The Linux Foundation and Open Source Security Foundation recently published a report entitled "Secure Software Development Education 2024 Survey—Understanding Current Needs." This report highlights the urgent need for formalized training and education in secure software development. It was derived from an industry survey of nearly 400 software developers, which revealed significant knowledge gaps.
To help you understand what this report's findings mean for your Linux security administration, I'll walk you through the findings, their implications for Linux security, and practical recommendations for closing the secure software development knowledge gap.
Breaking Down This Report's Key Findings
Nearly one-third of all professionals involved in software development and deployment, whether software developers, committers, or maintainers, report feeling uninformed about secure software development. This statistic is alarming because these individuals are responsible for maintaining and creating the critical code that underpins organizations' applications and systems.
David A. Wheeler, the Linux Foundation's director of open-source supply chain security, highlights the importance of this issue: "We've seen software vulnerabilities exploited with catastrophic results, which highlights the need for developers to have the necessary knowledge and skills to write secure code."
The report highlights several barriers to learning about secure software development:
- Lack of time: Many professionals (58%) struggle to find the time to learn more because of their busy schedules.
- Lack of Training and Awareness: Half of respondents (50%) do not know where to find quality training, leaving a large gap between the resources that exist and the people who need them.
- Self-Directed Learning: Most (74%) respondents use self-directed methods, such as videos, books, and online tutorials. However, these can lack depth and structure compared to formal courses.
- Emerging Security Issues: As new challenges such as AI and supply chain security become more critical, staying updated and continuing education is necessary.
What Are the Implications of These Findings for Linux Admins?
The findings of this report are particularly relevant for Linux admins and IT teams managing Linux systems. Linux environments are the foundation of many enterprise infrastructures, and these systems' secure development and maintenance are paramount. Linux administrators who do not have a solid understanding of secure software can expose their systems to vulnerabilities, which could lead to data breaches, system failures, and other disastrous events.
Admins must stay up-to-date with the latest developments in the field. Anyone in the field should have a professional development plan with robust training and learning.
Practical Recommendations for Addressing The Secure Software Development Knowledge Gap
The report suggests several strategies to bridge the knowledge gap identified:
- Formal Training Programs: Industry-wide efforts must prioritize secure development education. OpenSSF and the Linux Foundation offer courses that cover secure software development. For example, OpenSSF provides a free course called "Developing Secure Software" (LFD121). These programs provide the structured, in-depth instruction essential for building secure software. As Christopher "CRob," co-chair of the OpenSSF Education Special Interest Group and chair of the OpenSSF Technical Advisory Council, highlights: "The first step to addressing the problem of secure software development is to identify areas where additional training should be provided. It is important to make an effort to increase awareness of the available resources and the importance of secure software practices."
- Incentivize Training: Organizations should encourage their employees to participate in secure software development training by making it a component of their career development plans. This can be done through certifications or professional development credits.
- Open Source Resources: OpenSSF, the Linux Foundation, and other organizations like LinuxSecurity.com provide valuable guides and learning materials. These resources are available to industry professionals to help them improve their knowledge and understanding of secure software practices.
- Collaborative Learning: Promote a culture that encourages knowledge sharing in teams and within the industry. Peer learning, mentorship, and collaborative projects are all ways to spread the word and embed secure practices into everyday workflows.
Our Final Thoughts: What Are the Main Takeaways of This Report?
The "Secure Software Development Education 2024 Survey" is an important wake-up call to the industry. The report highlights a knowledge gap that, if left unaddressed, could have severe implications for software security worldwide. This is particularly important for Linux administrators, as they are usually at the forefront of maintaining the secure infrastructure within enterprises.
The industry can overcome challenges by focusing on secure software development education. This will also increase awareness about available resources, encourage training and the use of open-source security tools, and cultivate a culture that promotes collaborative learning. The Linux Foundation's and OpenSSF’s commitment to providing high-quality, accessible training materials is an excellent example of the leadership required to close this knowledge gap.
"Our research revealed that a lack of education is a critical challenge in secure software development. Practitioners don't know where to begin and learn as they go," says David A. Wheeler, emphasizing that the industry must make a concerted effort to promote secure development education as a top priority.
By addressing the shortcomings of traditional education approaches, the software industry can better prepare itself to face ever-evolving security threats and help build a safer future for the applications that depend on this software.