The cost of security breaches are skyrocketing, bug bounty programs are getting expensive, cybersecurity professionals are difficult to find, and developers don’t want to take security training or they’re “too busy” working on new features. And to top it off, society is becoming more and more reliant on this technology that untrained developers are building.
It’s 2018. We’ve had interactive platforms for learning how to write software for many years now (thanks Codecademy!), and we think it's time to reinvent security training in the same way.
It’s pretty simple - today’s security training isn’t good enough. Here are some of the problems we are solving.
Developers Don’t Want to Take Training
HackEDU training is different in that it focuses on offensive security which is both more interesting than defensive only training and uses developer’s interest in problem solving.
To create additional incentives we can set up awards for developers. With our platform you can create a contest so that developers can win money/prizes. Developers take all of the lessons so they are prepared for the competition.
We are confident in our training - if a developer takes fewer than 3 lessons, we’re happy to refund their seat.
Videos Are Not Engaging
Developers are tinkerers. They don’t learn by watching videos, they learn through experimentation. Drop off rates in with popular security training videos are around 83% - far less than our interactive training.
Developers are Busy Working on Product Features
We’ve all been here, and it’s true. Developers are busy and your company needs to keep releasing new features and supporting your current products.
This is going to be true this quarter, and in Q2, and Q3. This is today’s reality - your developers are busy.
But this is the point - you need your developers to be efficient, which means they need to understand how to develop secure code. The earlier vulnerabilities are found in the development life cycle, the cheaper and faster they are to fix. You don’t want your developers releasing code with the same vulnerabilities over and over again and have to wait for your security team to find and fix them. A "secure at the source" approach to development had a fourfold return on application security investments (the Aberdeen Group).
Data breaches are expensive. You lose consumer trust, pay for lawsuits, scramble to fix bugs - the list goes on. In fact, the average data breach cost companies $3.5M.
Defensive Solutions Are Not Effective
We have found that when developers understand how an attacker thinks about approaching their application it is much more effective for reducing the number of vulnerabilities than traditional defensive training. Developers learn the common security pitfalls much more quickly and can secure code more effectively.
When security teams are tasked with finding and fixing vulnerabilities without developer support, this leads to a significant gap between developers and the security team.
There is a Gap Between Developers and Security
In many organizations, it doesn’t feel like developers and security are on the same team.
Security understands the risks of deploying vulnerable code, but developers are under extreme pressure to release new features and view security as restrictions or red tape that is slowing them down.
The key to closing this gap is:
- Getting engineers to properly understand risks
- Transitioning security ownership to the engineering team
- Building engineers excitement about security
Setting up Environments for Security Training is Complex
Sure, Virtual Machines (VMs) are available to practice application security techniques. But if you’re a Security Engineer trying to organize training for your company, you have to try to get your entire team set up in an environment where you have access to these VMs, or get them to run the VMs locally. Developers have to set up proxies and other tools, and it ends up being a massive time commitment, just for the setup.
HackEDU’s platform makes it so you can skip the entire environment setup process and jump right into the hands-on training.
Setting Up Internal Security Training Takes a Long Time
We’ve spent thousands of hours building tools and content to train engineering teams.
You can think about us as an extension to your security team. We’ll be the ones dedicated to creating great content on an awesome platform that fits your organization’s needs. We’ll work with you to customize the training to your needs.