Developer Security Training Cadence
Annual baseline plus monthly micro-training, quarterly phishing simulations and role-specific tracks. The cadence and content of each.
Annual training
OWASP Top 10. Common vulnerabilities every engineer should recognise.
Company-specific incidents. Real examples from our history; concrete.
Required; tracked; certified.
Monthly micro-training
Short content: 5-10 minutes per month. Current threats, recent vulnerabilities.
Newsletter or short videos. Doesn't disrupt the work day.
Compounding: monthly exposure keeps security top-of-mind.
Phishing simulations
Quarterly simulated phishing. Engineers report suspected phishing; anyone who clicks or enters credentials gets additional training.
Don't punish; train. Punishment culture drives reporting underground.
Track click-through rate and report rate over time. Clicks should fall and reports rise; compare campaigns of similar lure difficulty so the trend isn't an artefact of easier emails.
Specialised training
Frontend engineers: XSS, CSRF, CORS misconfiguration.
Backend engineers: SQL injection, SSRF, authentication and authorisation flaws.
Security champions: deeper training; act as the first-line security resource within their own team.