Nearly three-quarters of organizations have suffered at least one security breach or incident in the last year that can be blamed on insecure coding practices.
Analysis from SecureFlag found 74% of organizations have suffered an incident as a result of dodgy code, with nearly half of those hit by multiple breaches.
The report comes as AI is beginning to take over some coding duties from developers. Debate remains over whether that code is secure. Some say AI can code better than human developers, but research has suggested insecure code could be easily replicated by AI.
Andrea Scaduto, CEO and co-founder of SecureFlag, said the study highlights the risks faced by enterprises rushing to automate aspects of software development.
"This should be a wake-up call for every business that develops software,” she said. “It’s frankly shocking that in 2025 so many breaches are still happening because of avoidable coding flaws.”
It wasn't all bad news, however. The report revealed that companies are ramping up developer security training as a result of lingering issues. Nearly half (44%) said they offer training updates on a quarterly basis, while 29% offer fresh training schemes monthly.
The report said this shows enterprises are conscious of the risks associated with insecure code and are taking proactive steps to mitigate risks. Indeed, nine-in-ten said they were formally assessing their development teams' secure coding skills.
The most common training format is video-based tutorials (46%) followed by eLearning platforms (42%). Classes, both in-person and virtual, were also popular for four-in-ten companies, as were interactive labs and hands-on environments.
A third of companies surveyed said they run hacking games such as "capture the flag".
ROI for developer security training
Challenges remain, however. According to SecureFlag, respondents said measuring return on investment (ROI) remained a hurdle (40%), followed by a lack of useful content, not enough time, low engagement from employees, and insufficient budget — as well as lack of leadership support.
"Even though most executives believe in the value of training, they struggle to prove in concrete terms how these programs reduce risk or justify their cost, a clear sign that quantifying the impact of secure coding initiatives remains elusive," the report noted.
"Overall, the data highlights that proving ROI to stakeholders and allocating sufficient time and content resources are the prevailing hurdles to overcome, even more so than money or buy-in."
Though they may lack the hard data to prove a ROI, nine-in-ten of those surveyed believe that secure coding has reduced the number of security bugs in development, and view training as a solid move to prevent such incidents.
"Breaches stemming from coding mistakes are preventable – but only if companies invest in proper training," said Emilio Pinna, SecureFlag’s CTO and co-founder. "It’s far cheaper to train a developer than to clean up after a breach."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Want developers to build secure software? You need to ditch these two programming languages
- The NCSC wants developers to get serious on software security
- Shifting left might improve software security, but developers are becoming overwhelmed
-
Why this Cybersecurity Awareness Month is particularly urgentAnalysis Major outages at household brands drive home the seriousness of cybersecurity like never before
-
How EDF empowered its decision-makers with a consolidated data strategyCase study Using Informatica solutions as the foundation for its new data platform, EDF has achieved hugely streamlined operations
-
A malicious MCP server is silently stealing user emailsNews Koi Security says it's discovered the first malicious MCP server in the wild, exposing a risk to the entire ecosystem
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber skills shortages are pushing firms into dangerous shortcuts – and it’s putting them at huge risk of security breachesNews Chronic cyber skills shortages mean many businesses are implementing quick fixes
-
Pentesters are now a CISOs best friend as critical vulnerabilities skyrocketNews Attack surfaces are expanding rapidly, but pentesters are here to save the day
-
Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workersNews Beware of downloading applications like ChatGPT, Microsoft Office applications, and Google Drive through search engines
-
Generative AI attacks are accelerating at an alarming rateNews Two new reports from Gartner highlight the new AI-related pressures companies face, and the tools they are using to counter them
-
A terrifying Microsoft flaw could’ve allowed hackers to compromise ‘every Entra ID tenant in the world’News The Entra ID vulnerability could have allowed full access to virtually all Azure customer accounts
-
‘Channel their curiosity into something meaningful’: Cyber expert warns an uptick of youth hackers should be a ‘wake-up call’ after teens charged over TfL attackNews Encouraging youths to engage in positive tech initiatives will guide them down the right path and away from nefarious activities
