The million dollar question every developer should be asking their prospective employers
There's a question that needs to be asked by every developer, whether you are a graduate or a veteran. And the answer matters. It has become even more important in an agile world, because it will directly affect how successful you will be at software engineering and how valuable you will be to your next employer.
It's the million dollar question. Actually, it's the multi-multi million dollar question!
Are you committed to helping me to code securely?
The average cost of a data breach now stands at USD$3.6M. The odds of your company being breached this year are as high as one in four. Given these facts, I share the frustrations of many that developers aren't graduating from university with competency in secure coding and security embedded into their DNA.
Why? Software engineering is still a relatively young profession. The emphasis has been on teaching people how to build code quickly, make it elegant and functional, but with very limited focus on making the code secure. The pace of change in methodologies, technologies, languages and opportunities only exacerbates these key skill gaps.
We aren't going to change the academic system quickly, so developers and companies alike should expect that developers need to learn secure coding skills on the job. In some professions, you can learn by making mistakes, but for others, it isn't an option. So it is with cyber security.
The facts show that we haven't done very well with on-the-job developer security training either. Many of the world's major security breaches are due to coding errors which allow attackers to gain a foothold on a network or application, escalate privileges and then access and harvest valuable data. The Verizon Data Breach Investigations Report (DBIR) 2017 shows that around 30% of all breaches are directly caused by weaknesses in web application security, and this conclusion has been consistent in the DBIR since 2013.
The 2017 Global DevSecOps Skills Survey released in August 2017, confirmed what we already knew: while 65 percent of DevOps professionals believe it is very important to have knowledge of DevSecOps when entering IT, 70 percent feel they're not receiving the necessary training through formal education to be successful in today's DevSecOps world.
Nearly 40 percent of hiring managers surveyed reported that the hardest employees to find are the all-purpose high-end developers with sufficient knowledge of security testing. 70 percent of respondents said the security education they had received is not adequate for their current positions. In fact, fewer than 4 percent said they are given the opportunity to receive such training at all.
I saw this first hand when I spent almost a decade working with multiple teams of professional white-hat hackers. With tragic regularity, we broke into large enterprises, start-ups and government departments; always finding the same weaknesses.
This is why you, as a developer, need to speak up when you are being hired. If your prospective employer isn't taking your security training seriously, you should think about what sort of company you are considering joining.
The second question you should ask is how they plan to deliver it. Will it be hands-on and interactive? Developer security training on vulnerabilities delivered through slideware, videos, clickable animations or abstract discussions is unlikely to help you directly in your coding. Will they ensure you are continually kept up to date with the latest vulnerability classes? Is there a security guild or community you can learn from? Are there security mavens you can fall back on if you need help?
A commitment to your secure coding skills needs continuous learning through hands-on challenges in specific coding frameworks and confronting you with different vulnerabilities in multiple scenarios. You simply cannot learn about SQL injections through one example. You need exposure to multiple examples of diverse types so that you learn to recognise these dangerous coding patterns.
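As an added illustration of that point (example code written for this edit, not code from the original article or from Secure Code Warrior), the block below puts several SQL injection patterns side by side so the shape of the bug, rather than one memorised snippet, becomes recognisable: plain string concatenation, the same flaw dressed up in an f-string, a hand-rolled quote-doubling "escape" that is useless in a numeric context, and the two safe forms, a parameterised query for values and an allow-list for identifiers such as ORDER BY columns, which cannot be bound as parameters. The `users` table, its three rows and the function names are all constructed for the example; it runs against an in-memory SQLite database.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example: an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


# Pattern 1: string concatenation. The classic, and the one most people are shown.
def find_user_vulnerable_concat(conn, username):
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# Pattern 2: an f-string. Reads as tidier code, but it is the identical flaw:
# untrusted text is still being pasted into the SQL grammar.
def find_user_vulnerable_fstring(conn, username):
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


# Pattern 3: a home-made "escape" that doubles single quotes. It looks like a fix,
# but the value lands in a numeric comparison where no quote is needed to break out,
# so "0 OR 1=1" passes straight through.
def find_user_vulnerable_numeric(conn, user_id):
    escaped = str(user_id).replace("'", "''")
    sql = "SELECT id, username FROM users WHERE id = " + escaped
    return conn.execute(sql).fetchall()


# Safe form for values: a bound parameter. The driver hands the value to the
# engine separately from the statement text, so it can never change the query's structure.
def find_user_safe(conn, username):
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Safe form for identifiers: column names cannot be bound as parameters, so the
# only robust defence is to compare the caller's choice against a fixed allow-list.
ALLOWED_SORT_COLUMNS = {"id", "username", "role"}


def list_users_sorted(conn, sort_by):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Safe only because sort_by has just been checked against the allow-list.
    return conn.execute(f"SELECT id, username FROM users ORDER BY {sort_by}").fetchall()


def demo():
    """Run each variant against the same attacker-controlled input and return the results."""
    conn = make_db()
    text_payload = "x' OR '1'='1"      # breaks out of a quoted string context
    numeric_payload = "0 OR 1=1"       # needs no quote at all in a numeric context
    return {
        "concat": find_user_vulnerable_concat(conn, text_payload),     # all three rows
        "fstring": find_user_vulnerable_fstring(conn, text_payload),   # all three rows
        "numeric": find_user_vulnerable_numeric(conn, numeric_payload),  # all three rows
        "safe": find_user_safe(conn, text_payload),                    # no rows: no such username
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:8s} -> {len(rows)} row(s): {rows}")
```

The thing to notice is that the three vulnerable functions look nothing alike on the page, and a reviewer who has only ever seen pattern 1 will wave pattern 3 through. The common trait is not the quote character or the concatenation operator; it is that untrusted input reaches the SQL parser as part of the statement text.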
One of our customers required their developers to play a single five-minute challenge every day for two months. They tested the developers' skills before and after the training period and observed a 60% increase in secure coding capability across a group of hundreds of developers. That means fewer resources spent on finding and fixing security bugs later in the life-cycle and significant long-term savings. It also makes it far less likely that attackers will use your code to compromise your company's data.
There were 11 million professional developers in the world in 2014, according to IDC research. In 2015, Burning Glass found there were as many as 7 million job occupations that required coding skills and that programming jobs were growing on average 12% faster than the market.
There are plenty of software jobs out there. So take a stand and choose employers who are committed to taking care of their security, your security and their customers' security. By extension, choose companies who invest in you.
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.