Security regulations such as the Cyber Resilience Act or KRITIS have now legally recognized the need for secure development and demand comprehensive security measures in the development process.
However, these demands are not exactly met with much enthusiasm among development and business teams. "If I implement all this, I can stop developing" are often the first, not unjustified, reactions.
Secure Coding ≠ Secure Development
Secure coding training alone will not make for a secure development process. Secure coding explains how to write secure code in a specific programming language or framework. It is usually very specific and gives concrete code examples. This is important, but it only really applies in the implementation phase. The earlier development phases, as well as the overarching concept of a "Secure Software Development Lifecycle (SSDLC)", are usually not addressed. And this is exactly where the problem arises.
Secure development goes far beyond the mere writing of secure code and covers the entire software development lifecycle (SDLC, Secure Development Life Cycle). Security is considered from the very beginning (security by design) and integrated into every step of the process - from requirements engineering and the design phase to implementation, validation, testing, deployment and maintenance. Non-technical aspects such as secure design principles, threat modeling, risk assessment, etc. are given focus as well.
As we can see, secure coding alone is not enough to establish proper secure development.