Companies that provide information services typically store a lot of user or client data, making the security of their applications a number one priority. Our client, one of the world’s biggest names in information services and software solutions, was already training their development teams in security for years now. But the company’s security task force still felt their training programs weren’t nearly as effective as they ought to have been. Something important was missing.
The client had product teams spread out across the world, with people in the USA, Europe, the UK, South East Asia, India and Australia. Any training programs they delivered would have to be virtual. But there was an issue: fewer and fewer people were attending instructor-led programs. Even though security training was mandatory for teams to complete, people were simply skipping it.
After asking the teams for some feedback, there were some common pain points they discovered:
The company’s security task force saw that we45 was presenting at the OWASP AppSec EU conferences and heard extremely positive reviews about the training programs we’d conducted there. In our initial conversations with them, we saw that the company’s training needs were across a variety of disparate subjects.
They needed training in Threat Modelling, Advanced AppSec, Advanced Cloud Security for AWS and Azure, Containers & Kubernetes security and secrets management. Even though we had courses covering all these subjects, we discussed extensively with them to customise our training programs to suit what the client needed. As for our labs and training content, everything was cloud hosted, which made accessing them as simple as loading a web page. This meant way more people found it easy and convenient to participate in training.
Our training programs were met with positive feedback across the board. The company’s teams had great things to say about the content of our courses, the trainers and how we did practical learning with labs.
One of things our courses emphasised was the ‘Purple Team’ (Attack + Defence) approach, something the majority of training programs weren’t doing. Every offensive scenario we portrayed was countered with a defensive strategy, as a way for the attendees to visualise how they’d find and fix vulnerabilities in a real-world environment. This was instrumental in getting their teams to better understand attack surfaces and vectors, as well as effective remediation practices.
Since we began training the company in 2019, we’ve conducted 15 programs for their security and development teams around the world. With the help of our programs, the company’s task force have made major improvements to their threat modelling process, AWS & Azure cloud security controls, and building Container and Kubernetes-specific security controls.