Cyber Defense Magazine – July 2019

(Sean Pound) #1

attacks. Unfortunately, proper training has been lax, owing to inappropriate and ineffective training
methods, a lack of follow-up, and a dearth of qualified mentors. The availability of application security
training is scarce. Even in universities teaching computer science, security is an optional course at best.


Within companies, developers are typically trained in writing secure code through an annual or semi-annual presentation covering the OWASP Top 10. Such presentations, however, have limited impact, since people are unable to fully internalize and understand the security issues and to avoid the problems in practice.


The need for interactive learning


Research has shown that with passive learning (reading, hearing, watching) most people only remember
10 - 30% of the content 2 weeks later, whereas they remember close to 90% through active learning, or
doing it yourself [5]. Barring proper training, developers will continue to write insecure code, which can
be costly for a business when vulnerable code gets exploited resulting in a massive data breach.


Companies have the option of organizing an internal seminar, with the caveat that it has to be held multiple times to get full participation, as projects, vacations, travelling, and other priorities override people's attendance. This involves a lot of planning and requires a budget, which results in these seminars being few and far between, meaning that new employees deliver a lot of code to production before getting any security training at all. Alternatively, companies send people to external security seminars, which often results in only a handful of developers attending, leaving the rest without any training.


Why hands-on security training


We learned through our sister company, Syndis, just how important it is for security training to be interactive. Syndis offered secure coding training in the form of an annual lecture with slides that covered the OWASP Top 10, but they soon learned that this is not the optimal way to get the message through and therefore created a more hands-on alternative training tool. That tool turned into Adversary, and that's how our product and company were born.


We also learned how important it is for those writing code to understand how a hacker thinks. Only by understanding one's opponent can you effectively protect against them. That's why users of the Adversary platform complete missions based on real-life hacking scenarios. Their task is to hack into various virtual websites while at the same time learning about common vulnerabilities such as the OWASP Top 10 and how to avoid making the same mistakes themselves. We all know that we learn more when we have fun in the process, and our mission is to make security training as fun, and therefore as effective, as possible.
