The path to security champions: How Workday utilized agile learning to upskill developers

Published Oct 02, 2023
Case Study


Situation

Before Workday implemented agile learning with Secure Code Warrior (SCW), they were using in-house courses that consisted of recordings of PowerPoint presentations covering the OWASP Top 10 vulnerabilities with some pseudocode examples. Alex Uda, Program Manager for security developer training, realized this wasn’t helping his team and the security team at large achieve their goals of improving Workday’s overall security posture. Because developers were quickly becoming disengaged from their training, the team decided to begin soliciting developer feedback and noted two items that continued to come up:

  1. The need for more hands-on training
  2. The need for more language-specific content

Action 

In working with developers, Alex and his team identified two main priorities in winning developer buy-in to create an engaging, successful secure code learning program.

Clarity and simplicity 

Most developers do not arrive at their jobs with knowledge of security. Anything that is frustrating or time-consuming will lead developers to stray towards workarounds and hacks. What Workday noted about SCW is that it allowed developers to have a clear sense of the process, own it, and integrate it into their workflows.

Actionability and value 

Developers, first and foremost, want to be able to action something that is affecting the codebase/lifecycle, and action it fast. To do that, they need to be educated on how. If you want a developer to be interested in something like security, highlight the value of these topics.

In terms of structuring the program, Alex and his team first gathered feedback on the platform from a pilot group of security champions and worked with their customer success manager to implement their suggestions. Alex and the team then looked at their SAST tools and different metrics on the number of incidents and security events to assess what the highest risks are in their current environment, and what is happening across the industry. They initially focused on the OWASP Top 10 and the most common, high-risk vulnerabilities at Workday.

“By giving developers that learning and that agency, SCW made it so that we were able to make active improvements to our software security. It’s not all about writing code, it’s also about growth opportunities and career opportunities. Workday’s support for the security program exists because it’s an area where the entire company is aligned, so developers were allowed that time for learning and development. Taking two hours a week to do some learning over a period of time helps to build that muscle memory with consistency.”

Results

Traditionally, it’s easy to think of security at the end stage of the development process. Working with the security team, developers at Workday now see security as an important component of the development cycle. They can action security items quickly and earlier in the SDLC, which has been the biggest impact of that program. For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months.

Alex described the growth of the program as, “a snowball effect after we began with top-of-mind security champions. As we socialized the program and its benefits to leadership and continued to increase our membership we saw almost a natural growth due to word of mouth. From a training perspective, our goal is to give our developers the necessary skills to develop code securely. This is especially critical as Workday continues to grow.”

Key takeaways

According to Alex, “In order to successfully scale security it’s imperative that our developers have a security mindset to help identify security risks during the design phase of their software development. This fits in our shift left initiative to empower our developers to help save time, money, and some heartache. The better job we do in secure code learning, the fewer vulnerabilities we see from our scans and pentest results.”


For developers, it’s important to have fun when learning about security 
SCW is great at showing how exciting it can be. If you are getting involved in security learning, embrace it fully. Consider it as a part of your development process and a part of your career growth.

Encourage developers to reach out to the team if they are curious about security
Have a conversation, and start that collaboration.

Security as a black box or as a bolt-on to your project is archaic and ultimately does a disservice to your software
Embracing security as part of the development process - the same way we embrace TDD, agile, and linting - will improve the flow and increase the quality of software being delivered to customers.
