Enterprises face rising breaches as insecure coding flaws persist despite regular training.
Key Takeaways:
Despite regular secure coding training, nearly 74% of enterprises experienced breaches or serious vulnerabilities in the past year. The findings from SecureFlag’s latest research expose a troubling gap between education efforts and real-world security outcomes.
SecureFlag researchers found that insecure code continues to be a major challenge for organizations. In the past year, about 74% of enterprises experienced a breach or serious vulnerability, with many incidents occurring within the last six months. The study points to a critical weakness in how companies approach software development, especially the risks of rushing automation without properly integrating secure coding practices.
“This should be a wake-up call for every business that develops software,” said Andrea Scaduto, CEO and Co-founder of SecureFlag. “It’s frankly shocking that in 2025 so many breaches are still happening because of avoidable coding flaws.”
This research also indicates that secure coding education is now standard across UK enterprises, with all surveyed companies offering training and nearly 44% doing so at least quarterly. Moreover, 29% of organizations conduct training every month, and 12% every week.
Additionally, around 90% of organizations assess developers’ secure code knowledge in order to ensure the effectiveness of training. They use various methods such as certifications, hands-on coding challenges, and code reviews. Companies also use a variety of formats to make training engaging and effective, including video tutorials, eLearning modules, live classes (both virtual and in-person), hands-on labs, and gamified exercises like Capture-the-Flag.
The study also points out ongoing challenges for enterprises. Many organizations find it difficult to measure the impact of secure coding training, with return on investment being the biggest concern. Leaders still struggle to connect training efforts with reduced risk and business value.
Other challenges include outdated content, limited developer time, and low engagement. These issues must be addressed to maximize the impact of secure coding initiatives.
To address these challenges, researchers recommend a multi-pronged approach that strengthens training, modernizes content, and embeds security into every stage of software development.
Organizations should prioritize developing methods to evaluate the effectiveness of secure coding training. It’s difficult to justify continued investment or demonstrate how training reduces security risks without clear metrics.
Companies must ensure their training materials and tools are up to date. Outdated content limits the relevance and effectiveness of developer education.
As enterprises accelerate software delivery through automation, they should not ignore secure coding practices. Security should be integrated into automated workflows to prevent vulnerabilities from scaling with speed.
Different training formats (such as videos, eLearning, live sessions, and hands-on labs) help engage developers with different learning preferences. Gamified methods, such as Capture the Flag, can also boost participation and retention.
Organizations should regularly test developers to ensure they can apply secure coding principles. Certifications, coding challenges, and code reviews are effective ways to validate practical skills.