OpenSSF Report: 75% of New Developers Lack Secure Software Skills Amid Rising Supply Chain Security Concerns

A new report commissioned by the Linux Foundation's Open Source Security Foundation (OpenSSF) reveals significant gaps in secure software development training, with 28% of developers unfamiliar with secure coding practices and 53% having never taken a course on the topic.

OpenSSF commissioned the study to identify how they can better support the software supply chain from an educational perspective and collect quantitative data to inform the decision on what course they will develop next.

The foundation noted that cybercrime was estimated to cost organizations $8.15 trillion (USD) in 2023, and exploits are on the rise. Regulatory compliance is also making security vigilance a necessity moving forward. The survey examines growing concerns over supply chain security as a critical area that needs more attention from developers across all levels of experience.

Key Findings Highlight a Potential Security Skills Crisis#

OpenSSF surveyed respondents’ understanding of secure software development and awareness of security training resources. They found that a significant minority of developers are reporting a lack of training, with more than one in four developers indicating they are unfamiliar with secure software practices. Here are a few of the highlights:

75% of Developers with Less Than One Year of Experience Lack Security Familiarity

This indicates a critical gap in secure software development knowledge among newer developers.

28% of Developers Lack Familiarity with Secure Software Development

This highlights a widespread gap in essential security knowledge among those directly involved in software creation.

44% of Professionals Unaware of Good Security Courses

Even if quality secure software training resources are available, responses point towards a significant awareness gap among developers. Other respondents said they are unable to find the time (44%) or lack the budget to cover these types of courses (29%).

73% of Data Scientists Identify Security Training as a Major Challenge

This finding highlights a particular vulnerability in the data science field regarding secure development practices. More than half of security team respondents (56%) also report lack of awareness and training as a challenge for implementing secure software development and deployment.

53% of Professionals Have Never Taken a Secure Software Course

This finding highlights the widespread lack of formal training in the industry.

The percentage of respondents not familiar with secure software development was also further segmented by professional role, open source software role, and years of experience in software development. Early career developers demonstrate that highest lack of familiarity. System operations and OSPO teams show the highest unfamiliarity with secure software development (38% each), while only 16% of security team members report the same, indicating that security awareness is better among those directly focused on it.

For organizations, the top challenge for implementing secure software development, cited by 58% of respondents, is time constraints, followed closely by a lack of security awareness and training (50%). Other significant challenges include the complexity of software and infrastructure (44%), integration into existing processes (39%), and keeping up with emerging threats (36%). Additionally, 35% report a lack of management support as a hurdle, while 34% mention money constraints as a barrier to effective implementation.

Prioritizing Supply Chain Security: Addressing the Complexity in Modern Software Interdependencies#

When surveyed about the most important emerging security issues, respondents identified AI and ML security (57%) and supply chain security (56%) are the leading concerns, reflecting the growing complexity and potential vulnerabilities in these domains. Other critical areas include automated security testing and integration (50%) and human factor risks (48%).

Respondents reported that their organizations need more educational resources related to supply chain security, as the majority of modern software is powered by interdependent open source code.

In an open-ended question, respondents recommended courses covering topics like supply chain security, SBOM, dependency management, screening packages before use, Sigstore, supply chain attacks, and tooling.

OpenSSF to Develop Security Architecture Course#

Based on the survey results, the OpenSSF decided to prioritize a course on security architecture, recognizing its importance across various roles and regions. The published survey explained the reasoning behind the decision:

It’s the top area in overall popularity as well as the top choice by software developers and system operators for gap-filling. It also often scores quite highly even in the areas where it isn’t the top spot. Many indicated that threat assessment was important, and the OpenSSF could consider including that in a security architecture course. No one topic is the top choice for everyone, but given the trade-offs, this appears to be a good choice.

There are some courses in security architecture but not many, and most only discuss a short list of principles. The OpenSSF’s current fundamentals course does discuss security architecture, but like other courses, it mostly discusses a short list of principles. As a result, a security architecture course could be a clear follow-on course that easily extends the existing material.

Prior to conducting the survey, they anticipated respondents would prefer a language-specific course. Although 54% indicated that a language-specific course would be important, OpenSSF found 79% indicated that language-agnostic courses are important. This was consistent across professional roles, OSS involvement, regions, types of companies, and organization sizes.

A Python-specific course is also favored, with 71% of respondents expressing a preference for it. In comparison, 49% prefer a JavaScript (client-side) course, which ranked second when language preferences were considered individually.

Respondents identified a diverse set of preferences for security education formats, but the majority(74%) prefer self-paced training materials, followed by online instructor-led training courses (52%).

The findings from the OpenSSF report highlight a critical juncture for the software development industry. As the complexity of software systems increases and supply chain vulnerabilities become more evident, the lack of secure coding knowledge—especially among newer developers—poses a significant risk.

The new proposed coursework aims to address the urgent need for comprehensive training in secure software architecture. For those looking to expand their security knowledge in the meantime, OpenSSF’s Developing Secure Software (LFD121) course is free and a good place to start.