Case Studies

The path to security champions: How Workday utilized agile learning to upskill developers

Published Oct 02, 2023

Situation

Before Workday implemented agile learning with Secure Code Warrior, they were utilizing in-house courses that comprised of recordings of PowerPoint presentations that covered OWASP top 10 vulnerabilities with some pseudocode examples. Alex Uda, Program Manager for security developer training, realized this wasn’t helping his team and the security team at large to achieve their goals of improving Workday’s overall security posture. Because developers were quickly becoming unengaged in their training, they decided to begin soliciting their feedback and noted that there were two items that continued to come up:

  1. The need for more hands-on type of training 
  2. The need for more language-specific content

Action 

In working with developers, Alex and his team identified two main priorities in winning developer buy-in to create an engaging, successful secure code learning program.

Clarity and simplicity 

Most developers do not arrive at their jobs with knowledge of security. Anything that is frustrating or time-consuming will lead developers to stray towards workarounds and hacks. What Workday noted about SCW is that it allowed developers to have a clear sense of the process, own it, and integrate it into their workflows.

Actionability and value 

Developers, first and foremost, want to be able to action something that is affecting the codebase/lifecycle, and action it fast. To do so, developers need to be educated on how to do so. If you want a developer to be interested in something like security, highlighting the value of these topics.

In terms of structuring the program, Alex and his team first gathered feedback on the platform from a pilot group of security champions and worked with their customer success manager to implement their suggestions. Alex and the team then looked at their SAST tools and different metrics on the number of incidents and security events to assess what the highest risks are in their current environment, and what is happening across the industry. They initially focused on the OWASP top 10 and the most common, high-risk vulnerabilities at Workday

“By giving developers that learning and that agency, SCW made it so that we were able to make active improvements to our software security. It’s not all about writing code, it’s also about growth opportunities and career opportunities. Workday’s support for the security program exists because it’s an area where the entire company is aligned, so developers were allowed that time for learning and development. Taking two hours a week to do some learning over a period of time helps to build that muscle memory with consistency.”

Results

Traditionally, it’s easy to think of security at the end stage of the development process. Working with the security team, developers at Workday now see security as an important component of the development cycle. They can action security items quickly and earlier in the SDLC, which has been the biggest impact of that program. For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months.

For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months
Alex described the growth of the program as, “a snowball effect after we began with top-of-mind security champions. As we socialized the program and its benefits to leadership and continued to increase our membership we saw almost a natural growth due to word of mouth. From a training perspective, our goal is to give our developers the necessary skills to develop code securely. This is especially critical as Workday continues to grow."

Key takeaways

According to Alex, “In order to successfully scale security it’s imperative that our developers have a security mindset to help identify security risks during the design phase of their software development. This fits in our shift left initiative to empower our developers to help save time, money, and some heartache. The better job we do in secure code learning, the fewer vulnerabilities we see from our scans and pentest results.”


Lightbulb icon

For developers, it’s important to have fun when learning about security 
SCW is great at showing how exciting it can be. If you are getting involved in security learning, embrace it fully. Consider it as a part of your development process and a part of your career growth.

Lightbulb icon

Encourage developers to reach out to the team if they are curious about security
Have a conversation, and start that collaboration.

Lightbulb icon

Security as a black box or as a bolt-on to your project is archaic and ultimately does a disservice to your software
Embracing security as part of the development process - the same way we embrace TDD, agile, and linting - will improve the flow and increase the quality of software being delivered to customers.

decorative
decorative
Download PDF
View Resource
Download PDF
View Resource

Discover how Workday transformed developer training with agile learning through Secure Code Warrior. By empowering developer with hands-on, language-specific education, Workday reduced vulnerabilities early in the SDLC. See their impressive results and key takeaways to build a secure code culture.

Interested in more?

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demo
Share on:
Author
Published Oct 02, 2023

Share on:
decorative
decorative

Situation

Before Workday implemented agile learning with Secure Code Warrior, they were utilizing in-house courses that comprised of recordings of PowerPoint presentations that covered OWASP top 10 vulnerabilities with some pseudocode examples. Alex Uda, Program Manager for security developer training, realized this wasn’t helping his team and the security team at large to achieve their goals of improving Workday’s overall security posture. Because developers were quickly becoming unengaged in their training, they decided to begin soliciting their feedback and noted that there were two items that continued to come up:

  1. The need for more hands-on type of training 
  2. The need for more language-specific content

Action 

In working with developers, Alex and his team identified two main priorities in winning developer buy-in to create an engaging, successful secure code learning program.

Clarity and simplicity 

Most developers do not arrive at their jobs with knowledge of security. Anything that is frustrating or time-consuming will lead developers to stray towards workarounds and hacks. What Workday noted about SCW is that it allowed developers to have a clear sense of the process, own it, and integrate it into their workflows.

Actionability and value 

Developers, first and foremost, want to be able to action something that is affecting the codebase/lifecycle, and action it fast. To do so, developers need to be educated on how to do so. If you want a developer to be interested in something like security, highlighting the value of these topics.

In terms of structuring the program, Alex and his team first gathered feedback on the platform from a pilot group of security champions and worked with their customer success manager to implement their suggestions. Alex and the team then looked at their SAST tools and different metrics on the number of incidents and security events to assess what the highest risks are in their current environment, and what is happening across the industry. They initially focused on the OWASP top 10 and the most common, high-risk vulnerabilities at Workday

“By giving developers that learning and that agency, SCW made it so that we were able to make active improvements to our software security. It’s not all about writing code, it’s also about growth opportunities and career opportunities. Workday’s support for the security program exists because it’s an area where the entire company is aligned, so developers were allowed that time for learning and development. Taking two hours a week to do some learning over a period of time helps to build that muscle memory with consistency.”

Results

Traditionally, it’s easy to think of security at the end stage of the development process. Working with the security team, developers at Workday now see security as an important component of the development cycle. They can action security items quickly and earlier in the SDLC, which has been the biggest impact of that program. For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months.

For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months
Alex described the growth of the program as, “a snowball effect after we began with top-of-mind security champions. As we socialized the program and its benefits to leadership and continued to increase our membership we saw almost a natural growth due to word of mouth. From a training perspective, our goal is to give our developers the necessary skills to develop code securely. This is especially critical as Workday continues to grow."

Key takeaways

According to Alex, “In order to successfully scale security it’s imperative that our developers have a security mindset to help identify security risks during the design phase of their software development. This fits in our shift left initiative to empower our developers to help save time, money, and some heartache. The better job we do in secure code learning, the fewer vulnerabilities we see from our scans and pentest results.”


Lightbulb icon

For developers, it’s important to have fun when learning about security 
SCW is great at showing how exciting it can be. If you are getting involved in security learning, embrace it fully. Consider it as a part of your development process and a part of your career growth.

Lightbulb icon

Encourage developers to reach out to the team if they are curious about security
Have a conversation, and start that collaboration.

Lightbulb icon

Security as a black box or as a bolt-on to your project is archaic and ultimately does a disservice to your software
Embracing security as part of the development process - the same way we embrace TDD, agile, and linting - will improve the flow and increase the quality of software being delivered to customers.

Download PDF
View Resource
Download PDF
View Resource

Fill out the form below to download the report

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

Submit
To submit the form, please enable 'Analytics' cookies. Feel free to disable them again once you're done.
decorative

Situation

Before Workday implemented agile learning with Secure Code Warrior, they were utilizing in-house courses that comprised of recordings of PowerPoint presentations that covered OWASP top 10 vulnerabilities with some pseudocode examples. Alex Uda, Program Manager for security developer training, realized this wasn’t helping his team and the security team at large to achieve their goals of improving Workday’s overall security posture. Because developers were quickly becoming unengaged in their training, they decided to begin soliciting their feedback and noted that there were two items that continued to come up:

  1. The need for more hands-on type of training 
  2. The need for more language-specific content

Action 

In working with developers, Alex and his team identified two main priorities in winning developer buy-in to create an engaging, successful secure code learning program.

Clarity and simplicity 

Most developers do not arrive at their jobs with knowledge of security. Anything that is frustrating or time-consuming will lead developers to stray towards workarounds and hacks. What Workday noted about SCW is that it allowed developers to have a clear sense of the process, own it, and integrate it into their workflows.

Actionability and value 

Developers, first and foremost, want to be able to action something that is affecting the codebase/lifecycle, and action it fast. To do so, developers need to be educated on how to do so. If you want a developer to be interested in something like security, highlighting the value of these topics.

In terms of structuring the program, Alex and his team first gathered feedback on the platform from a pilot group of security champions and worked with their customer success manager to implement their suggestions. Alex and the team then looked at their SAST tools and different metrics on the number of incidents and security events to assess what the highest risks are in their current environment, and what is happening across the industry. They initially focused on the OWASP top 10 and the most common, high-risk vulnerabilities at Workday

“By giving developers that learning and that agency, SCW made it so that we were able to make active improvements to our software security. It’s not all about writing code, it’s also about growth opportunities and career opportunities. Workday’s support for the security program exists because it’s an area where the entire company is aligned, so developers were allowed that time for learning and development. Taking two hours a week to do some learning over a period of time helps to build that muscle memory with consistency.”

Results

Traditionally, it’s easy to think of security at the end stage of the development process. Working with the security team, developers at Workday now see security as an important component of the development cycle. They can action security items quickly and earlier in the SDLC, which has been the biggest impact of that program. For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months.

For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months
Alex described the growth of the program as, “a snowball effect after we began with top-of-mind security champions. As we socialized the program and its benefits to leadership and continued to increase our membership we saw almost a natural growth due to word of mouth. From a training perspective, our goal is to give our developers the necessary skills to develop code securely. This is especially critical as Workday continues to grow."

Key takeaways

According to Alex, “In order to successfully scale security it’s imperative that our developers have a security mindset to help identify security risks during the design phase of their software development. This fits in our shift left initiative to empower our developers to help save time, money, and some heartache. The better job we do in secure code learning, the fewer vulnerabilities we see from our scans and pentest results.”


Lightbulb icon

For developers, it’s important to have fun when learning about security 
SCW is great at showing how exciting it can be. If you are getting involved in security learning, embrace it fully. Consider it as a part of your development process and a part of your career growth.

Lightbulb icon

Encourage developers to reach out to the team if they are curious about security
Have a conversation, and start that collaboration.

Lightbulb icon

Security as a black box or as a bolt-on to your project is archaic and ultimately does a disservice to your software
Embracing security as part of the development process - the same way we embrace TDD, agile, and linting - will improve the flow and increase the quality of software being delivered to customers.

Interested in more?

Click on the link below and download the PDF of this one pager.

Download

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

View reportBook a demo
Share on:
Interested in more?

Share on:
Author
Published Oct 02, 2023

Share on:

Situation

Before Workday implemented agile learning with Secure Code Warrior, they were utilizing in-house courses that comprised of recordings of PowerPoint presentations that covered OWASP top 10 vulnerabilities with some pseudocode examples. Alex Uda, Program Manager for security developer training, realized this wasn’t helping his team and the security team at large to achieve their goals of improving Workday’s overall security posture. Because developers were quickly becoming unengaged in their training, they decided to begin soliciting their feedback and noted that there were two items that continued to come up:

  1. The need for more hands-on type of training 
  2. The need for more language-specific content

Action 

In working with developers, Alex and his team identified two main priorities in winning developer buy-in to create an engaging, successful secure code learning program.

Clarity and simplicity 

Most developers do not arrive at their jobs with knowledge of security. Anything that is frustrating or time-consuming will lead developers to stray towards workarounds and hacks. What Workday noted about SCW is that it allowed developers to have a clear sense of the process, own it, and integrate it into their workflows.

Actionability and value 

Developers, first and foremost, want to be able to action something that is affecting the codebase/lifecycle, and action it fast. To do so, developers need to be educated on how to do so. If you want a developer to be interested in something like security, highlighting the value of these topics.

In terms of structuring the program, Alex and his team first gathered feedback on the platform from a pilot group of security champions and worked with their customer success manager to implement their suggestions. Alex and the team then looked at their SAST tools and different metrics on the number of incidents and security events to assess what the highest risks are in their current environment, and what is happening across the industry. They initially focused on the OWASP top 10 and the most common, high-risk vulnerabilities at Workday

“By giving developers that learning and that agency, SCW made it so that we were able to make active improvements to our software security. It’s not all about writing code, it’s also about growth opportunities and career opportunities. Workday’s support for the security program exists because it’s an area where the entire company is aligned, so developers were allowed that time for learning and development. Taking two hours a week to do some learning over a period of time helps to build that muscle memory with consistency.”

Results

Traditionally, it’s easy to think of security at the end stage of the development process. Working with the security team, developers at Workday now see security as an important component of the development cycle. They can action security items quickly and earlier in the SDLC, which has been the biggest impact of that program. For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months.

For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months
Alex described the growth of the program as, “a snowball effect after we began with top-of-mind security champions. As we socialized the program and its benefits to leadership and continued to increase our membership we saw almost a natural growth due to word of mouth. From a training perspective, our goal is to give our developers the necessary skills to develop code securely. This is especially critical as Workday continues to grow."

Key takeaways

According to Alex, “In order to successfully scale security it’s imperative that our developers have a security mindset to help identify security risks during the design phase of their software development. This fits in our shift left initiative to empower our developers to help save time, money, and some heartache. The better job we do in secure code learning, the fewer vulnerabilities we see from our scans and pentest results.”


Lightbulb icon

For developers, it’s important to have fun when learning about security 
SCW is great at showing how exciting it can be. If you are getting involved in security learning, embrace it fully. Consider it as a part of your development process and a part of your career growth.

Lightbulb icon

Encourage developers to reach out to the team if they are curious about security
Have a conversation, and start that collaboration.

Lightbulb icon

Security as a black box or as a bolt-on to your project is archaic and ultimately does a disservice to your software
Embracing security as part of the development process - the same way we embrace TDD, agile, and linting - will improve the flow and increase the quality of software being delivered to customers.

Table of contents

Download PDF
View Resource
Interested in more?

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demoDownload
Share on:
Resource hub

Resources to get you started

More posts
Resource hub

Resources to get you started

More posts