74% of companies admit insecure code caused a security breach

A large number of data breaches are linked to insecure code, prompting calls for better training

Nicole Kobie's avatar
By
published
in News
Software security concept image showing binary code snippets with some highlighted on a digital interface.
(Image credit: Getty Images)

Nearly three-quarters of organizations have suffered at least one security breach or incident in the last year that can be blamed on insecure coding practices.

Analysis from SecureFlag found 74% of organizations have suffered an incident as a result of dodgy code, with nearly half of those hit by multiple breaches.

The report comes as AI is beginning to take over some coding duties from developers. Debate remains over whether that code is secure. Some say AI can code better than human developers, but research has suggested insecure code could be easily replicated by AI.

Andrea Scaduto, CEO and co-founder of SecureFlag, said the study highlights the risks faced by enterprises rushing to automate aspects of software development.

"This should be a wake-up call for every business that develops software,” she said. “It’s frankly shocking that in 2025 so many breaches are still happening because of avoidable coding flaws.”

It wasn't all bad news, however. The report revealed that companies are ramping up developer security training as a result of lingering issues. Nearly half (44%) said they offer training updates on a quarterly basis, while 29% offer fresh training schemes monthly.

The report said this shows enterprises are conscious of the risks associated with insecure code and are taking proactive steps to mitigate risks. Indeed, nine-in-ten said they were formally assessing their development teams' secure coding skills.

The most common training format is video-based tutorials (46%) followed by eLearning platforms (42%). Classes, both in-person and virtual, were also popular for four-in-ten companies, as were interactive labs and hands-on environments.

A third of companies surveyed said they run hacking games such as "capture the flag".

ROI for developer security training

Challenges remain, however. According to SecureFlag, respondents said measuring return on investment (ROI) remained a hurdle (40%), followed by a lack of useful content, not enough time, low engagement from employees, and insufficient budget — as well as lack of leadership support.

"Even though most executives believe in the value of training, they struggle to prove in concrete terms how these programs reduce risk or justify their cost, a clear sign that quantifying the impact of secure coding initiatives remains elusive," the report noted.

"Overall, the data highlights that proving ROI to stakeholders and allocating sufficient time and content resources are the prevailing hurdles to overcome, even more so than money or buy-in."

Though they may lack the hard data to prove a ROI, nine-in-ten of those surveyed believe that secure coding has reduced the number of security bugs in development, and view training as a solid move to prevent such incidents.

"Breaches stemming from coding mistakes are preventable – but only if companies invest in proper training," said Emilio Pinna, SecureFlag’s CTO and co-founder. "It’s far cheaper to train a developer than to clean up after a breach."

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Nicole Kobie
Nicole Kobie

Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole the author of a book about the history of technology, The Long History of the Future.

Latest
You might also like
View More ▸