Going beyond compliance: How Secure Code Warrior empowered Netskope developers to code cloud solutions at scale
Background
Netskope, a global SASE leader, helps organizations apply zero trust principles and AI/ML innovations to protect data and defend against cyber threats. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements.
Situation
The speed of innovation in cloud computing and A.I. has greatly accelerated the software development lifecycle. James Robinson, CISO at Netskope, recognized that training developers to meet compliance objectives with videos about secure development in only a handful of languages was not sustainable in today’s market. The rapid adoption of these technologies and the rapid change in his organization created a challenge: keeping Netskope developers up to speed on new languages and technologies while also keeping them skilled at security.
Netskope attempted to create more custom connections to broaden the languages and coverage developers received, but engagement was still very low, and the training soon began to pose a challenge to productivity. James wanted to shift their approach so that developers were excited about the subject through more hands-on learning approaches.
Action
Training that was done annually, or available ad hoc, didn’t holistically address the variety of SAST tools and infrastructure-as-code scanners that could be integrated into the CI and CD security steps at Netskope. Netskope needed to be able to integrate developers’ participation in security into the analysis and testing process. That provided a baseline for secure development education that supplemented their compliance requirements.
Shift left
As Netskope began discussing “shift left”, it raised the question: what does shift left actually mean? How far does one need to shift? Leadership made the decision to change the name internally to “self-service adoption”. In principle, this empowered developers to be proactive about their secure code education. In working with Secure Code Warrior, they built a program that made security content visible and accessible to developers so they wouldn’t wander to unvetted solutions.
Actionability and value
The customizable content and a myriad of hands-on learning activities from Secure Code Warrior also opened the floor for more open, productive conversations between security and developer teams. When developers began realizing value, outside of just achieving compliance, they became more engaged and intrigued about security. It also opened up the opportunity to look at critical and recurring vulnerabilities in order to create more educational content to supplement their program.
Results
After rolling out their program, Netskope was diligent in collecting feedback from developers to ensure they were getting the most value from the platform. The results were overwhelmingly positive.
According to James Robinson, CISO at Netskope:
“Our developer team, thanks in large part to Secure Code Warrior’s platform, has successfully shifted left by embracing a more enticing, self-service learning approach that gets learning pathways into the developers’ hands sooner. More importantly, we feel we’re getting a better return on investment with our developer educational training efforts because of higher participation and the fact that these efforts no longer feel like they’re a check-the-box, compliance-mandated activity. The byproduct of all of this is that we’re enabling our developers to be security champions.”
Key takeaways
- Organizations that do not invest in a strong application security team allow for more risk to be introduced through their code. This ultimately wastes both time and money fixing vulnerabilities and addressing security issues.
- Take advantage of a program that helps save time with just a couple of key learnings every month through relevant content, rather than an hour-long, compliance-oriented annual training. The time saved through educating developers will manifest in the reduction of rework needed to fix vulnerabilities that shouldn’t have been introduced in the first place.
- There is a new mandate to code cloud solutions at scale. Years ago, there was an expectation to get developers fully invested in securing code through one programming language. That is no longer the case in today’s high-tech marketplace. You need to pick multiple languages that align best to the cloud infrastructure and applications a company wants to build out and pursue.
This case study explores how Netskope transformed developer security education with Secure Code Warrior, empowering their developers to be proactive, engaged security champions.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.