Why scaffolded learning builds security-strong developers
After just a few minutes of browsing tech news, it will quickly become clear just how dangerous the threat landscape is becoming. Every day seems to bring with it a report of a major breach, a new vulnerability, or a dire threat of active exploitation by cyberattackers and criminals. And almost every industry metric and report shows an increasingly dangerous number of cyber threats, with most experts predicting that this trend will continue for years to come.
Lined up against these new threats is a depleted and understaffed frontline of IT security workers. Despite commanding high salaries and being nearly indispensable to any business or organization, there is never enough security personnel to go around. In a recent survey conducted by the Center for Strategic and International Studies, 82% of IT decision-makers said their organizations suffered from a shortage of cybersecurity skills, and 71% said that the shortage had resulted in direct and measurable damage to their organizations. In just the United States alone, the report noted that there were more than 520,000 unfilled cybersecurity jobs in a field where only about 940,000 are employed.
Worldwide, there are currently about 3.5 million cybersecurity jobs that are unfilled, meaning that even organizations that are willing to pay huge amounts of money to hire and retain top-level professionals are having trouble locating suitable candidates. On average, it takes about 21% longer to fill a cybersecurity position than any other job, if they can be filled at all.
Developer enablement has been ignored for too long
We noted in many previous blogs that developers can be tapped to fill in some of those critical gaps in cybersecurity defenses. It’s just that traditionally developers were never trained on cybersecurity. Their job performance was almost entirely based on speed and time to deployments. Security was the job of the AppSec teams further down the line.
Unfortunately, it’s not just a matter of switching gears and asking developers to suddenly begin adding security into their applications and programs. Even if they are willing to make those changes, and surveys have shown that many of them are, they still need training in order to make that happen. They also need encouragement and support from upper management, but being enabled with meaningful learning is the first, and often the largest, stumbling block.
There is a reason that millions of high-paying, highly secure IT security positions remain unfilled worldwide. If it was easy work, everyone would be jumping into that field. Learning how to combat threats and eliminate vulnerabilities within code is difficult, and the threat landscape is constantly changing. Trying to teach cybersecurity, even to relatively tech-savvy developers, can’t be efficiently done using static training that dates quickly and isn’t memorable, and will have a minimal positive impact, especially if those requirements are added to their already overtaxed schedules.
Build a scaffold to reach higher ground
Teaching cybersecurity skills using traditional methods is like trying to build a skyscraper without ever taking your feet off the ground. It’s not possible because students don’t have the foundation needed to master the many higher-level concepts of a complex field like cybersecurity. To compensate, the concept of scaffolded learning can be employed.
When using a scaffolded, or “layered” approach to upskilling, larger topics are typically broken down into discrete learning experiences or concepts. This ensures that students are able to master each concept using appropriate exercises and instruction, providing all the support needed for each component. Newer, more advanced concepts are layered on top of those already mastered, just like physical scaffolding is constructed as a building grows higher. In this way, students are able to achieve higher levels of comprehension and skill acquisition than they would be able to master without assistance.
And just like physical scaffolding, that support is incrementally removed when it is no longer needed, with more responsibility to the students as they become increasingly proficient.
Scaffolded learning is primarily used to reduce the negative emotions and self-perceptions that students may experience when they get frustrated, intimidated, or discouraged when attempting a difficult task without assistance. But it also can hold a lot of value when trying to tackle an extremely difficult concept like modern cybersecurity. Far from being a way to treat developers like children, it’s immensely helpful when their experience with the security team can have the same effect of being frustrating and discouraging, especially when their hard work is sent back with bug fixes and a fresh serving of criticism.
When developers are given tools to understand secure coding fundamentals (usually starting with the OWASP Top 10), they can see for themselves how security bugs happen, why they’re dangerous, and how to remediate them before they end up in production. From there, they can expand their knowledge by tackling more complex vulnerabilities, and getting practical experience in applying good fixes. The layers grow, bit-by-bit, and then when it comes to advanced security issues like insecure software architecture, or engaging in threat modeling, these leaps don’t seem so intimidating and can be tackled with precision.
As an industry, we should never expect developers to become security experts, but organizations can adopt new standards for developer enablement so they can produce higher quality software. As an added bonus for organizations with engineering who are upskilling, each step of the way, or each level of scaffolding, will directly translate to better cybersecurity as they learn. There is no need to wait until the end of a course to see results.
Learning about cybersecurity is difficult, and mastering it is nearly impossible without the right kind of help and instruction. Embracing a security program with scaffolded learning can help make the most of, with benefits becoming evident almost right away. Improvements will start almost immediately, and continually get better over time.
Start building security-strong developers with us; check out:
Courses
Missions
Developer training
... and more!
As an industry, we should never expect developers to become security experts, but organizations can adopt new standards for developer enablement so they can produce higher quality software.
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoMatias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
After just a few minutes of browsing tech news, it will quickly become clear just how dangerous the threat landscape is becoming. Every day seems to bring with it a report of a major breach, a new vulnerability, or a dire threat of active exploitation by cyberattackers and criminals. And almost every industry metric and report shows an increasingly dangerous number of cyber threats, with most experts predicting that this trend will continue for years to come.
Lined up against these new threats is a depleted and understaffed frontline of IT security workers. Despite commanding high salaries and being nearly indispensable to any business or organization, there is never enough security personnel to go around. In a recent survey conducted by the Center for Strategic and International Studies, 82% of IT decision-makers said their organizations suffered from a shortage of cybersecurity skills, and 71% said that the shortage had resulted in direct and measurable damage to their organizations. In just the United States alone, the report noted that there were more than 520,000 unfilled cybersecurity jobs in a field where only about 940,000 are employed.
Worldwide, there are currently about 3.5 million cybersecurity jobs that are unfilled, meaning that even organizations that are willing to pay huge amounts of money to hire and retain top-level professionals are having trouble locating suitable candidates. On average, it takes about 21% longer to fill a cybersecurity position than any other job, if they can be filled at all.
Developer enablement has been ignored for too long
We noted in many previous blogs that developers can be tapped to fill in some of those critical gaps in cybersecurity defenses. It’s just that traditionally developers were never trained on cybersecurity. Their job performance was almost entirely based on speed and time to deployments. Security was the job of the AppSec teams further down the line.
Unfortunately, it’s not just a matter of switching gears and asking developers to suddenly begin adding security into their applications and programs. Even if they are willing to make those changes, and surveys have shown that many of them are, they still need training in order to make that happen. They also need encouragement and support from upper management, but being enabled with meaningful learning is the first, and often the largest, stumbling block.
There is a reason that millions of high-paying, highly secure IT security positions remain unfilled worldwide. If it was easy work, everyone would be jumping into that field. Learning how to combat threats and eliminate vulnerabilities within code is difficult, and the threat landscape is constantly changing. Trying to teach cybersecurity, even to relatively tech-savvy developers, can’t be efficiently done using static training that dates quickly and isn’t memorable, and will have a minimal positive impact, especially if those requirements are added to their already overtaxed schedules.
Build a scaffold to reach higher ground
Teaching cybersecurity skills using traditional methods is like trying to build a skyscraper without ever taking your feet off the ground. It’s not possible because students don’t have the foundation needed to master the many higher-level concepts of a complex field like cybersecurity. To compensate, the concept of scaffolded learning can be employed.
When using a scaffolded, or “layered” approach to upskilling, larger topics are typically broken down into discrete learning experiences or concepts. This ensures that students are able to master each concept using appropriate exercises and instruction, providing all the support needed for each component. Newer, more advanced concepts are layered on top of those already mastered, just like physical scaffolding is constructed as a building grows higher. In this way, students are able to achieve higher levels of comprehension and skill acquisition than they would be able to master without assistance.
And just like physical scaffolding, that support is incrementally removed when it is no longer needed, with more responsibility to the students as they become increasingly proficient.
Scaffolded learning is primarily used to reduce the negative emotions and self-perceptions that students may experience when they get frustrated, intimidated, or discouraged when attempting a difficult task without assistance. But it also can hold a lot of value when trying to tackle an extremely difficult concept like modern cybersecurity. Far from being a way to treat developers like children, it’s immensely helpful when their experience with the security team can have the same effect of being frustrating and discouraging, especially when their hard work is sent back with bug fixes and a fresh serving of criticism.
When developers are given tools to understand secure coding fundamentals (usually starting with the OWASP Top 10), they can see for themselves how security bugs happen, why they’re dangerous, and how to remediate them before they end up in production. From there, they can expand their knowledge by tackling more complex vulnerabilities, and getting practical experience in applying good fixes. The layers grow, bit-by-bit, and then when it comes to advanced security issues like insecure software architecture, or engaging in threat modeling, these leaps don’t seem so intimidating and can be tackled with precision.
As an industry, we should never expect developers to become security experts, but organizations can adopt new standards for developer enablement so they can produce higher quality software. As an added bonus for organizations with engineering who are upskilling, each step of the way, or each level of scaffolding, will directly translate to better cybersecurity as they learn. There is no need to wait until the end of a course to see results.
Learning about cybersecurity is difficult, and mastering it is nearly impossible without the right kind of help and instruction. Embracing a security program with scaffolded learning can help make the most of, with benefits becoming evident almost right away. Improvements will start almost immediately, and continually get better over time.
Start building security-strong developers with us; check out:
Courses
Missions
Developer training
... and more!
After just a few minutes of browsing tech news, it will quickly become clear just how dangerous the threat landscape is becoming. Every day seems to bring with it a report of a major breach, a new vulnerability, or a dire threat of active exploitation by cyberattackers and criminals. And almost every industry metric and report shows an increasingly dangerous number of cyber threats, with most experts predicting that this trend will continue for years to come.
Lined up against these new threats is a depleted and understaffed frontline of IT security workers. Despite commanding high salaries and being nearly indispensable to any business or organization, there is never enough security personnel to go around. In a recent survey conducted by the Center for Strategic and International Studies, 82% of IT decision-makers said their organizations suffered from a shortage of cybersecurity skills, and 71% said that the shortage had resulted in direct and measurable damage to their organizations. In just the United States alone, the report noted that there were more than 520,000 unfilled cybersecurity jobs in a field where only about 940,000 are employed.
Worldwide, there are currently about 3.5 million cybersecurity jobs that are unfilled, meaning that even organizations that are willing to pay huge amounts of money to hire and retain top-level professionals are having trouble locating suitable candidates. On average, it takes about 21% longer to fill a cybersecurity position than any other job, if they can be filled at all.
Developer enablement has been ignored for too long
We noted in many previous blogs that developers can be tapped to fill in some of those critical gaps in cybersecurity defenses. It’s just that traditionally developers were never trained on cybersecurity. Their job performance was almost entirely based on speed and time to deployments. Security was the job of the AppSec teams further down the line.
Unfortunately, it’s not just a matter of switching gears and asking developers to suddenly begin adding security into their applications and programs. Even if they are willing to make those changes, and surveys have shown that many of them are, they still need training in order to make that happen. They also need encouragement and support from upper management, but being enabled with meaningful learning is the first, and often the largest, stumbling block.
There is a reason that millions of high-paying, highly secure IT security positions remain unfilled worldwide. If it was easy work, everyone would be jumping into that field. Learning how to combat threats and eliminate vulnerabilities within code is difficult, and the threat landscape is constantly changing. Trying to teach cybersecurity, even to relatively tech-savvy developers, can’t be efficiently done using static training that dates quickly and isn’t memorable, and will have a minimal positive impact, especially if those requirements are added to their already overtaxed schedules.
Build a scaffold to reach higher ground
Teaching cybersecurity skills using traditional methods is like trying to build a skyscraper without ever taking your feet off the ground. It’s not possible because students don’t have the foundation needed to master the many higher-level concepts of a complex field like cybersecurity. To compensate, the concept of scaffolded learning can be employed.
When using a scaffolded, or “layered” approach to upskilling, larger topics are typically broken down into discrete learning experiences or concepts. This ensures that students are able to master each concept using appropriate exercises and instruction, providing all the support needed for each component. Newer, more advanced concepts are layered on top of those already mastered, just like physical scaffolding is constructed as a building grows higher. In this way, students are able to achieve higher levels of comprehension and skill acquisition than they would be able to master without assistance.
And just like physical scaffolding, that support is incrementally removed when it is no longer needed, with more responsibility to the students as they become increasingly proficient.
Scaffolded learning is primarily used to reduce the negative emotions and self-perceptions that students may experience when they get frustrated, intimidated, or discouraged when attempting a difficult task without assistance. But it also can hold a lot of value when trying to tackle an extremely difficult concept like modern cybersecurity. Far from being a way to treat developers like children, it’s immensely helpful when their experience with the security team can have the same effect of being frustrating and discouraging, especially when their hard work is sent back with bug fixes and a fresh serving of criticism.
When developers are given tools to understand secure coding fundamentals (usually starting with the OWASP Top 10), they can see for themselves how security bugs happen, why they’re dangerous, and how to remediate them before they end up in production. From there, they can expand their knowledge by tackling more complex vulnerabilities, and getting practical experience in applying good fixes. The layers grow, bit-by-bit, and then when it comes to advanced security issues like insecure software architecture, or engaging in threat modeling, these leaps don’t seem so intimidating and can be tackled with precision.
As an industry, we should never expect developers to become security experts, but organizations can adopt new standards for developer enablement so they can produce higher quality software. As an added bonus for organizations with engineering who are upskilling, each step of the way, or each level of scaffolding, will directly translate to better cybersecurity as they learn. There is no need to wait until the end of a course to see results.
Learning about cybersecurity is difficult, and mastering it is nearly impossible without the right kind of help and instruction. Embracing a security program with scaffolded learning can help make the most of, with benefits becoming evident almost right away. Improvements will start almost immediately, and continually get better over time.
Start building security-strong developers with us; check out:
Courses
Missions
Developer training
... and more!
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoMatias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
After just a few minutes of browsing tech news, it will quickly become clear just how dangerous the threat landscape is becoming. Every day seems to bring with it a report of a major breach, a new vulnerability, or a dire threat of active exploitation by cyberattackers and criminals. And almost every industry metric and report shows an increasingly dangerous number of cyber threats, with most experts predicting that this trend will continue for years to come.
Lined up against these new threats is a depleted and understaffed frontline of IT security workers. Despite commanding high salaries and being nearly indispensable to any business or organization, there is never enough security personnel to go around. In a recent survey conducted by the Center for Strategic and International Studies, 82% of IT decision-makers said their organizations suffered from a shortage of cybersecurity skills, and 71% said that the shortage had resulted in direct and measurable damage to their organizations. In just the United States alone, the report noted that there were more than 520,000 unfilled cybersecurity jobs in a field where only about 940,000 are employed.
Worldwide, there are currently about 3.5 million cybersecurity jobs that are unfilled, meaning that even organizations that are willing to pay huge amounts of money to hire and retain top-level professionals are having trouble locating suitable candidates. On average, it takes about 21% longer to fill a cybersecurity position than any other job, if they can be filled at all.
Developer enablement has been ignored for too long
We noted in many previous blogs that developers can be tapped to fill in some of those critical gaps in cybersecurity defenses. It’s just that traditionally developers were never trained on cybersecurity. Their job performance was almost entirely based on speed and time to deployments. Security was the job of the AppSec teams further down the line.
Unfortunately, it’s not just a matter of switching gears and asking developers to suddenly begin adding security into their applications and programs. Even if they are willing to make those changes, and surveys have shown that many of them are, they still need training in order to make that happen. They also need encouragement and support from upper management, but being enabled with meaningful learning is the first, and often the largest, stumbling block.
There is a reason that millions of high-paying, highly secure IT security positions remain unfilled worldwide. If it was easy work, everyone would be jumping into that field. Learning how to combat threats and eliminate vulnerabilities within code is difficult, and the threat landscape is constantly changing. Trying to teach cybersecurity, even to relatively tech-savvy developers, can’t be efficiently done using static training that dates quickly and isn’t memorable, and will have a minimal positive impact, especially if those requirements are added to their already overtaxed schedules.
Build a scaffold to reach higher ground
Teaching cybersecurity skills using traditional methods is like trying to build a skyscraper without ever taking your feet off the ground. It’s not possible because students don’t have the foundation needed to master the many higher-level concepts of a complex field like cybersecurity. To compensate, the concept of scaffolded learning can be employed.
When using a scaffolded, or “layered” approach to upskilling, larger topics are typically broken down into discrete learning experiences or concepts. This ensures that students are able to master each concept using appropriate exercises and instruction, providing all the support needed for each component. Newer, more advanced concepts are layered on top of those already mastered, just like physical scaffolding is constructed as a building grows higher. In this way, students are able to achieve higher levels of comprehension and skill acquisition than they would be able to master without assistance.
And just like physical scaffolding, that support is incrementally removed when it is no longer needed, with more responsibility to the students as they become increasingly proficient.
Scaffolded learning is primarily used to reduce the negative emotions and self-perceptions that students may experience when they get frustrated, intimidated, or discouraged when attempting a difficult task without assistance. But it also can hold a lot of value when trying to tackle an extremely difficult concept like modern cybersecurity. Far from being a way to treat developers like children, it’s immensely helpful when their experience with the security team can have the same effect of being frustrating and discouraging, especially when their hard work is sent back with bug fixes and a fresh serving of criticism.
When developers are given tools to understand secure coding fundamentals (usually starting with the OWASP Top 10), they can see for themselves how security bugs happen, why they’re dangerous, and how to remediate them before they end up in production. From there, they can expand their knowledge by tackling more complex vulnerabilities, and getting practical experience in applying good fixes. The layers grow, bit-by-bit, and then when it comes to advanced security issues like insecure software architecture, or engaging in threat modeling, these leaps don’t seem so intimidating and can be tackled with precision.
As an industry, we should never expect developers to become security experts, but organizations can adopt new standards for developer enablement so they can produce higher quality software. As an added bonus for organizations with engineering who are upskilling, each step of the way, or each level of scaffolding, will directly translate to better cybersecurity as they learn. There is no need to wait until the end of a course to see results.
Learning about cybersecurity is difficult, and mastering it is nearly impossible without the right kind of help and instruction. Embracing a security program with scaffolded learning can help make the most of, with benefits becoming evident almost right away. Improvements will start almost immediately, and continually get better over time.
Start building security-strong developers with us; check out:
Courses
Missions
Developer training
... and more!
Table of contents
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Resources to get you started
10 Key Predictions: Secure Code Warrior on AI & Secure-by-Design’s Influence in 2025
Organizations are facing tough decisions on AI usage to support long-term productivity, sustainability, and security ROI. It’s become clear to us over the last few years that AI will never fully replace the role of the developer. From AI + developer partnerships to the increasing pressures (and confusion) around Secure-by-Design expectations, let’s take a closer look at what we can expect over the next year.
OWASP Top 10 For LLM Applications: What’s New, Changed, and How to Stay Secure
Stay ahead in securing LLM applications with the latest OWASP Top 10 updates. Discover what's new, what’s changed, and how Secure Code Warrior equips you with up-to-date learning resources to mitigate risks in Generative AI.
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.