Secure Code Warrior

Why secure code training doesn’t stack up (and what you can do about it)

Boring, boring, boring! That’s one of the main responses you’ll hear from developers whenever secure code training is mentioned. At Secure Code Warrior we believe there must be a better way.

Boring, boring, boring! That’s one of the main responses you’ll hear from developers whenever secure code training is mentioned. At Secure Code Warrior we believe there must be a better way, so we engaged with Evans Data Corp. to conduct primary research into developers’ attitudes towards secure coding, secure code practices, and security operations (download your copy of the whitepaper here).

In the soon-to-be-released Shifting from reaction to prevention: The changing face of application security, developers were asked about their main problems with current secure code training – and the answer was revealing.

Training that brings developers down

Current secure code training, that companies provide does not stack up.
Current secure code training that companies provide is seen as not hands on or work relevant.

40% of surveyed developers felt that secure coding is taught in a vacuum. Another 40% felt the training was too theoretical, not related to their work, and not ‘hands-on’ enough. 30% identified a lack of training in the language:framework they work in every day. This is serious because it tells us that current secure code training is contextually irrelevant and has no meaningful relationship with what developers do every day. 

For many developers, their main challenge is staying awake during mind-numbing, hands-off activities that are neither effective nor inspiring them to keep security front-of-mind. 

Training in a vacuum prevents developers from making the cognitive links between the laboratory and the real world.

3 things developers want from secure code training: 

  1. Overwhelmingly, developers say they want training that is more hands-on and more contextually relevant to their everyday work. 
  2. 65% of developers say more training is required in language-specific vulnerabilities and the OWASP Top 10
  3. 75% of developers surveyed prefer structured, on-the-job training. 

Training that lifts developers up

When it comes to on-the-job training, developers bring with them a certain level of experience and existing knowledge. This points to the need for 'scaffolded’ learning. This is training that is structured – or scaffolded – to build on what the developer already knows. Scaffolded education both activates and enhances any prior experience while continuing to build new skills in bite-sized chunks. This makes it the perfect means for on-the-job learning.

Imparting skills that stick

When it comes to developer security training, we know that developers prefer the  learn-by-doing method to the drudgery of theory-based static learning. In that sense, learning to code securely in a hyper-relevant, contextual environment is key. As champions of change in secure coding, Secure Code Warrior delivers contextual, hands-on education in relevant programming languages and frameworks, with challenges that mimic those developers face in the real world. Learning content includes over 5,500 challenges and missions covering over 147 different vulnerability types, including the all-important OWASP Top 10, OWASP Mobile Top 10, OWASP API Security Top 10 and CWE/SANS Top 25. 

If you’d like to see the potential impact on your teams and their ability to deliver secure code faster, book a demo now.