It all started …

For many years, we did lots of penetration testing (white-box or black-box) across medium size startups to Fortune 500 enterprises. We realised often that our pen-test reports do not solve these firms security problems. In fact their biggest security problem was not related to the design nor implementation of their programs. The root cause was something else.

A wrong culture and approach to security that did not encourage their engineering teams to actively look into eliminating security bugs. Instead they saw the security bug reports as an additional burden to deal with.

We changed our approach

We worked with our customers to solve these issues. We first listen to their concerns from the product owner to software testers.

We soon found out how much we, the security crowd, did not understand engineers and that there is a big gap between what we push for and what they care about. We worked to get this addressed through security awareness sessions, internal hack-your-software and Capture The Flag events.

Our training courses emerged

We put together real pen-test findings into a training course. Examples were taken from the programs that developers themselves had developed. We did not make another security course to turn every developer into a hacker! Instead we designed a course that teaches defensive design-patterns and security principles.

Our course talked the developer's language and gave them first-hand experience to see the severity of security vulnerabilities within their own program.

We had amazing results

We received excellent feedback. Developers were able to use their learnings in their day-to-day work. They loved the fact that our course helped them to develop a better designed software and security is implicitly taken care of. ❤️

The cultural transformation was awesome. Almost after each training courses, the internal security team received notification of security bugs discovered and patched by their engineers!