How to roll out effective developer security training: 5 important lessons
Why does one developer application security training program produce better results than another?
Over my 10+ years as a SANS trainer and the last three years founding and building Secure Code Warrior (SCW), I have seen the value of investing time and resources into making training programs produce the best results.
In our first year of selling, our company engaged over 10,000 developers in secure code training, and I noticed a number of trends among those who had the most effective roll-out. Their results are heart-warming: great engagement, security awareness boost and strong ROI of the program by catching security weaknesses earlier before they become expensive.
I hate to admit it, but there have also been a few who took the "low-effort" approach and tried to roll out a program by sending an email with a link to the training. Not surprisingly, it doesn't fare as well and we had to correct these roll-outs.
Below, I am sharing what I believe are five important lessons that will significantly enhance the engagement levels, impact and success of any developer security training program, including ours.
1. Put some fun into the kick off if you want your program to have impact
Making a special kick-off day event, or giving your program a movie/geeky/gaming theme can make a big difference to the level of excitement and participation from the start. One of our large customers has created a whole fantasy program around a popular TV series, with t-shirts, badges and stickers, making the whole training program an experience no developer would want to miss. Another themed their event around Star Wars, held conveniently on the 4th of May. A bit of fun goes a long way to helping employees get on board, making short bursts of important developer secure code skills training feel like break from work, rather than another task that needs to be done. Milestone #1 achieve, we've got their attention and they know about the program.
2. Find the right developer security training champion (hint: they need communications skills more than security skills!)
Being able to find the right security champions in each scrum team is critical to ongoing program success, especially in larger organisations. In my experience, not all highly-skilled security or developer experts have highly developed people and/or communication skills. The best security champions, those who will give your program positive on-going impact, are those people who are passionate about security and have strong people, influencing and communication skills. Choose wisely and take personality and communication skills into account.
3. Have cool rewards that recognise skills
In general, every computer geek " including developers - like to be recognised for their intelligence and skills. When you reward them with specific status stickers, geeky gadgets, special badges or custom printed t-shirts that recognise their skills, they will wear or display them with pride. If someone achieves something significant in the training program, it is important to think of ways to give them recognition and exposure. I saw a great initiative with one customer who regularly took photos of their Secure Code Warrior champions and posted them alongside a photo and message from the company's CISO in the employee newsletter.
4. Don't try and make your developers into security experts
While you want to make your developers the "first line of defense" in your security program by helping them to code securely, that doesn't mean they need to be the most in-depth security experts in your business; or that you should continuously push new security vulnerabilities and data breach examples to them. While security is important, their primary objective is often building a great product or service and following the pace of the business. If you overload someone with too much security, you run the risk of disengaging them. Key lessons learned, they need to understand basic security hygiene and support them with tools to code securely, but they don't need to be the company security expert.
5. Don't measure the training, measure the impact
Don't measure how many hours of training your developers take or how many videos they watch, measure the number of weaknesses that get picked up in the development life-cycle through code analysis, bug-bounties or classic vulnerability testing before your start the program in each team. If your training program is working, the number of vulnerabilities being identified will go down. The second thing to measure is the time it takes to fix a vulnerability. If it takes a developer a month to fix it, this clearly shows they don't understand how to do it, but if they can fix it in an hour, you know they master the skills. These are the two metrics that clever companies are employing to measure the impact of their developer secure coding training.
5 important lessons on how to roll out effective developer security training:
- Put some fun into the kick off if you want your program to have impact
- Find the right developer security training champion (hint: they need communications skills more than security skills!)
- Have cool rewards that recognise skills
- Don't try and make your developers into security experts
- Don't measure the training, measure the impact
5 important lessons on how to roll out effective developer security training
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
Why does one developer application security training program produce better results than another?
Over my 10+ years as a SANS trainer and the last three years founding and building Secure Code Warrior (SCW), I have seen the value of investing time and resources into making training programs produce the best results.
In our first year of selling, our company engaged over 10,000 developers in secure code training, and I noticed a number of trends among those who had the most effective roll-out. Their results are heart-warming: great engagement, security awareness boost and strong ROI of the program by catching security weaknesses earlier before they become expensive.
I hate to admit it, but there have also been a few who took the "low-effort" approach and tried to roll out a program by sending an email with a link to the training. Not surprisingly, it doesn't fare as well and we had to correct these roll-outs.
Below, I am sharing what I believe are five important lessons that will significantly enhance the engagement levels, impact and success of any developer security training program, including ours.
1. Put some fun into the kick off if you want your program to have impact
Making a special kick-off day event, or giving your program a movie/geeky/gaming theme can make a big difference to the level of excitement and participation from the start. One of our large customers has created a whole fantasy program around a popular TV series, with t-shirts, badges and stickers, making the whole training program an experience no developer would want to miss. Another themed their event around Star Wars, held conveniently on the 4th of May. A bit of fun goes a long way to helping employees get on board, making short bursts of important developer secure code skills training feel like break from work, rather than another task that needs to be done. Milestone #1 achieve, we've got their attention and they know about the program.
2. Find the right developer security training champion (hint: they need communications skills more than security skills!)
Being able to find the right security champions in each scrum team is critical to ongoing program success, especially in larger organisations. In my experience, not all highly-skilled security or developer experts have highly developed people and/or communication skills. The best security champions, those who will give your program positive on-going impact, are those people who are passionate about security and have strong people, influencing and communication skills. Choose wisely and take personality and communication skills into account.
3. Have cool rewards that recognise skills
In general, every computer geek " including developers - like to be recognised for their intelligence and skills. When you reward them with specific status stickers, geeky gadgets, special badges or custom printed t-shirts that recognise their skills, they will wear or display them with pride. If someone achieves something significant in the training program, it is important to think of ways to give them recognition and exposure. I saw a great initiative with one customer who regularly took photos of their Secure Code Warrior champions and posted them alongside a photo and message from the company's CISO in the employee newsletter.
4. Don't try and make your developers into security experts
While you want to make your developers the "first line of defense" in your security program by helping them to code securely, that doesn't mean they need to be the most in-depth security experts in your business; or that you should continuously push new security vulnerabilities and data breach examples to them. While security is important, their primary objective is often building a great product or service and following the pace of the business. If you overload someone with too much security, you run the risk of disengaging them. Key lessons learned, they need to understand basic security hygiene and support them with tools to code securely, but they don't need to be the company security expert.
5. Don't measure the training, measure the impact
Don't measure how many hours of training your developers take or how many videos they watch, measure the number of weaknesses that get picked up in the development life-cycle through code analysis, bug-bounties or classic vulnerability testing before your start the program in each team. If your training program is working, the number of vulnerabilities being identified will go down. The second thing to measure is the time it takes to fix a vulnerability. If it takes a developer a month to fix it, this clearly shows they don't understand how to do it, but if they can fix it in an hour, you know they master the skills. These are the two metrics that clever companies are employing to measure the impact of their developer secure coding training.
5 important lessons on how to roll out effective developer security training:
- Put some fun into the kick off if you want your program to have impact
- Find the right developer security training champion (hint: they need communications skills more than security skills!)
- Have cool rewards that recognise skills
- Don't try and make your developers into security experts
- Don't measure the training, measure the impact
Why does one developer application security training program produce better results than another?
Over my 10+ years as a SANS trainer and the last three years founding and building Secure Code Warrior (SCW), I have seen the value of investing time and resources into making training programs produce the best results.
In our first year of selling, our company engaged over 10,000 developers in secure code training, and I noticed a number of trends among those who had the most effective roll-out. Their results are heart-warming: great engagement, security awareness boost and strong ROI of the program by catching security weaknesses earlier before they become expensive.
I hate to admit it, but there have also been a few who took the "low-effort" approach and tried to roll out a program by sending an email with a link to the training. Not surprisingly, it doesn't fare as well and we had to correct these roll-outs.
Below, I am sharing what I believe are five important lessons that will significantly enhance the engagement levels, impact and success of any developer security training program, including ours.
1. Put some fun into the kick off if you want your program to have impact
Making a special kick-off day event, or giving your program a movie/geeky/gaming theme can make a big difference to the level of excitement and participation from the start. One of our large customers has created a whole fantasy program around a popular TV series, with t-shirts, badges and stickers, making the whole training program an experience no developer would want to miss. Another themed their event around Star Wars, held conveniently on the 4th of May. A bit of fun goes a long way to helping employees get on board, making short bursts of important developer secure code skills training feel like break from work, rather than another task that needs to be done. Milestone #1 achieve, we've got their attention and they know about the program.
2. Find the right developer security training champion (hint: they need communications skills more than security skills!)
Being able to find the right security champions in each scrum team is critical to ongoing program success, especially in larger organisations. In my experience, not all highly-skilled security or developer experts have highly developed people and/or communication skills. The best security champions, those who will give your program positive on-going impact, are those people who are passionate about security and have strong people, influencing and communication skills. Choose wisely and take personality and communication skills into account.
3. Have cool rewards that recognise skills
In general, every computer geek " including developers - like to be recognised for their intelligence and skills. When you reward them with specific status stickers, geeky gadgets, special badges or custom printed t-shirts that recognise their skills, they will wear or display them with pride. If someone achieves something significant in the training program, it is important to think of ways to give them recognition and exposure. I saw a great initiative with one customer who regularly took photos of their Secure Code Warrior champions and posted them alongside a photo and message from the company's CISO in the employee newsletter.
4. Don't try and make your developers into security experts
While you want to make your developers the "first line of defense" in your security program by helping them to code securely, that doesn't mean they need to be the most in-depth security experts in your business; or that you should continuously push new security vulnerabilities and data breach examples to them. While security is important, their primary objective is often building a great product or service and following the pace of the business. If you overload someone with too much security, you run the risk of disengaging them. Key lessons learned, they need to understand basic security hygiene and support them with tools to code securely, but they don't need to be the company security expert.
5. Don't measure the training, measure the impact
Don't measure how many hours of training your developers take or how many videos they watch, measure the number of weaknesses that get picked up in the development life-cycle through code analysis, bug-bounties or classic vulnerability testing before your start the program in each team. If your training program is working, the number of vulnerabilities being identified will go down. The second thing to measure is the time it takes to fix a vulnerability. If it takes a developer a month to fix it, this clearly shows they don't understand how to do it, but if they can fix it in an hour, you know they master the skills. These are the two metrics that clever companies are employing to measure the impact of their developer secure coding training.
5 important lessons on how to roll out effective developer security training:
- Put some fun into the kick off if you want your program to have impact
- Find the right developer security training champion (hint: they need communications skills more than security skills!)
- Have cool rewards that recognise skills
- Don't try and make your developers into security experts
- Don't measure the training, measure the impact
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
Why does one developer application security training program produce better results than another?
Over my 10+ years as a SANS trainer and the last three years founding and building Secure Code Warrior (SCW), I have seen the value of investing time and resources into making training programs produce the best results.
In our first year of selling, our company engaged over 10,000 developers in secure code training, and I noticed a number of trends among those who had the most effective roll-out. Their results are heart-warming: great engagement, security awareness boost and strong ROI of the program by catching security weaknesses earlier before they become expensive.
I hate to admit it, but there have also been a few who took the "low-effort" approach and tried to roll out a program by sending an email with a link to the training. Not surprisingly, it doesn't fare as well and we had to correct these roll-outs.
Below, I am sharing what I believe are five important lessons that will significantly enhance the engagement levels, impact and success of any developer security training program, including ours.
1. Put some fun into the kick off if you want your program to have impact
Making a special kick-off day event, or giving your program a movie/geeky/gaming theme can make a big difference to the level of excitement and participation from the start. One of our large customers has created a whole fantasy program around a popular TV series, with t-shirts, badges and stickers, making the whole training program an experience no developer would want to miss. Another themed their event around Star Wars, held conveniently on the 4th of May. A bit of fun goes a long way to helping employees get on board, making short bursts of important developer secure code skills training feel like break from work, rather than another task that needs to be done. Milestone #1 achieve, we've got their attention and they know about the program.
2. Find the right developer security training champion (hint: they need communications skills more than security skills!)
Being able to find the right security champions in each scrum team is critical to ongoing program success, especially in larger organisations. In my experience, not all highly-skilled security or developer experts have highly developed people and/or communication skills. The best security champions, those who will give your program positive on-going impact, are those people who are passionate about security and have strong people, influencing and communication skills. Choose wisely and take personality and communication skills into account.
3. Have cool rewards that recognise skills
In general, every computer geek " including developers - like to be recognised for their intelligence and skills. When you reward them with specific status stickers, geeky gadgets, special badges or custom printed t-shirts that recognise their skills, they will wear or display them with pride. If someone achieves something significant in the training program, it is important to think of ways to give them recognition and exposure. I saw a great initiative with one customer who regularly took photos of their Secure Code Warrior champions and posted them alongside a photo and message from the company's CISO in the employee newsletter.
4. Don't try and make your developers into security experts
While you want to make your developers the "first line of defense" in your security program by helping them to code securely, that doesn't mean they need to be the most in-depth security experts in your business; or that you should continuously push new security vulnerabilities and data breach examples to them. While security is important, their primary objective is often building a great product or service and following the pace of the business. If you overload someone with too much security, you run the risk of disengaging them. Key lessons learned, they need to understand basic security hygiene and support them with tools to code securely, but they don't need to be the company security expert.
5. Don't measure the training, measure the impact
Don't measure how many hours of training your developers take or how many videos they watch, measure the number of weaknesses that get picked up in the development life-cycle through code analysis, bug-bounties or classic vulnerability testing before your start the program in each team. If your training program is working, the number of vulnerabilities being identified will go down. The second thing to measure is the time it takes to fix a vulnerability. If it takes a developer a month to fix it, this clearly shows they don't understand how to do it, but if they can fix it in an hour, you know they master the skills. These are the two metrics that clever companies are employing to measure the impact of their developer secure coding training.
5 important lessons on how to roll out effective developer security training:
- Put some fun into the kick off if you want your program to have impact
- Find the right developer security training champion (hint: they need communications skills more than security skills!)
- Have cool rewards that recognise skills
- Don't try and make your developers into security experts
- Don't measure the training, measure the impact
Table of contents
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.