Secure coding training is a better investment than code scanning tools for reducing application vulnerabilities

A new secure coding practices study, released by EMA, reveals implementation of ‘shift-left’ is slow, with only 25% of organizations adopting a ‘shift-left’ strategy for security


Pittsburgh, PA, Jan. 19, 2023 (GLOBE NEWSWIRE) -- The EMA study on secure coding practices, sponsored by leading application security education company Security Journey, reveals code scanning tools are less effective at reducing application vulnerabilities than trained developers. The survey of 129 software development professionals uncovered that for those using code scanning tools, only 10% of organizations prevented a higher percentage of vulnerabilities than organizations not using code scanning tools, while continuous training greatly improved code security for over 60% of organizations that adopted it. EMA also found that as many as 70% of organizations are missing critical security steps in their software development lifecycle (SDLC), highlighting a struggle with a ‘shift-left’ approach.

Despite the fact that new vulnerabilities per year in the National Vulnerability Database have grown over 210% (from 6,487 to 20,139) between 2015 and 2021, the ‘shift-left’ approach has not been well adopted. Only 25% of organizations are using a shift-left security strategy, according to EMA’s study, despite the growing industry awareness of its importance. The research showed that security remains a lower priority for many organizations: almost 50% do not dedicate a step for security validation, 20% don’t plan their application security and 4% don’t have a dedicated security implementation step. Yet the benefits of making the shift are well proven: 9 in 10 of those that have adopted a shift-left approach have realized reductions in vulnerabilities.

“We have seen a worrying increase in new vulnerabilities over the last several years. While 99% of organizations have security awareness training programs, this approach does not go far enough for those in security-critical roles like developers,” says Amy Baker, Security Education Evangelist at Security Journey. “Awareness is a primer for knowledge, but to truly shift the paradigm and solve the AppSec dilemma, the focus must change from ‘awareness’ of AppSec to ‘in-depth knowledge’, and training developers on secure coding practices is the next step in security awareness programs. Vulnerabilities detected earlier in development are easier to resolve and far less costly. And this requires a programmatic and continuous approach to application security education and specifically secure coding training for developers.”

Continuous training: invaluable to improving code security

Training is often an under-utilized method for delivering more secure applications. The EMA study found that secure coding training has a high return on investment: 28.8% of respondents utilizing continuous training prevented over 90% of vulnerabilities from reaching production. The study also found that the most common barriers to investment in training are perceived impacts on productivity. Yet when continuous training is delivered by third parties and implemented in tandem with code reviews and code scanning tools, 100% of organizations saw improvement in their code security.

“All too often, when it comes to cybersecurity, the human element is the most overlooked component of any system,” says Ken Buckler, Research Analyst at EMA. “With the lowest adoption rates (54%) and highest code improvement rates (100%), third-party training appears to be the critical component some organizations are failing to invest in. Code reviews without training may ultimately prove to be futile efforts, simply checking a compliance checkbox that the code was reviewed. After all, how can those reviewing the code understand if the code is secure if those reviewers haven’t been given the proper training in the first place?”

To read all insights from the EMA Secure Coding Practices research, download the full paper or sign up to attend the webinar on February 7, 2023.

About Security Journey

Security Journey helps enterprises reduce vulnerabilities through application security education for developers and everyone in the SDLC. Their programmatic approach provides a large library of video-based lessons with text summaries along with hands-on secure coding lessons in application sandboxes, all culminating in a collective security-first culture among development teams.

HackEDU’s spring 2022 acquisition of Security Journey brought together two powerful companies to provide application security education for developers and the entire SDLC team. Over 450 companies around the world are teaching their teams how to build safer apps using Security Journey. Learn more and try our training at www.securityjourney.com.

About EMA

Founded in 1996, EMA is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help their clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals, and IT vendors at www.enterprisemanagement.com.

Attachment: The Security Impact of Training