Nearly three-quarters of organizations have suffered at least one security breach or incident in the last year that can be blamed on insecure coding practices.
Analysis from SecureFlag found 74% of organizations have suffered an incident as a result of dodgy code, with nearly half of those hit by multiple breaches.
The report comes as AI is beginning to take over some coding duties from developers. Debate remains over whether that code is secure. Some say AI can code better than human developers, but research has suggested insecure code could be easily replicated by AI.
Andrea Scaduto, CEO and co-founder of SecureFlag, said the study highlights the risks faced by enterprises rushing to automate aspects of software development.
"This should be a wake-up call for every business that develops software,” she said. “It’s frankly shocking that in 2025 so many breaches are still happening because of avoidable coding flaws.”
It wasn't all bad news, however. The report revealed that companies are ramping up developer security training as a result of lingering issues. Nearly half (44%) said they offer training updates on a quarterly basis, while 29% offer fresh training schemes monthly.
The report said this shows enterprises are conscious of the risks associated with insecure code and are taking proactive steps to mitigate risks. Indeed, nine-in-ten said they were formally assessing their development teams' secure coding skills.
The most common training format is video-based tutorials (46%) followed by eLearning platforms (42%). Classes, both in-person and virtual, were also popular for four-in-ten companies, as were interactive labs and hands-on environments.
A third of companies surveyed said they run hacking games such as "capture the flag".
ROI for developer security training
Challenges remain, however. According to SecureFlag, respondents said measuring return on investment (ROI) remained a hurdle (40%), followed by a lack of useful content, not enough time, low engagement from employees, and insufficient budget — as well as lack of leadership support.
"Even though most executives believe in the value of training, they struggle to prove in concrete terms how these programs reduce risk or justify their cost, a clear sign that quantifying the impact of secure coding initiatives remains elusive," the report noted.
"Overall, the data highlights that proving ROI to stakeholders and allocating sufficient time and content resources are the prevailing hurdles to overcome, even more so than money or buy-in."
Though they may lack the hard data to prove a ROI, nine-in-ten of those surveyed believe that secure coding has reduced the number of security bugs in development, and view training as a solid move to prevent such incidents.
"Breaches stemming from coding mistakes are preventable – but only if companies invest in proper training," said Emilio Pinna, SecureFlag’s CTO and co-founder. "It’s far cheaper to train a developer than to clean up after a breach."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Want developers to build secure software? You need to ditch these two programming languages
- The NCSC wants developers to get serious on software security
- Shifting left might improve software security, but developers are becoming overwhelmed
-
AI Infrastructure for Business Impact: Enabling Agentic Intelligence with Scalable Computewhitepaper
-
AWS pledges $50 billion to expand AI and HPC infrastructure for US government clientsNews The company said an extra 1.3 gigawatts of compute capacity will help government agencies advance America’s AI leadership
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Logitech says zero-day attack saw hackers copy 'certain data' from internal IT systemsNews The incident is believed to have formed part of a campaign by the Clop extortion group that targeted customers of Oracle’s E-Business Suite
-
Google wants to take hackers to courtNews You don't have a package waiting for you, it's a scam – and Google is fighting back
