Secure Coding Training Guide

This document provides guidance on developing a successful secure coding training program. It recommends three key steps: 1) Create a security culture by gaining leadership buy-in and selecting security champions. 2) Develop training that meets developers needs by selecting engaging delivery formats, appropriate scheduling, relevant topics, and methods for developer involvement. 3) Continually measure and optimize the program. The document emphasizes training developers effectively given their time constraints and priorities, and creating a culture where security is a strategic priority supported by leadership.


Best Practices for Developing a Successful Secure Coding Training Program
THE ONLY GUIDE YOU NEED (with checklist!)
Contents
INTRODUCTION
STEPS TO DEVELOPING A SUCCESSFUL SECURE CODING TRAINING PROGRAM
STEP 1: CREATING A SECURITY CULTURE
STEP 2: DEVELOP TRAINING THAT MEETS DEVELOPERS WHERE THEY ARE
  1. SELECTING THE DELIVERY FORMAT
  2. SCHEDULING
  3. TRAINING TOPICS
  4. DEVELOPER ENGAGEMENT
  5. SECURITY CHAMPIONS
STEP 3: CONTINUALLY MEASURE AND OPTIMIZE
CONCLUSION
CHECKLIST

INTRODUCTION
Ransomware has certainly had its 15 minutes of fame over the past year, but hacking is still on top when it comes to
the methodology a variety of bad actors are relying upon to infiltrate systems. That was the good news. The bad news?
Over 90 percent of recent hacks succeeded through vulnerabilities in web applications. In order to reduce the threat
of breaches, the obvious solution for companies is to fortify their application security thereby eliminating the most
common attack vector. However, developers outnumber security professionals by an estimated ratio of 500 to one.
This raises the question that every leader in the software industry should be asking: how can we secure our
applications when there are not enough security professionals to hire?

Much investment in recent years has gone into procuring and deploying the tools to “shift left” and make security more
ingrained within the software architecture, design, and development phases. But technology alone will not solve the
problem.

The real solution is education.

In HackEDU’s 2021 Vulnerabilities Benchmark Report, we pointed out that the top vulnerability on the most recent
OWASP Top 10 list, code injections, has been at the top of the list for 14 years. This is mainly because it is the
vulnerability that is most often fixed incorrectly. A contributing factor to this startling problem: none of the top 40
coding programs in the US, and none of the top 5 globally, require a secure coding or secure application design class.
While tertiary education cannot be expected to provide all the knowledge required to be successful in the workplace,
the issue is further compounded by the fact that 53% of developers in the workforce do not receive any secure coding
training on the job. Although it appears this trend may be changing, it’s evident that a large number of developers are not
equipped with the knowledge to code securely.

Well-trained developers are the foundation of a secure software development lifecycle (SDLC), and effective secure
coding training helps ensure the strength of that foundation. Given the sizable number of developers who have not
received any form of formal secure coding instruction, the only way to scale secure coding efforts is to train the
developers at scale. This should be done in a way that is both effective and that is empathetic to the modern developer’s
situation. A well-trained development team reduces the dependency on application security teams to support a robust
application security program, resulting in more secure software, and a lower likelihood of being breached.

STEPS TO DEVELOPING A SUCCESSFUL SECURE CODING TRAINING PROGRAM
Successful organizational shifts are preceded by planning that includes the following ingredients:

1. A clear vision

2. Demonstrable benefits

3. Executive sponsorship

4. Adequate resources

5. Sound methodology

This guide was developed in alignment with these principles, and the methodology has proven to be successful for our
customers.

Organizations that want to develop a successful secure coding training program must follow three important steps:

• Step 1: Create a Security Culture

• Step 2: Develop Training That Meets Developers Where They Are

• Step 3: Continually Measure and Optimize

STEP 1: CREATING A SECURITY CULTURE
Cultural shifts can originate from any point within an organization, but success demands that leaders commit themselves
to new behaviors for both themselves, and their employees. The biggest resistance (the “that’s the way things have
always been done here” mindset) can be overcome with the right approach and commitment. The two main drivers for
change are a company’s leadership and the Security Champions they select.

LEADERSHIP BUY-IN AND SUPPORT


A company’s leadership must be prepared to support the development of a security culture if they want to achieve
success in this arena. Leadership refers both to the executive suite, as well as individual leaders of development and
security teams. If the leaders aren’t fully on board, or if their support is flagging, the chances of success are minuscule.

The initial contribution of the executive leaders should be to help develop a long-term vision for security that aligns with
the company’s goals, and to communicate that vision across the organization, positioning it as a strategic imperative.
They must help initiate the transformation of the organization’s mindset from one where the instinctive response to
security concerns is “but,...” to one of “yes, and this is how we’ll do it”.

As part of this effort, executive leadership must create a safe environment for the people involved in the security
effort to voice concerns and initiate changes, and help them deal with pushbacks or setbacks in the process. Lobbying
for, and securing a budget for the effort is also an important task that the executive leadership team must perform. A
comprehensive budget is required for training, tools, communications, and incentives. While it may be tempting to only
partially fund a security push, an inadequate budget will hamstring the effort, and will not provide the intended effects.

Leaders at the operational level have a key role to play in helping to ensure the success of the company’s effort to create
a security culture. They are responsible for selecting the right security champions, and supporting them as they serve as
ambassadors for the organization’s efforts to develop a security culture.

THE IMPORTANCE OF SECURITY CHAMPIONS


Security Champions are critical to the success of any organization’s attempt to make the shift to a culture where security
is pervasive. From our experience, Security Champions are a constant component across all successful application
security programs. We’ll expand upon the role of the Security Champions in the next section.

STEP 2: DEVELOP TRAINING THAT MEETS DEVELOPERS WHERE THEY ARE
The process of developing the training has multiple components, each of which revolves around the ultimate goals of
maximizing motivation, engagement and quality of learning for your developers. There are five primary considerations
when developing the training program:

1. Selecting the Delivery Format

2. Scheduling

3. Training Topics

4. Developer Engagement

5. Security Champions

1. Selecting the Delivery Format

THE MODERN DEVELOPER, AND THE CHALLENGES THEY FACE


Software developers are under greater pressure than ever to deliver code. Fifty-one percent of developers report
that their codebases are 100 times greater in volume than they were 10 years ago, while within the same time span,
92 percent say they have to release code faster. Globally, 38% of developers are pushing out releases at a cadence
of once a month or faster. Given expectations around the speed of delivery, tasks that interrupt the roadmap
of delivery are generally looked upon unfavorably; in the past, secure coding training has often been viewed in
that light, as an impediment to success rather than an asset. That’s why software delivery roadmaps should be
created with an integrated approach to secure coding practices, and the training programs should be designed and
developed in conjunction with plans to revise software development lifecycles.

The correct delivery format (i.e. how the knowledge is presented) is a vital component of a successful secure coding
training program. A well-designed delivery platform contributes to:

1. An improvement in the level of motivation to take and complete the training.

2. An increase in the level of comprehension, retention, and ability to apply the knowledge that the training
delivers.

The delivery format selected for secure coding training can create a culture of empathy for developers and the
challenges they face on the job. A well-designed program will make efficient use of their time, teach them clearly
and effectively, and keep the training relevant to the work that they do. Thankfully, there’s reliable research
to help guide the decision-making process. The following science-backed principles are the ingredients you should look
for when evaluating training with a sound delivery format:

I. LEARNING SCIENCE PRINCIPLES


Learning Science principles are the basic principles that underlie effective learning. They provide the blueprint for how
to train effectively, and are a vital component of a successful training program. When selecting a secure code training
program, look for curriculums that incorporate the following principles:

» Bite-sized lessons

– Too much information at once can impede students’ ability to learn effectively. Any training that’s monolithic
and delivered all at once is detrimental to effective learning.

– TAKEAWAY: Look for a delivery format that allows for bite-sized lessons.

» Conceptual and Procedural Knowledge

– Procedural knowledge refers to knowledge of the steps and actions needed to solve a challenge, whereas
conceptual knowledge refers to the principles that underlie the procedures and the relationships between
associated blocks of knowledge. In simpler terms, procedural knowledge is the “how” of doing something,
whereas conceptual knowledge is the “why”. Both are important, but each alone isn’t sufficient in ensuring
true proficiency in a subject. Without conceptual knowledge, a developer’s ability to solve problems
is limited to the problem with which they were presented during the training. Exercising conceptual
knowledge, a developer has the ability to tackle almost any problem that relates to the topic.

– TAKEAWAY: Look for a delivery format that provides both conceptual and procedural knowledge.

» Goal-directed practice and targeted feedback

– Learning is most effective when students engage in hands-on practice that focuses on a specific goal and
targets the appropriate degree of difficulty. Each segment of practice should be combined with feedback
that addresses students’ performance relative to the goal, gives them information to help them make
progress towards those goals, and is delivered at the time when it is most useful to them.

– Without hands-on practice and targeted feedback working in tandem with each other, learning effectiveness
will likely be stunted. This is the reason why trainings that take a video-only format, or that base outcomes on
multiple-choice assessments, are often ineffective.

– TAKEAWAY: Look for training that includes hands-on practice which is relevant to the subject matter or
lesson, and that provides prompt and relevant feedback.

– BONUS TAKEAWAY: Look for training that provides a mechanism for instant, live help from an expert.

» Connected knowledge structures

– Research on cognition and learning reveals that the way knowledge is organized contributes significantly to
the development of expertise in a subject matter. Numerous studies have concluded that experts in a field
of study do not just amass more knowledge about that domain; they also understand how different sectors
of knowledge relate to each other, and their relative priority and usefulness.

– Organizing lessons and content in a way that enables students to make appropriate connections between
existing knowledge and newly presented knowledge improves developers’ ability to gain proficiency in
the subject matter.

– TAKEAWAY: Look for training that is built upon the principles of connected knowledge structures.

II. TRAINING PHILOSOPHY
Training philosophy is a foundational element of any secure coding training program; all elements of a program are built
atop the philosophy. The two prevailing philosophies are: “offensive + defensive” and “defensive only”.

A University of Mannheim study that compared the two philosophies concluded with two main findings:

1. “Offensive + defensive” training led to a significantly better understanding of information security vs. defensive
alone.

2. “Offensive + defensive” training resulted in a superior level of student motivation vs. defensive alone.

» TAKEAWAY: Look for training programs that contain both offensive and defensive components.

III. CONTEXTUAL LEARNING


Contextual learning in secure code training involves directly connecting the training to what developers experience,
know, and are comfortable with in their everyday lives. In practice, it engages them in meaningful and interactive
activities to which they can relate back to experiences in their professional environment. In the case of secure coding
training, developers should be trained within a familiar context, whether by:

» Using an interface that they’re already familiar with (e.g. a development environment).

» Teaching them in the programming language(s) they know best.

» Relating content to issues and vulnerabilities that they are likely to see in their code.

Contextual learning has been scientifically proven to improve the effectiveness of training by enhancing critical thinking
skills. When it comes to software development, elevating critical thinking results in more secure code.

» TAKEAWAY: Look for training programs that provide contextual learning instead of training that doesn’t match
what developers experience on the job. The training experience should be hands-on, delivered in a programming
language that developers are familiar with, and demonstrate that the learning material is directly applicable to
their everyday jobs.

IV. POSITIVE REINFORCEMENT
Positive reinforcement refers to the introduction of a pleasant or desirable stimulus in response to a behavior. That
stimulus reinforces the behavior, increasing the chances that the behavior will happen again. Positive reinforcement has
long been proven effective at increasing motivation and enhancing the enjoyment of learning. The four primary forms of
positive reinforcers are:

1. Natural
a. This type of reinforcer occurs as a direct result of the behavior.
b. e.g. Developers write code with fewer vulnerabilities after completing training.

2. Token
a. Involves the use of points or tokens that can be handed out upon successful completion of expected
behaviors. These can then be exchanged for rewards that the students consider valuable.
b. e.g. Developers receive points upon the successful completion of each training module, which they can then
exchange for company merchandise.

3. Social
a. Expressions of praise or gratitude from others when a student exhibits the appropriate behavior.
b. e.g. A team lead recognizing a developer in front of her peers at a weekly stand-up meeting for successfully
completing her secure coding training.

4. Tangible
a. Physical or monetary rewards given upon successful completion of milestones.
b. e.g. Developers each receive an Amazon gift card after completing their training on schedule.

Technology has made it easier to implement token, social, and tangible reinforcement, and such reinforcement should
be a core component of any training program. Having these reinforcements built into a secure coding training program
will increase developers’ motivation to complete the training.

» TAKEAWAY: Make sure that training programs you evaluate include a feature that lets you provide one or more
forms of positive reinforcement.

2. SCHEDULING
When scheduling training, there are two key things to keep in mind:

1. The training schedule should be sensitive to the pressures that developers are facing (refer to the sidebar
“The Modern Developer, and the Challenges They Face” in the Selecting the Delivery Format section).

2. The schedule should be set up in a way that it promotes effective learning.

Based on what we’ve seen work well, that translates to the following:

» Training that is delivered continuously throughout the year is the most effective format for participation and
knowledge acquisition.

– Monolithic training, or training that’s delivered all at once, will detract from developers’ work or personal
schedule, and will make it less likely that they will take it.

– Inundating developers with information will make it difficult for them to comprehend and retain the
information. Smaller chunks of information, interspersed with hands-on coding, delivered on an ongoing
basis, helps reinforce the knowledge constantly and provides better learning outcomes.

» On-demand training (1 to 3 hours every month) eases incorporation into everyday practice and long-term
development goals.

– Short lessons of 20 to 30 minutes, delivered on-demand, make secure coding training much
easier to fit into developers’ workflow. They can do it during testing/compile time or during breaks.

– If developers decide to take the training at home, it is much easier for them to find 20 to 30 minute chunks in
their day than it is to take entire days off to train.

» TAKEAWAY: Make sure that the training program you specify delivers bite-sized lessons that can be taken
anytime it’s convenient for the developers.

3. TRAINING TOPICS
The list of training topics should cover the most common software vulnerabilities, emerging threats, and vulnerabilities
being discovered in the company’s codebase. Additionally, it is extremely beneficial to teach developers about
vulnerabilities that have appeared in their own code. This can be done through the use of integrations with the testing
tools and other tools in the company’s DevSecOps toolchain.

» The following list of training topics covers the majority of what modern developers need to know:

– OWASP Top 10

– API Security

– Mobile Vulnerabilities

– Security for the latest technologies (JWT, OAuth, NoSQL, etc)

» Lesson plans should include the following:

– Instruction on vulnerabilities that are actually being discovered in the developer’s code. This type of
adaptive content provides a higher degree of relevance and urgency to the developer, as the vulnerabilities
they are learning about are immediately applicable to them.

– The latest attacks, such as publicly disclosed vulnerabilities and techniques, with lessons drawn from the
latest data breaches.

ROLE-BASED TRAINING
Different roles require different training plans. If the lesson plans are based on an adaptive feature, where actual
vulnerabilities in code are used to inform lesson plans, then the lessons will automatically be tailored towards the
developer and her/his role. If the lesson plan isn’t adaptive, then lessons should be specified based on the following:

» Development stack being used

» Role - Front-end vs. back-end vs. QA

» Level of seniority

Consulting with your secure coding training vendor will help you determine the best way to set up a training program for
your organization.

4. DEVELOPER ENGAGEMENT
Ideally, developer engagement should be incorporated into the core design of the training platform that you use, using
the principles described in the “Selecting the Delivery Format” section of this guide. Once that baseline has been
established, other things you can focus on to increase developer engagement include:

» Create relevance

– Irrelevant content and lesson plans will cause developers to immediately lose interest in the training. Always
try to tailor lesson plans and content to a developer’s needs. Your training solutions partner should provide
you with recommendations based on what they’ve seen work well in other training deployments. Where
possible, look for training that offers adaptive training plans to help ensure that the lessons are always
relevant.

» Integrate training into work activities

– Dedicating time each month or quarter for developers to take training sends the message that training is a
valuable activity, and not just a burden that developers must shoulder in addition to their regular workload.
Training sessions can be turned into a social event, where a group of developers learn together in a
conference room and help each other out when someone faces difficulties.

» Align training with KPIs

– Making the completion of secure coding training one of the developers’ KPIs helps to communicate that it is
important, and is part of the company’s imperatives for its developers.

» Require accountability

– In some extreme cases, we’ve seen companies force accountability for training by limiting developers’ ability
to perform pull requests until they’ve completed training. We don’t advocate for this type of negative
reinforcement, and view it as a last resort for dealing with situations where compliance requirements must
be met.

5. SECURITY CHAMPIONS
It’s important to note that a secure coding training program can be rolled out successfully without having Security
Champions on board. There are many examples of successful training deployments that have done so. However, having
one or more Security Champions will enhance your efforts, as they can:

» Help the training administrator(s) to develop the training plan, since they have a close-up view of the codebase
and common vulnerabilities, and know what’s relevant and what isn’t.

» Encourage their peers to complete the training, then take additional challenges or lessons to expand their
knowledge.

Selecting the right Security Champions is a very important consideration in the process of developing a successful secure
coding training program. They are the ambassadors of security, and the subject matter experts within the developer
sphere. They help shape success for the initiative not only through their knowledge and technical acumen, but also by
virtue of their ability to lead and inspire.

When possible, you should encourage experienced members of your company’s development team who show an
interest in security to volunteer to serve as Security Champions. There are a few reasons for this:

» By encouraging developers who have already expressed an interest in security to be Security Champions, you are
not assigning someone who’s disinterested in the topic a burden, but instead, building upon existing interest.

» Experienced developers are more likely to have the respect and trust of their peers, and be in a better position to
influence them.

» There’s a higher likelihood that they understand the context within which secure coding fits into the bigger
picture of what the development team does and are able to shape the effort and communication in a way that’s
more readily understood and accepted.

» Their networks are likely to be more extensive than those of a less experienced person, which will make it easier
for them to influence change.

» They are naturally looked up to by more junior developers, and can help encourage and coach them.

STEP 3: CONTINUALLY MEASURE AND OPTIMIZE

SETTING METRICS
» Evaluate developers’ abilities continually by looking at these key metrics:

– The number of vulnerabilities that a developer can detect and fix in their production code.

– The number of vulnerabilities that appear in a developer’s code, before and after training.

MEASUREMENT
» There are three primary ways to measure and track metrics:

– Map what you are currently doing to find vulnerabilities in Static Application Security Testing (SAST) and
Dynamic Application Security Testing (DAST) with training progress. Automate this where possible, or use
a training platform that makes this available. You want to see trends in vulnerability data and a reduction
based on the lessons that have been taken. This can be used to both measure effectiveness as well as
understand where more practice is necessary.

– Use the training platform’s measurement for level of proficiency of each lesson to serve as a proxy.

– Conduct an assessment before training begins to establish a baseline, then perform periodic assessments
once the training is underway.

OPTIMIZATION
» Use feedback loops based on the baseline and metrics to change behavior

– Assign additional lessons or challenges to shore up developers’ knowledge of topics that they lack
proficiency in, or get them support from a Security Champion on your team.
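As an added example (not HackEDU’s code and not part of the original guide), the following Python script shows one way to implement the measurement and optimization loop described in this step: it joins scanner findings, attributed to the developer who authored the flagged code, with lesson-completion dates, computes each developer’s finding rate per topic before and after training, and flags the (developer, topic) pairs that need additional lessons or Security Champion support. The findings, completion dates, developer names, topic labels and the per-30-day normalization are all constructed assumptions for the example; a real deployment would pull the findings from the SAST/DAST tools and the completions from the training platform.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data for this example (not real scanner output).
# One row per SAST/DAST finding: (developer who authored the flagged code,
# lesson topic the finding maps to, date the scanner reported it).
FINDINGS = [
    ("alice", "sqli", date(2021, 1, 15)),
    ("alice", "sqli", date(2021, 2, 10)),
    ("alice", "sqli", date(2021, 5, 20)),
    ("alice", "xss", date(2021, 2, 20)),
    ("alice", "xss", date(2021, 4, 10)),
    ("alice", "xss", date(2021, 5, 12)),
    ("alice", "xss", date(2021, 6, 5)),
    ("bob", "sqli", date(2021, 2, 1)),
    ("bob", "sqli", date(2021, 3, 15)),
    ("bob", "sqli", date(2021, 5, 1)),
    ("carol", "sqli", date(2021, 3, 3)),
]

# Constructed training log: the date each developer completed the lesson on a topic.
COMPLETIONS = {
    "alice": {"sqli": date(2021, 3, 1), "xss": date(2021, 3, 1)},
    "bob": {"sqli": date(2021, 4, 1)},
    "carol": {},
}

# Observation window covering the baseline and the post-training period.
WINDOW_START = date(2021, 1, 1)
WINDOW_END = date(2021, 7, 1)


def per_30_days(count, days):
    """Normalise a finding count to a rate per 30 days so that a short
    post-training period is comparable with a long baseline. None if the
    period is empty."""
    return round(count * 30 / days, 3) if days > 0 else None


def finding_rates(findings, completions, window_start, window_end):
    """Per (developer, topic): finding counts and per-30-day rates before and
    after the developer completed the matching lesson. A developer with no
    completion for a topic has all findings counted as 'before' and no
    'after' period."""
    counts = defaultdict(lambda: {"before": 0, "after": 0})
    for dev, topic, found in findings:
        if not (window_start <= found < window_end):
            continue  # ignore findings outside the observation window
        trained = completions.get(dev, {}).get(topic)
        bucket = "after" if trained is not None and found >= trained else "before"
        counts[(dev, topic)][bucket] += 1

    rates = {}
    for (dev, topic), c in counts.items():
        trained = completions.get(dev, {}).get(topic)
        # The completion date, clamped into the window, splits it into the two periods.
        cutoff = window_end if trained is None else min(max(trained, window_start), window_end)
        rates[(dev, topic)] = {
            "trained": trained is not None,
            "before_count": c["before"],
            "after_count": c["after"],
            "before_rate": per_30_days(c["before"], (cutoff - window_start).days),
            "after_rate": per_30_days(c["after"], (window_end - cutoff).days),
        }
    return rates


def needs_follow_up(rates):
    """(developer, topic) pairs where the lesson was taken but the finding rate
    did not drop: candidates for extra lessons or Security Champion support."""
    flagged = []
    for key, r in rates.items():
        if (r["trained"] and r["before_rate"] is not None
                and r["after_rate"] is not None
                and r["after_rate"] >= r["before_rate"]):
            flagged.append(key)
    return sorted(flagged)


def untrained_with_findings(rates):
    """(developer, topic) pairs with findings but no completed lesson: assign the lesson."""
    return sorted(key for key, r in rates.items() if not r["trained"])


if __name__ == "__main__":
    rates = finding_rates(FINDINGS, COMPLETIONS, WINDOW_START, WINDOW_END)
    for (dev, topic), r in sorted(rates.items()):
        print(f"{dev:6} {topic:5} before={r['before_rate']} after={r['after_rate']}")
    print("follow-up:", needs_follow_up(rates))
    print("assign lesson:", untrained_with_findings(rates))
```

The rate is normalized per 30 days because the baseline and post-training periods are rarely the same length; comparing raw counts would penalize developers who trained early. The script deliberately separates "trained but not improving" (more practice or a Security Champion pairing) from "never trained" (assign the lesson), since the two call for different actions.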

CONCLUSION
Developing a secure software development lifecycle is a continuous process that marries the right tools, a culture
of security, and a development team that’s well trained on secure coding practices. While there are many ways to
accomplish the latter, selecting the right secure coding training solution is important in ensuring that developers actually
take and complete the training, retain the knowledge they’ve learned, and know how to apply the principles that result in
more secure code.

CHECKLIST

Use the checklist below to simplify your evaluation of secure coding training solutions.

Download The Checklist

ABOUT HACKEDU
HackEDU has helped hundreds of companies and organizations secure their software development lifecycle
through our secure coding training platform and our PREPARE, PREVENT and PROTECT approach.

PREPARE
We train your developers on how to detect and fix vulnerabilities so that they can write more secure code. New
and experienced developers have successfully improved their secure coding skills.

PREVENT
Our training platform integrates with code repositories, SAST, DAST and SCA tools, and issue trackers to
automatically generate lesson plans based on vulnerabilities found in your code, before you deploy it.

PROTECT
We integrate with bug bounty programs to automatically deliver tailored training content based on the
vulnerabilities discovered in your code.

Our interactive, web-based training is conducted using a real web application that sits in a sandbox environment,
and our lessons focus on both offensive and defensive skills. Our robust administrative tools make it easy for
administrators to set up, deploy, assess and manage training.

Visit us at www.hackedu.com to learn more
