The path to security champions: How Workday utilized agile learning to upskill developers
Situation
Before Workday implemented agile learning with Secure Code Warrior, it relied on in-house courses consisting of recorded PowerPoint presentations that covered the OWASP Top 10 vulnerabilities with some pseudocode examples. Alex Uda, Program Manager for security developer training, realized this wasn’t helping his team, or the security team at large, achieve their goal of improving Workday’s overall security posture. Because developers were quickly becoming disengaged from the training, the team began soliciting their feedback and noted two items that kept coming up:
- The need for more hands-on training
- The need for more language-specific content
Action
In working with developers, Alex and his team identified two main priorities in winning developer buy-in to create an engaging, successful secure code learning program.
Clarity and simplicity
Most developers do not arrive at their jobs with knowledge of security. Anything that is frustrating or time-consuming will lead developers to stray towards workarounds and hacks. What Workday noted about SCW is that it allowed developers to have a clear sense of the process, own it, and integrate it into their workflows.
Actionability and value
Developers, first and foremost, want to be able to action something that is affecting the codebase/lifecycle, and action it fast. To do that, they need to be educated on how. If you want a developer to be interested in something like security, highlight the value of these topics.
In terms of structuring the program, Alex and his team first gathered feedback on the platform from a pilot group of security champions and worked with their customer success manager to implement their suggestions. Alex and the team then looked at their SAST tools and different metrics on the number of incidents and security events to assess what the highest risks are in their current environment, and what is happening across the industry. They initially focused on the OWASP Top 10 and the most common, high-risk vulnerabilities at Workday.
“By giving developers that learning and that agency, SCW made it so that we were able to make active improvements to our software security. It’s not all about writing code, it’s also about growth opportunities and career opportunities. Workday’s support for the security program exists because it’s an area where the entire company is aligned, so developers were allowed that time for learning and development. Taking two hours a week to do some learning over a period of time helps to build that muscle memory with consistency.”
Results
Traditionally, it’s easy to think of security at the end stage of the development process. Working with the security team, developers at Workday now see security as an important component of the development cycle. They can action security items quickly and earlier in the SDLC, which has been the biggest impact of that program. For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months.
Alex described the growth of the program as, “a snowball effect after we began with top-of-mind security champions. As we socialized the program and its benefits to leadership and continued to increase our membership we saw almost a natural growth due to word of mouth. From a training perspective, our goal is to give our developers the necessary skills to develop code securely. This is especially critical as Workday continues to grow.”
Key takeaways
According to Alex, “In order to successfully scale security it’s imperative that our developers have a security mindset to help identify security risks during the design phase of their software development. This fits in our shift left initiative to empower our developers to help save time, money, and some heartache. The better job we do in secure code learning, the fewer vulnerabilities we see from our scans and pentest results.”
For developers, it’s important to have fun when learning about security
SCW is great at showing how exciting it can be. If you are getting involved in security learning, embrace it fully. Consider it as a part of your development process and a part of your career growth.
Encourage developers to reach out to the team if they are curious about security
Have a conversation, and start that collaboration.
Security as a black box or as a bolt-on to your project is archaic and ultimately does a disservice to your software
Embracing security as part of the development process - the same way we embrace TDD, agile, and linting - will improve the flow and increase the quality of software being delivered to customers.