Nearly three-quarters of organizations have suffered at least one security breach or incident in the last year that can be blamed on insecure coding practices.
Analysis from SecureFlag found 74% of organizations have suffered an incident as a result of dodgy code, with nearly half of those hit by multiple breaches.
The report comes as AI is beginning to take over some coding duties from developers. Debate remains over whether that code is secure. Some say AI can code better than human developers, but research has suggested insecure code could be easily replicated by AI.
Andrea Scaduto, CEO and co-founder of SecureFlag, said the study highlights the risks faced by enterprises rushing to automate aspects of software development.
"This should be a wake-up call for every business that develops software,” she said. “It’s frankly shocking that in 2025 so many breaches are still happening because of avoidable coding flaws.”
It wasn't all bad news, however. The report revealed that companies are ramping up developer security training as a result of lingering issues. Nearly half (44%) said they offer training updates on a quarterly basis, while 29% offer fresh training schemes monthly.
The report said this shows enterprises are conscious of the risks associated with insecure code and are taking proactive steps to mitigate risks. Indeed, nine-in-ten said they were formally assessing their development teams' secure coding skills.
The most common training format is video-based tutorials (46%) followed by eLearning platforms (42%). Classes, both in-person and virtual, were also popular for four-in-ten companies, as were interactive labs and hands-on environments.
A third of companies surveyed said they run hacking games such as "capture the flag".
ROI for developer security training
Challenges remain, however. According to SecureFlag, respondents said measuring return on investment (ROI) remained a hurdle (40%), followed by a lack of useful content, not enough time, low engagement from employees, and insufficient budget — as well as lack of leadership support.
"Even though most executives believe in the value of training, they struggle to prove in concrete terms how these programs reduce risk or justify their cost, a clear sign that quantifying the impact of secure coding initiatives remains elusive," the report noted.
"Overall, the data highlights that proving ROI to stakeholders and allocating sufficient time and content resources are the prevailing hurdles to overcome, even more so than money or buy-in."
Though they may lack the hard data to prove a ROI, nine-in-ten of those surveyed believe that secure coding has reduced the number of security bugs in development, and view training as a solid move to prevent such incidents.
"Breaches stemming from coding mistakes are preventable – but only if companies invest in proper training," said Emilio Pinna, SecureFlag’s CTO and co-founder. "It’s far cheaper to train a developer than to clean up after a breach."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Want developers to build secure software? You need to ditch these two programming languages
- The NCSC wants developers to get serious on software security
- Shifting left might improve software security, but developers are becoming overwhelmed
-
Microsoft claims AI is 'augmenting developers rather than replacing them'News Researchers at Microsoft wanted to demystify how AI is being used by software developers – their findings show the benefits are finally becoming clear.
-
Data I/O shuts down systems in wake of ransomware attackNews Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Cyber pros say the buck stops with the board when it comes to security failingsNews Fines, sanctions, and even prosecution are all on the table when it comes to cyber failings, practitioners believe
-
Microsoft quietly launched an AI agent that can detect and reverse engineer malwareNews Researchers say the tool is already achieving the “gold standard” in malware classification
-
Employee distraction is now your biggest cybersecurity riskNews Workplace distraction is the top reason organizations fall victim to cyber attacks, according to new research.
-
Apple just released an emergency patch for a zero-day exploited in the wild – here’s why you need to update nowNews Apple is warning millions of users of iPhones, iPads and Macs to update their software to protect against an out-of-bounds write vulnerability
-
Cyber teams are struggling to keep up with a torrent of security alertsNews Fragmented identity security processes are creating blind spots, and the proliferation of tools doesn't help
-
The Allianz Life data breach just took a huge turn for the worseNews Around 1.1 million Allianz Life customers are believed to have been impacted in a recent data breach, making up the vast majority of the insurer's North American customers.
-
US authorities just took down 'one of the most powerful DDoS botnets to ever exist’ with help from AWSNews The Rapper Bot botnet was responsible for a series of large-scale DDoS attacks on government agencies and tech companies. Now it's gone.
