The path to security champions: How Workday utilized agile learning to upskill developers
Situation
Before Workday implemented agile learning with Secure Code Warrior, they were utilizing in-house courses that comprised of recordings of PowerPoint presentations that covered OWASP top 10 vulnerabilities with some pseudocode examples. Alex Uda, Program Manager for security developer training, realized this wasn’t helping his team and the security team at large to achieve their goals of improving Workday’s overall security posture. Because developers were quickly becoming unengaged in their training, they decided to begin soliciting their feedback and noted that there were two items that continued to come up:
- The need for more hands-on type of training
- The need for more language-specific content
Action
In working with developers, Alex and his team identified two main priorities in winning developer buy-in to create an engaging, successful secure code learning program.
Clarity and simplicity
Most developers do not arrive at their jobs with knowledge of security. Anything that is frustrating or time-consuming will lead developers to stray towards workarounds and hacks. What Workday noted about SCW is that it allowed developers to have a clear sense of the process, own it, and integrate it into their workflows.
Actionability and value
Developers, first and foremost, want to be able to action something that is affecting the codebase/lifecycle, and action it fast. To do so, developers need to be educated on how to do so. If you want a developer to be interested in something like security, highlighting the value of these topics.
In terms of structuring the program, Alex and his team first gathered feedback on the platform from a pilot group of security champions and worked with their customer success manager to implement their suggestions. Alex and the team then looked at their SAST tools and different metrics on the number of incidents and security events to assess what the highest risks are in their current environment, and what is happening across the industry. They initially focused on the OWASP top 10 and the most common, high-risk vulnerabilities at Workday
“By giving developers that learning and that agency, SCW made it so that we were able to make active improvements to our software security. It’s not all about writing code, it’s also about growth opportunities and career opportunities. Workday’s support for the security program exists because it’s an area where the entire company is aligned, so developers were allowed that time for learning and development. Taking two hours a week to do some learning over a period of time helps to build that muscle memory with consistency.”
Results
Traditionally, it’s easy to think of security at the end stage of the development process. Working with the security team, developers at Workday now see security as an important component of the development cycle. They can action security items quickly and earlier in the SDLC, which has been the biggest impact of that program. For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months.
Alex described the growth of the program as, “a snowball effect after we began with top-of-mind security champions. As we socialized the program and its benefits to leadership and continued to increase our membership we saw almost a natural growth due to word of mouth. From a training perspective, our goal is to give our developers the necessary skills to develop code securely. This is especially critical as Workday continues to grow."
Key takeaways
According to Alex, “In order to successfully scale security it’s imperative that our developers have a security mindset to help identify security risks during the design phase of their software development. This fits in our shift left initiative to empower our developers to help save time, money, and some heartache. The better job we do in secure code learning, the fewer vulnerabilities we see from our scans and pentest results.”
For developers, it’s important to have fun when learning about security
SCW is great at showing how exciting it can be. If you are getting involved in security learning, embrace it fully. Consider it as a part of your development process and a part of your career growth.
Encourage developers to reach out to the team if they are curious about security
Have a conversation, and start that collaboration.
Security as a black box or as a bolt-on to your project is archaic and ultimately does a disservice to your software
Embracing security as part of the development process - the same way we embrace TDD, agile, and linting - will improve the flow and increase the quality of software being delivered to customers.
Discover how Workday transformed developer training with agile learning through Secure Code Warrior. By empowering developer with hands-on, language-specific education, Workday reduced vulnerabilities early in the SDLC. See their impressive results and key takeaways to build a secure code culture.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoSituation
Before Workday implemented agile learning with Secure Code Warrior, they were utilizing in-house courses that comprised of recordings of PowerPoint presentations that covered OWASP top 10 vulnerabilities with some pseudocode examples. Alex Uda, Program Manager for security developer training, realized this wasn’t helping his team and the security team at large to achieve their goals of improving Workday’s overall security posture. Because developers were quickly becoming unengaged in their training, they decided to begin soliciting their feedback and noted that there were two items that continued to come up:
- The need for more hands-on type of training
- The need for more language-specific content
Action
In working with developers, Alex and his team identified two main priorities in winning developer buy-in to create an engaging, successful secure code learning program.
Clarity and simplicity
Most developers do not arrive at their jobs with knowledge of security. Anything that is frustrating or time-consuming will lead developers to stray towards workarounds and hacks. What Workday noted about SCW is that it allowed developers to have a clear sense of the process, own it, and integrate it into their workflows.
Actionability and value
Developers, first and foremost, want to be able to action something that is affecting the codebase/lifecycle, and action it fast. To do so, developers need to be educated on how to do so. If you want a developer to be interested in something like security, highlighting the value of these topics.
In terms of structuring the program, Alex and his team first gathered feedback on the platform from a pilot group of security champions and worked with their customer success manager to implement their suggestions. Alex and the team then looked at their SAST tools and different metrics on the number of incidents and security events to assess what the highest risks are in their current environment, and what is happening across the industry. They initially focused on the OWASP top 10 and the most common, high-risk vulnerabilities at Workday
“By giving developers that learning and that agency, SCW made it so that we were able to make active improvements to our software security. It’s not all about writing code, it’s also about growth opportunities and career opportunities. Workday’s support for the security program exists because it’s an area where the entire company is aligned, so developers were allowed that time for learning and development. Taking two hours a week to do some learning over a period of time helps to build that muscle memory with consistency.”
Results
Traditionally, it’s easy to think of security at the end stage of the development process. Working with the security team, developers at Workday now see security as an important component of the development cycle. They can action security items quickly and earlier in the SDLC, which has been the biggest impact of that program. For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months.
Alex described the growth of the program as, “a snowball effect after we began with top-of-mind security champions. As we socialized the program and its benefits to leadership and continued to increase our membership we saw almost a natural growth due to word of mouth. From a training perspective, our goal is to give our developers the necessary skills to develop code securely. This is especially critical as Workday continues to grow."
Key takeaways
According to Alex, “In order to successfully scale security it’s imperative that our developers have a security mindset to help identify security risks during the design phase of their software development. This fits in our shift left initiative to empower our developers to help save time, money, and some heartache. The better job we do in secure code learning, the fewer vulnerabilities we see from our scans and pentest results.”
For developers, it’s important to have fun when learning about security
SCW is great at showing how exciting it can be. If you are getting involved in security learning, embrace it fully. Consider it as a part of your development process and a part of your career growth.
Encourage developers to reach out to the team if they are curious about security
Have a conversation, and start that collaboration.
Security as a black box or as a bolt-on to your project is archaic and ultimately does a disservice to your software
Embracing security as part of the development process - the same way we embrace TDD, agile, and linting - will improve the flow and increase the quality of software being delivered to customers.
Situation
Before Workday implemented agile learning with Secure Code Warrior, they were utilizing in-house courses that comprised of recordings of PowerPoint presentations that covered OWASP top 10 vulnerabilities with some pseudocode examples. Alex Uda, Program Manager for security developer training, realized this wasn’t helping his team and the security team at large to achieve their goals of improving Workday’s overall security posture. Because developers were quickly becoming unengaged in their training, they decided to begin soliciting their feedback and noted that there were two items that continued to come up:
- The need for more hands-on type of training
- The need for more language-specific content
Action
In working with developers, Alex and his team identified two main priorities in winning developer buy-in to create an engaging, successful secure code learning program.
Clarity and simplicity
Most developers do not arrive at their jobs with knowledge of security. Anything that is frustrating or time-consuming will lead developers to stray towards workarounds and hacks. What Workday noted about SCW is that it allowed developers to have a clear sense of the process, own it, and integrate it into their workflows.
Actionability and value
Developers, first and foremost, want to be able to action something that is affecting the codebase/lifecycle, and action it fast. To do so, developers need to be educated on how to do so. If you want a developer to be interested in something like security, highlighting the value of these topics.
In terms of structuring the program, Alex and his team first gathered feedback on the platform from a pilot group of security champions and worked with their customer success manager to implement their suggestions. Alex and the team then looked at their SAST tools and different metrics on the number of incidents and security events to assess what the highest risks are in their current environment, and what is happening across the industry. They initially focused on the OWASP top 10 and the most common, high-risk vulnerabilities at Workday
“By giving developers that learning and that agency, SCW made it so that we were able to make active improvements to our software security. It’s not all about writing code, it’s also about growth opportunities and career opportunities. Workday’s support for the security program exists because it’s an area where the entire company is aligned, so developers were allowed that time for learning and development. Taking two hours a week to do some learning over a period of time helps to build that muscle memory with consistency.”
Results
Traditionally, it’s easy to think of security at the end stage of the development process. Working with the security team, developers at Workday now see security as an important component of the development cycle. They can action security items quickly and earlier in the SDLC, which has been the biggest impact of that program. For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months.
Alex described the growth of the program as, “a snowball effect after we began with top-of-mind security champions. As we socialized the program and its benefits to leadership and continued to increase our membership we saw almost a natural growth due to word of mouth. From a training perspective, our goal is to give our developers the necessary skills to develop code securely. This is especially critical as Workday continues to grow."
Key takeaways
According to Alex, “In order to successfully scale security it’s imperative that our developers have a security mindset to help identify security risks during the design phase of their software development. This fits in our shift left initiative to empower our developers to help save time, money, and some heartache. The better job we do in secure code learning, the fewer vulnerabilities we see from our scans and pentest results.”
For developers, it’s important to have fun when learning about security
SCW is great at showing how exciting it can be. If you are getting involved in security learning, embrace it fully. Consider it as a part of your development process and a part of your career growth.
Encourage developers to reach out to the team if they are curious about security
Have a conversation, and start that collaboration.
Security as a black box or as a bolt-on to your project is archaic and ultimately does a disservice to your software
Embracing security as part of the development process - the same way we embrace TDD, agile, and linting - will improve the flow and increase the quality of software being delivered to customers.
Click on the link below and download the PDF of this one pager.
DownloadSecure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoSituation
Before Workday implemented agile learning with Secure Code Warrior, they were utilizing in-house courses that comprised of recordings of PowerPoint presentations that covered OWASP top 10 vulnerabilities with some pseudocode examples. Alex Uda, Program Manager for security developer training, realized this wasn’t helping his team and the security team at large to achieve their goals of improving Workday’s overall security posture. Because developers were quickly becoming unengaged in their training, they decided to begin soliciting their feedback and noted that there were two items that continued to come up:
- The need for more hands-on type of training
- The need for more language-specific content
Action
In working with developers, Alex and his team identified two main priorities in winning developer buy-in to create an engaging, successful secure code learning program.
Clarity and simplicity
Most developers do not arrive at their jobs with knowledge of security. Anything that is frustrating or time-consuming will lead developers to stray towards workarounds and hacks. What Workday noted about SCW is that it allowed developers to have a clear sense of the process, own it, and integrate it into their workflows.
Actionability and value
Developers, first and foremost, want to be able to action something that is affecting the codebase/lifecycle, and action it fast. To do so, developers need to be educated on how to do so. If you want a developer to be interested in something like security, highlighting the value of these topics.
In terms of structuring the program, Alex and his team first gathered feedback on the platform from a pilot group of security champions and worked with their customer success manager to implement their suggestions. Alex and the team then looked at their SAST tools and different metrics on the number of incidents and security events to assess what the highest risks are in their current environment, and what is happening across the industry. They initially focused on the OWASP top 10 and the most common, high-risk vulnerabilities at Workday
“By giving developers that learning and that agency, SCW made it so that we were able to make active improvements to our software security. It’s not all about writing code, it’s also about growth opportunities and career opportunities. Workday’s support for the security program exists because it’s an area where the entire company is aligned, so developers were allowed that time for learning and development. Taking two hours a week to do some learning over a period of time helps to build that muscle memory with consistency.”
Results
Traditionally, it’s easy to think of security at the end stage of the development process. Working with the security team, developers at Workday now see security as an important component of the development cycle. They can action security items quickly and earlier in the SDLC, which has been the biggest impact of that program. For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months.
Alex described the growth of the program as, “a snowball effect after we began with top-of-mind security champions. As we socialized the program and its benefits to leadership and continued to increase our membership we saw almost a natural growth due to word of mouth. From a training perspective, our goal is to give our developers the necessary skills to develop code securely. This is especially critical as Workday continues to grow."
Key takeaways
According to Alex, “In order to successfully scale security it’s imperative that our developers have a security mindset to help identify security risks during the design phase of their software development. This fits in our shift left initiative to empower our developers to help save time, money, and some heartache. The better job we do in secure code learning, the fewer vulnerabilities we see from our scans and pentest results.”
For developers, it’s important to have fun when learning about security
SCW is great at showing how exciting it can be. If you are getting involved in security learning, embrace it fully. Consider it as a part of your development process and a part of your career growth.
Encourage developers to reach out to the team if they are curious about security
Have a conversation, and start that collaboration.
Security as a black box or as a bolt-on to your project is archaic and ultimately does a disservice to your software
Embracing security as part of the development process - the same way we embrace TDD, agile, and linting - will improve the flow and increase the quality of software being delivered to customers.
Table of contents
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Coders Conquer Security: Share & Learn - Cross-Site Scripting (XSS)
Cross-site scripting (XSS) uses the trust of browsers and ignorance of users to steal data, take over accounts, and deface websites; it's a vulnerability that can get very ugly, very quickly. Let's take a look at how XSS works, what damage can be done, and how to prevent it.
Coders Conquer Security: Share & Learn - Cross-Site Scripting (XSS)
Cross-site scripting (XSS) uses the trust of browsers and ignorance of users to steal data, take over accounts, and deface websites; it's a vulnerability that can get very ugly, very quickly. Let's take a look at how XSS works, what damage can be done, and how to prevent it.