Application security expertise is limited in organizations, and it can be challenging to ensure development teams get the necessary training to build secure and compliant products. Innovative training techniques such as hands-on coding exercises, gamification and microlearning have gained popularity, but are they effective? In this presentation we will share the results of a 2022 primary research study and customer interviews, and provide insights that reveal how developers educate themselves today and what they find most valuable from a training perspective. We will also introduce models of how organizations can help to optimize staff time spent on training while improving developer-centric AppSec knowledge and building team culture through:
Incentivizing and scaling industry-recognized certifications while delivering coding language and role-specific training to secure all stages of the SDLC
Delivering Just-in-Time contextual training that fits into developers' workflow
Introducing trackable mechanisms to monitor the relationship between the granular dissemination of security knowledge and the reduction of product vulnerabilities and risk

Understand problems developers face with training & reference material
Understand the level of maturity and knowledge of security in developers
Assess the reception of developers to different techniques and formats
Distinguish the needs of the developer vs. business decision makers