or eliminating risks, aiming for a state of optimal defense.
When you think about the phrase ‘secure by design’, it means that defense comes first and is always a given. It is an innate, foundational part of the product, not something that is merely ‘tagged on’ or perceived as a bothersome ‘checklist item’.
By expanding developer team members’ knowledge of threats and measuring their ability to defend against them, benchmarking raises organizations to higher levels of protection, regulatory compliance and continuous improvement. This not only fulfills CISA’s pledge but also builds greater trust with customers.