Why secure code training doesn’t stack up (and what you can do about it)

Published Apr 08, 2021
by Secure Code Warrior
cASE sTUDY

Why secure code training doesn’t stack up (and what you can do about it)

Published Apr 08, 2021
by Secure Code Warrior
View Resource
View Resource

Boring, boring, boring! That’s one of the main responses you’ll hear from developers whenever secure code training is mentioned. At Secure Code Warrior we believe there must be a better way, so we engaged with Evans Data Corp. to conduct primary research into developers’ attitudes towards secure coding, secure code practices, and security operations (download your copy of the whitepaper here).

In the soon-to-be-released Shifting from reaction to prevention: The changing face of application security, developers were asked about their main problems with current secure code training – and the answer was revealing.

Training that brings developers down

Current secure code training, that companies provide does not stack up.
Current secure code training that companies provide is seen as not hands on or work relevant.

40% of surveyed developers felt that secure coding is taught in a vacuum. Another 40% felt the training was too theoretical, not related to their work, and not ‘hands-on’ enough. 30% identified a lack of training in the language:framework they work in every day. This is serious because it tells us that current secure code training is contextually irrelevant and has no meaningful relationship with what developers do every day. 

For many developers, their main challenge is staying awake during mind-numbing, hands-off activities that are neither effective nor inspiring them to keep security front-of-mind. 

Training in a vacuum prevents developers from making the cognitive links between the laboratory and the real world.

3 things developers want from secure code training: 

  1. Overwhelmingly, developers say they want training that is more hands-on and more contextually relevant to their everyday work. 
  2. 65% of developers say more training is required in language-specific vulnerabilities and the OWASP Top 10
  3. 75% of developers surveyed prefer structured, on-the-job training. 

Training that lifts developers up

When it comes to on-the-job training, developers bring with them a certain level of experience and existing knowledge. This points to the need for 'scaffolded’ learning. This is training that is structured – or scaffolded – to build on what the developer already knows. Scaffolded education both activates and enhances any prior experience while continuing to build new skills in bite-sized chunks. This makes it the perfect means for on-the-job learning.

Imparting skills that stick

When it comes to developer security training, we know that developers prefer the  learn-by-doing method to the drudgery of theory-based static learning. In that sense, learning to code securely in a hyper-relevant, contextual environment is key. As champions of change in secure coding, Secure Code Warrior delivers contextual, hands-on education in relevant programming languages and frameworks, with challenges that mimic those developers face in the real world. Learning content includes over 5,500 challenges and missions covering over 147 different vulnerability types, including the all-important OWASP Top 10, OWASP Mobile Top 10, OWASP API Security Top 10 and CWE/SANS Top 25. 

If you’d like to see the potential impact on your teams and their ability to deliver secure code faster, book a demo now.


View Resource
View Resource

Author

Secure Code Warrior

Secure Code Warrior builds a culture of security-driven developers by giving them the skills  to code securely. Our flagship Agile Learning Platform delivers relevant skills-based pathways,  hands-on missions, and contextual tools for developers to rapidly learn, build, and apply  their skills to write secure code at speed.

Want more?

Dive into onto our latest secure coding insights on the blog.

Our extensive resource library aims to empower the human approach to secure coding upskilling.

View Blog
Want more?

Get the latest research on developer-driven security

Our extensive resource library is full of helpful resources from whitepapers to webinars to get you started with developer-driven secure coding. Explore it now.

Resource Hub

Why secure code training doesn’t stack up (and what you can do about it)

Published Apr 08, 2021
By Secure Code Warrior

Boring, boring, boring! That’s one of the main responses you’ll hear from developers whenever secure code training is mentioned. At Secure Code Warrior we believe there must be a better way, so we engaged with Evans Data Corp. to conduct primary research into developers’ attitudes towards secure coding, secure code practices, and security operations (download your copy of the whitepaper here).

In the soon-to-be-released Shifting from reaction to prevention: The changing face of application security, developers were asked about their main problems with current secure code training – and the answer was revealing.

Training that brings developers down

Current secure code training, that companies provide does not stack up.
Current secure code training that companies provide is seen as not hands on or work relevant.

40% of surveyed developers felt that secure coding is taught in a vacuum. Another 40% felt the training was too theoretical, not related to their work, and not ‘hands-on’ enough. 30% identified a lack of training in the language:framework they work in every day. This is serious because it tells us that current secure code training is contextually irrelevant and has no meaningful relationship with what developers do every day. 

For many developers, their main challenge is staying awake during mind-numbing, hands-off activities that are neither effective nor inspiring them to keep security front-of-mind. 

Training in a vacuum prevents developers from making the cognitive links between the laboratory and the real world.

3 things developers want from secure code training: 

  1. Overwhelmingly, developers say they want training that is more hands-on and more contextually relevant to their everyday work. 
  2. 65% of developers say more training is required in language-specific vulnerabilities and the OWASP Top 10
  3. 75% of developers surveyed prefer structured, on-the-job training. 

Training that lifts developers up

When it comes to on-the-job training, developers bring with them a certain level of experience and existing knowledge. This points to the need for 'scaffolded’ learning. This is training that is structured – or scaffolded – to build on what the developer already knows. Scaffolded education both activates and enhances any prior experience while continuing to build new skills in bite-sized chunks. This makes it the perfect means for on-the-job learning.

Imparting skills that stick

When it comes to developer security training, we know that developers prefer the  learn-by-doing method to the drudgery of theory-based static learning. In that sense, learning to code securely in a hyper-relevant, contextual environment is key. As champions of change in secure coding, Secure Code Warrior delivers contextual, hands-on education in relevant programming languages and frameworks, with challenges that mimic those developers face in the real world. Learning content includes over 5,500 challenges and missions covering over 147 different vulnerability types, including the all-important OWASP Top 10, OWASP Mobile Top 10, OWASP API Security Top 10 and CWE/SANS Top 25. 

If you’d like to see the potential impact on your teams and their ability to deliver secure code faster, book a demo now.


We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

To submit the form, please enable 'Analytics' cookies. Feel free to disable them again once you're done.