What Do Developers Want from AppSec Training?

Developers want security training that is contextual, integrated into their workflow, and tailored to their roles and responsibilities.

This webinar brought together experts from across the development and security spectrum to discuss how organizations can make application security (AppSec) training truly valuable for developers. The discussion revealed a common theme: effective AppSec training isn’t about checking a compliance box — it’s about embedding security into culture, process, and daily work.

Why Developers Struggle with Traditional Security Training

Traditional AppSec training often lacks context, is too generic, and feels disconnected from real developer challenges.

Key Issues Identified:

  • Irrelevant Examples: Web-centric training doesn’t resonate with firmware or hardware developers.

  • Late-stage Learning: Training often occurs too late, after bugs are found, not during design or implementation.

  • One-size-fits-all Fails: Uniform training programs overlook the diversity in developer roles and learning styles.

  • Compliance-driven Content: Mandated training is often too focused on ticking boxes rather than enabling learning.

When and How Developers Prefer to Learn

Developers prefer to learn about security during architecture, design, and implementation, not as an afterthought.

Preferred Learning Moments:

  • During coding and implementation

  • During the architecture and design phases

  • After threat modeling, not just after bug reports

Ideal time for security learning, by developer role:

  • Architect: during system design

  • Coder: during implementation

  • Tester: during validation or post-deployment

Embedding Security into Development Culture

Security must be part of the engineering DNA, not an add-on.

To move beyond reactive, checkbox training, organizations need to:

  • Integrate security into development standards and lifecycle practices

  • Establish security champions within teams who understand both the product and the security context

  • Design role-specific, context-aware training modules

  • Enable developers with vetted, secure, reusable components

From Training to Continuous Learning

Security knowledge should be continuously reinforced through team practices and embedded learning.

Recommendations:

  • Use real-world incidents and bug bounty data to inform relevant training

  • Offer modular, just-in-time learning paths rather than long annual courses

  • Facilitate code reviews and pair programming to reinforce secure coding practices

  • Leverage Slack channels, GitHub tagging, and office hours for real-time support

Challenges with Mandated Training

Mandatory training satisfies customers and compliance, but doesn’t always lead to real behavioral change.

Compliance driver and its real-world impact:

  • Mandatory training: often ignored or gamed

  • Questionnaire checkboxes: drive surface-level investment

  • Uniform content: doesn't address team-specific needs

Security teams often face pressure to enforce mandatory training to satisfy client audits and regulatory reviews. While necessary, this approach must be supplemented with more adaptive, practical methods.

Final Takeaways for AppSec Leaders

To be effective, AppSec training must evolve into a continuous, context-rich learning experience embedded within the SDLC.

Key Action Points:

  • Tailor training by role, domain, and development environment (e.g., firmware vs. web)

  • Reward curiosity and hands-on experimentation

  • Make security visible but seamless — part of product requirements and design discussions

  • Respect developer time and create minimal-friction, maximum-impact interventions