AppSec training is widely mandated but often undervalued by organizations despite clear benefits for developers and businesses alike.
This webinar explored findings from Security Compass’ survey across developers in the US, Canada, and the UK, shedding light on real developer sentiment toward application security training — what’s working, what isn’t, and what companies can do better.
Why Do Organizations Mandate AppSec Training?
Most companies require AppSec training due to compliance or internal policies, not always because they value its impact.
- 81% of companies in the study mandate training.
- 75% of respondents reported that their AppSec training was mandatory to meet compliance.
- Larger organizations (1,000–5,000 developers) nearly universally enforce it to support secure-by-design initiatives.
However, this mandate-based approach often prioritizes checking a box over meaningful learning outcomes.
Are Developers Learning Security in School?
Most developers learn AppSec on the job, not during formal education.
- University programs still rarely include comprehensive AppSec training.
- Developers often enter the workforce aware of terms like SQL injection but lack broader security skills.
- Companies are expected to fill this gap through in-house training.
This raises concerns about how prepared entry-level developers are to write secure code from day one.
What Motivates Developers to Embrace AppSec Training?
Developers value training for its personal and professional benefits, not just because it’s mandatory.
Top reasons developers pursue AppSec accreditations:
- Career growth (raises/promotions).
- Job performance improvement.
- Ease of doing secure development.
Interestingly, ISC2 accreditations (e.g., CISSP) were rated as highly valuable, with nearly 90% of respondents viewing them as “very” or “extremely” beneficial.
When Is the Best Time to Deliver AppSec Training?
Just-in-time training, delivered close to when a developer needs it, is the most effective.
| Timing | Developer Preference |
|---|---|
| During cloud configuration | High |
| At the start of new requirements | High |
| Set time of year (e.g., Oct) | Common but suboptimal |
Intensive training once a year leads to knowledge decay. Developers retain information better when it’s contextual and timely.
How Do Developers Prefer to Learn?
No single training method dominates — a mix of formats helps reinforce learning.
| Training Method | Popularity |
|---|---|
| Instructor-led | Most used |
| Online self-paced courses | Common |
| Hands-on labs/quizzes | Reinforcing |
| Company-funded resources | Standard |
Organizations should offer multiple formats to match diverse learning styles and reinforce secure coding principles effectively.
Common Frustrations with AppSec Training
Outdated content and lack of relevance to specific technologies or regulations are top developer complaints.
Top pain points:
- Training not aligned with regulations
- Content not up-to-date
- No integration with HR systems for automation
- Lack of role-specific or tech-specific examples
These frustrations highlight the need for targeted, modernized training solutions that go beyond checkbox compliance.
Is AppSec Training a Budget Priority?
Despite macroeconomic pressures, most companies are maintaining or increasing AppSec training budgets.
| Budget Outlook | % of Companies |
|---|---|
| Increasing | ~75% |
| Staying the same | Remaining % |
| Decreasing | 0% |
Organizations driven by compliance are more likely to increase their budgets. This suggests a growing understanding of the ROI of AppSec training.
What Standards Are Guiding AppSec Practices?
ISO 27001 and SOC 2 dominate, but BSIMM and OpenSAMM are gaining traction for secure SDLC maturity.
| Standard | Use Case |
|---|---|
| ISO 27001 | Broad security framework |
| SOC 2 | Customer trust, SaaS providers |
| BSIMM/OpenSAMM | Software security maturity models |
Over 50% of respondents use BSIMM or OpenSAMM, showing growing awareness of software-specific frameworks beyond generic cybersecurity standards.
How Is AI Impacting AppSec Frameworks?
There’s no gold standard yet — but OWASP AI Top 10 is emerging as a tactical reference.
- Organizations are exploring various frameworks to assess AI risk.
- ISO and NIST may become de facto standards in time.
- Adoption remains fragmented due to the rapid pace of AI change.
The lack of consistency underscores the need for evolving best practices around AI in secure development.
How Do You Measure AppSec Training Success?
Completion rates, accreditations, and reduced risk exposure are key indicators of program effectiveness.
- Track who completes training and whether they retain knowledge.
- Certifications such as those from ISC2 offer external proof of skills.
- Fewer vulnerabilities over time may signal an improved security posture.
Compliance and defensibility are also growing concerns, especially with new EU regulations around software liability on the horizon.
What Do Mature AppSec Programs Have in Common?
They align training with frameworks, invest in resources, and track outcomes rigorously.
Common traits:
- Adoption of standards (e.g., BSIMM, ISO 27001)
- Budget allocation for training and tooling
- Security champions programs
- Training integrated into the SDLC
- Metrics and audits to show defensibility
Less mature programs often rely on voluntary training, offer fewer resources, and treat AppSec as an afterthought.
Final Takeaway: Make the Business Case for AppSec Training
To protect the budget and drive buy-in, align AppSec training with risk reduction, compliance, and industry norms.
- Use research data to show that peers are increasing budgets.
- Highlight legal trends, like EU product liability shifts.
- Emphasize training’s dual benefits: better code and career growth.
In a world of growing threats, AppSec training is not optional — it’s foundational.