Key Takeaways

Kamer van Koophandel (KVK) has built a modern, developer-first security program that stands out as a model for the industry. In partnership with Secure Code Warrior, KVK has embedded secure coding practices into everyday development workflows, established a structured certification program embraced across the organization, and achieved measurable risk reduction that demonstrates the power of a proactive, developer-driven approach to security. Highlights include:

"We already had a strong security foundation, but we wanted to take it further and make security second nature for every developer. That’s why we partnered with Secure Code Warrior and made education the cornerstone of our strategy, equipping our teams to build secure software with confidence from the start."

– Sebastiaan Rijnbout, Product Owner of Development Services

‍The challenge

Creating a Developer-First Security Mindset

KVK, the Netherlands Chamber of Commerce, plays a pivotal role in supporting entrepreneurs across the Netherlands. As the official body responsible for registering businesses, legal entities, and organizations engaged in economic activities, KVK fosters transparency and strengthens the integrity of the business ecosystem. Beyond registration, KVK provides valuable information and advice on key entrepreneurial topics, from legal and regulatory guidance to insights on financing, current developments, and cybersecurity. By offering reliable data and collaborating with both national and regional economic stakeholders, KVK helps create a secure and well-informed environment for entrepreneurs to thrive in. When KVK began its journey to further enhance application security, it had established foundational security measures in place, including penetration testing. While these measures provided valuable insights, KVK saw an opportunity to scale security earlier in the development lifecycle and empower developers to take ownership of risk reduction.

In 2022, KVK selected Secure Code Warrior and launched its first secure coding training initiative with a developer-focused approach. What began as a grassroots effort to engage developers, quickly evolved into a cross-functional program backed by leadership and the CISO office, transforming secure development from an aspiration into an organizational standard.

The solution

Building a Culture, Not Just a Program

With sponsorship from the CISO, KVK’s Secure Software Development Lifecycle team partnered with Secure Code Warrior to define an organization-wide strategy and build a mandatory, role-based certification program that:

KVK harnessed the flexibility of Secure Code Warrior’s platform to create a certification program tailored to their unique organizational needs. By mapping training programs to specific roles, new hires begin with OWASP Top 10 awareness training, while senior engineers tackle advanced, scenario-based exercises mapped to real-world workflows. Champion-level developers mentor peers, foster knowledge-sharing, and help scale security expertise across teams. KVK’s program includes annual re-certification to ensure skills stay current, with full implementation underway as the organization continues to expand coverage and adapt to new risks like AI-driven vulnerabilities and emerging threats.

“Integrating certifications into our development process was a turning point,” said Sebastiaan. “It showed every developer that security is a shared priority and a natural part of how we build software. With Secure Code Warrior, learning isn’t a one-off event, it’s continuous, contextual, and seamlessly woven into our daily development culture.”

The result: training felt relevant, achievable, and directly tied to developers’ day-to-day work. By early 2024, 90% of KVK developers had achieved the Foundation level certification — a milestone that validated both the strategy and the cultural shift toward developer-led security.

The Results

Real Impact, Measurable Progress

KVK’s investment in secure development with Secure Code Warrior has delivered powerful results:

KVK leverages SCW Trust Score®, a benchmark that measures an organization’s commitment to secure coding practices based on key security metrics. Over the course of six months, KVK’s Trust Score rose significantly, placing them in the top 12% of organizations worldwide.

“The SCW Trust Score gives us clear, data-driven visibility into where our risks lie and how to focus our training where it matters most,” Sebastiaan explained. “It’s not just a benchmark, it’s a roadmap that helps us prove progress, and demonstrate the real business value of secure development.”

KVK, in partnership with Secure Code Warrior, has set a new standard for developer-driven security. By uniting strong leadership, a clear strategy, and measurable outcomes, they have transformed secure development into a core business capability, one that meets compliance requirements and serves as a model for the industry. With SCW’s reporting aligned to ISO 27001/27002 certification standards, KVK can also validate its program’s effectiveness during audits, demonstrating that secure development is not merely recommended, it is required.

KVK has plans to expand its certification program beyond engineering to include QA testers, DevOps, and low-code developers, reinforcing that security is a shared responsibility across the organization. They also plan to introduce SCW’s AI/LLM-focused content to help developers code securely alongside tools like GitHub Copilot and are working with SCW Professional Services to optimize the rollout of Trust Agent. These efforts showcase what’s possible when secure coding becomes a shared responsibility, not just for developers but for the entire organization.

“Our partnership with Secure Code Warrior has been smooth and productive,” said Sebastiaan. “They helped us implement and improve our training program, resulting in measurable risk reduction and a stronger culture of secure development.”

With Secure Code Warrior, KVK has laid a strong foundation for secure development, and they’re just getting started.

Developer Risk Management is a holistic and proactive approach to application security, focused on code contributors rather than within the bits and bytes of the application layer itself.

Proactively measure, manage and mitigate developer security risk across the SDLC to improve security posture, release software faster and cut vulnerabilities by 53% or more.

The philosophy behind Developer Risk Management is that, through upskilling code contributors and applying governance to secure coding skills programmatically, the benefits and impact of developer-driven secure code initiatives increase exponentially.

Want to dominate the OWASP Top 10? Download the No-BS Guide to Defending Your Applications Against the OWASP Top 10:2025

The ten most common security vulnerabilities don’t stand a chance against security-skilled, quality developers like you. This free eBook is your ultimate field guide to understanding each infamous entry in the OWASP Top 10 2025 and how each bug operates. 

You’ll see why they’re so dangerous and, most importantly, how you can banish every one of them from your software forever. As an added bonus, this guide features links to guided video learning modules to assist your skill development.

You'll:

• Learn how to identify and defeat common bugs, like injection flaws and the number one, Broken Access Control
• Gain new insights and hands-on learning into brand-new entries like Software Supply Chain Failures and Mishandling of Exceptional Conditions
• Understand why secure coding and focus on code quality are robust defences in reducing the risk of vulnerabilities and cyberattacks.

Are you ready for your next secure coding conquest?

Innovate Fast and Securely – Trust Agent: AI

The widespread adoption of AI coding tools is introducing a critical new layer of risk into your development lifecycle. Without visibility and governance, you're exposed to "shadow AI" and an influx of insecure code. Trust Agent: AI provides the deep observability and control you need to confidently manage AI adoption without sacrificing security. By correlating AI tool usage with developer secure coding skills, our solution helps you identify and mitigate risk at the commit level, ensuring you can innovate faster and more securely than ever before.

Download our one-pager today to learn how SCW Trust Agent: AI can help you strengthen your security posture, optimize your development lifecycle, and significantly reduce vulnerabilities.

‍

OpenText Application Security, previously known as Fortify, and Secure Code Warrior have partnered to enhance application security by empowering developers to become security champions. The integration enables targeted vulnerability education, faster remediation, and hands-on training to upskill developers in writing secure code from the start.

This collaboration reduces security risks, minimizes costs, and streamlines compliance by embedding security into the software development lifecycle, helping companies build customer trust and ship high-quality code faster.

Read more about the partnership in our One Pager.

Sage is a British multinational enterprise software company that provides businesses with software and services that are simple and easy to use for Payroll, HR, and Finance. As of 2017, it is the UK's second largest technology company, the world's third-largest supplier of enterprise resource planning software, and the largest supplier to small businesses - with over 6 million customers worldwide.

Situation 

Before working with Secure Code Warrior, Sage began outlining their Security Champion Network for approximately 10 years. Despite the robust network of security-focused developers, training was sporadic and not structured to focus on risk reduction. 

Sage recognized that it was important to spend time building relationships and embedding security over a period of time with a flexible approach. Sage’s program tied its goals to risk reduction and the material impact of that program. When piloting the program with certain business units, they focused on how to measure risk reduction and replay it back to the business to win developer and senior leadership’s buy-in. 

Action

Mads Howard, People-Centered Security Lead at Sage, worked with developers to understand the personas of security champions. She met with developers in each business unit and conducted interviews with them to understand what motivates them, how they like to learn, and what limitations they see in their work. She and her team worked to build relationships with developers and their team leads, and emphasized the importance of being flexible in their approach.

Mads emphasizes a relationship building approach,

“We spent a lot of time building relationships with dev. team leaders, engineering team leaders, and product managers- the people that control the time spent on education during sprint cycles.”

According to Mads, it also boiled down to scaling out their security champions network,

“The security champion network has been seen as a key control of that program. So in order for products to move through this program, we had to really take seriously the role of having somebody as a security champion and also provide them with solid security training.” 

The Global Security Teams goal at Sage was to implement a Security Control Program that took into consideration the learning needs of developers in a complex technology environment and choose a partner that worked alongside their existing security tooling to aid in vulnerability management. 

It was important that education was seen as an important aspect of a mature security control program. They focused on measuring risk reduction through: 

• Risk Score Improvement
• Vulnerability Age Reduction in vulnerability backlog
• Resolution Time
• No closed vulnerabilities v. open vulnerabilities
• Number of issues per line of Sage written code (not third party)

For Mads,

"The next phase for Sage as a business is to demonstrate that upskilling through a secure coding program that is embedded in developer workflows delivers measurable risk reduction."

Results

Mads emphasized the importance of the partnership and guidance Secure Code Warrior provided her and her team,

“I honestly would say that we would not have been able to get this far and build out a kind of a program that has this level of maturity in terms of different layers or dev team across different technologies without the support of Secure Code Warrior.” 

Once Mads and her team completed their interviews and won developer buy-in, she began to implement Secure Code Warrior to be part of a wider security culture program. 

The results, according to Mads, is,

“Sage has 200 plus security champions now enrolled in the program, and if a security champion is dedicating 3.5 hours a week (or 10% of their time) to skills building, they can advocate for a secure coding program, they can advocate for continuous training, and they can advocate for the value it gives them.” 

With senior leader buy-in and measurable goals around risk reduction - Mads was able to begin to measure success around not only the number of people on a platform and the hours played, but time to fix vulnerabilities, vulnerability age, and then comparing with the new features that have been built for customers to give a holistic viewpoint on vulnerability reduction. For one team the impact felt was enormous - with an 82% reduction in mean time to fix a vulnerability. 

However, what mattered more, Howard added, was the unquantifiable - the engagement, the commitment, and the willingness of teams to be involved in the program.

Key Takeaways

The Sage experience underlines the relevance of well-planned and executed security training, the importance of a flexible, integrated approach - a lesson worth learning for any organization aiming for a robust, secure coding program. According to Mads, it’s important to remember that working with developers, not against them, is the key to implementing a successful security control program and embedding security into the company’s culture. 

• Creating a Security Culture doesn’t happen overnight. It’s important to spend time building relationships and embedding security over a period of time, and dedicating resources to do so. 
• Tie everything back to risk reduction and focus on what the material impact is of a secure coding program.
• Focus on how you can measure that risk reduction to replay it back to the business so the program is seen as impactful and successful by both developers and senior leadership alike. 

For developers looking to be security champions, she and her team also offered this advice: 

• Build a network around you of people who are interested in security and get involved in conferences and talks. Spend time learning about the topics that interest you. 
• Keep in mind an organization’s culture isn’t going to change overnight, and it will take time to develop and mature. 

‍

During the webinar she discusses:

• Possible methods for locating developers
• Challenges faced by SCW customers
• Trust Agent: Commits for Developer Discovery
• Next steps for new customers
  ‍