The programs issue points to participants who can use them for discounts or purchases in the future. Some airline programs also reward loyal customers with perks such as priority boarding and lounge access.
It’s becoming clear that the software development industry could use something similar, especially when it comes to ensuring a ‘security first’ mindset among developers. Without such a system, it is difficult - if not impossible - for organisations and their developer teams to assess their security proficiency and compare their competencies with peers.
According to recent research, such assessments are needed now more than ever, as nearly two-thirds of developers report they find it challenging to write code free of vulnerabilities.
Skills recognition
To address these issues, many development teams are undergoing training and earning mandated certificates to boost their security skills and practices. However, these approaches - mainly when conducted in a piecemeal fashion - remain limited in terms of providing a comprehensive view of how participants’ progress in proficiency aligns with organisational security objectives.
Whether teams opt for on-the-job collaborative training opportunities or interactive, agile learning sessions, they would substantially benefit from standardised developer benchmarking for success. Such benchmarking could lead to a ‘trust score’ that, much like rewards programs, would provide incentives to developers for their security achievements and offer clear pathways for improvement.
There are a number of criteria that organisations should focus on when coming up with impactful industry benchmarking and an informative, actionable trust score. They include:
- Skill proficiency: Leverage data to evaluate team members’ understanding of safe coding principles. Ask whether they are up to speed on the various languages and trends that affect the protection of products from vulnerabilities. Also check whether they are deploying the right tools and methodologies to support a proactive, ‘security-first’ culture.
- Industry frameworks: It is essential to gauge team members’ adherence to industry-respected security frameworks. This includes the OWASP Top 10, which helps developers stay updated on critical risks, as well as secure-by-design principles, which are a necessary step toward ensuring more consistent secure software development lifecycles.
- Continuous training and skills improvement: Organisations should consistently invest in learning opportunities to help teams continuously improve, along with metrics that measure members’ commitment to upskilling their security capabilities.
- Team collaboration/efficiency/performance: Benchmarking and trust scores are necessary to establish a baseline for measuring the true impact and effectiveness of learning programs and the overall security posture of developer teams. Also, a benchmark provides an appropriate jumping-off point for deeper conversations and collaborations between development, engineering and security teams, helping to close potential security gaps and find solutions in the software supply chain.
- In-production performance measurement: To effectively gauge developers’ security capabilities, evaluations should extend beyond training and skill assessments to analyse their behaviour during code production. With these benchmarks in place, consider the following questions: How many mistakes are developers still making? Are they learning from their mistakes and fixing security bugs? Are they coaching peers to develop code securely? Do they conduct peer reviews of pull requests for security flaws?
- Competitive analysis: This aspect will answer the overarching question of how one organisation compares to others in its industry. Determine whether certain trust scores are lagging behind those of competitors, indicating a need for immediate attention and training.
Establishing a baseline
Developer teams are under constant pressure to produce better code faster. As a result, they may view security as a barrier to innovation, leading them to take shortcuts or ignore vulnerabilities entirely.
To evaluate the current security culture and the mentorship provided to developers, it is important to assess not only whether they are coaching their peers but also the depth and effectiveness of their guidance and how it impacts their own security practices.
By establishing a baseline that verifies and measures developers’ secure coding skills, security teams will get a clear sense of how well developers are producing secure code from the beginning. Developers will gain a greater appreciation for how ‘security-first’ contributes to more robust products and will even save time in the long haul, since they won’t have to ‘work backward’ late in the process to fix issues.
Also, they will recognise that benchmarking/trust score-driven continuous improvement makes them more capable and marketable on a professional level, leading to more intriguing job opportunities and promotions. The end result is a win for the organisation, developers, and software security.