Finally, Application Security Training for Developers, by Devs


Developers are busy. Ain’t nobody got time for “security training” which will likely involve a cartoon man wearing sunglasses and a hat, skulking around doing nefarious-looking things with computers.

Devs have code to write and jobs to keep. Unless it makes them better at their actual career, why bother?

If they absolutely must take mandatory training, odds are high they’ll launch the program and leave it running in the background while they go about their day job.

Apparently one or two devs might be doing this because 83% of apps contain a security flaw.

Application Security Training for Developers

Kontra, by Thrive DX takes a different approach; it’s application security training for developers, by developers.

Gyan Chawdhary was one of those jaded devs who couldn’t be bothered. But being a developer himself, he understood there was a way to reach the dev community and impart actual value.

From the ground up, he instilled five core principles within Kontra to make security application training relevant and useful to developers.

1. Make it Better, Make it Believable

Some version of “this is cheesy,” “we already know this” and “not a thing that would happen in real life” have been overheard somewhere during security awareness training.

While most employees understand they are the weak link cyber-wise, not every employee knows what to do with this information. They have heard lots of fear mongering, but far fewer solutions.

Tell them what they don’t already know. Communicate something of value. Instead of sowing fear, uncertainty and doubt, practice empathy and understanding for the position they are in. Show vision for what they are likely to encounter. 

In other words, make your security awareness training believable and inspired by real-life attacks. Use actual web pages they are likely to run across in your examples.

SQL injection attacks don’t happen on login pages, but they might happen in checkout pages. They are even more likely to happen in random, semi-arcane places.

Use these as your examples, so that your audience knows that you know what you’re talking about. Teach them to identify, disable, and quarantine attacks before they become expensive problems.

For example, ThriveDX recently acquired Kontra which provides application security training aimed squarely at developers.

Whereas normally developers find bugs and report them, Kontra instead teaches them how to identify and fix security vulnerabilities and other bugs in real time, saving four or more weeks on the next rev.

2. Practice Radical Candor

Acknowledge up front that security training is nobody’s first choice in time management. We get it.

At the same time, people generally agree that having jobs is a good thing. If a company falls victim to ransomware, one person’s carelessness could end up costing dozens of people their careers, if not the business itself.

So of course, security awareness training is going to be mandatory. Let’s make the most of it, shall we? 

3. One Size Does Not Fit All

Not all employees are equal. Some are more likely to be attacked than others.

Specifically, people with privileged access to sensitive data are much likelier to be targeted. Your training should account for these human heightened risks by separating them off from the group and walking them through more intensive training, preparing them for likely scenarios they might encounter. 

4. Tighten It Up

Why spend 20 minutes making a point you can convey in five? Developers are usually the smartest people in the room so don’t underestimate them.

Approach training like it’s not their first day with a computer and an internet connection. By now most folks have a general understanding of what threats await them after making bonehead decisions online. What they do not have a lot of is time.

Gyan Chawdhary is founder and CEO of Kontra, which he calls Application Security Training by developers, for developers.

“Nobody has time for security training…least of all, developers,” said Chawdhary. “That’s why one of our key differentiators is that every part of our training runs five minutes, max.” 

5. Tell a Story

In addition to showing an attack and how to fix it, include a narrative. Tell an interactive story of real-life attacks.

Many devs are curious as to how attackers found this bug in the first place.

  • What tools did they use?
  • What code were they looking for?
  • How did this security vulnerability come to be discovered?


Kontra shows them this back story and walks them through the steps from the perspective of a cybercriminal. It shows them a hacker’s tricks. Square that circle, and good code follows. 

6. Scale your content by integrating with other LMS software

All too often both security awareness training and application security training are standalone courses sitting outside of a company’s Learning Management Software (LMS). This effectively means you can assign training without enforcing any compliance.

If developers are writing code while AppSec Training runs in the background, how would you know, and what could you even do about it? 

The other problem is many times security training will force companies to adopt their LMS systems, in order to give the companies visibility into employee compliance. This presents several problems.

First of all, why would a developer want to login to yet another system in addition to their own LMS to complete training? This also gets at the fact that many enterprise LMS systems are much more sophisticated and complex than anything offered by cybersecurity training.

While an organization might gain some enforcement and compliance capabilities, they’ll more than lose in overall functionality. 

Summary: Application Security Training for Developers, by Developers

Application security is important. Developers’ time is valuable. Why not combine these two realities into one useful training?

Unlike other AppSec programs, Kontra’s application security training for developers is jam-packed with challenging but yet teachable real-life scenarios that will integrate security best practices into your code from the bottom-up.  It’s a win-win for all parties.

For more information on ThriveDX’s enterprise security training programs, please visit us at

Digital Skills Training and EdTech Solutions | ThriveDX

Gyan Chawdhary is the Founder and CEO of Kontra Application Security (acquired by ThriveDX’s Enterprise Division). Previously, Gyan founded and invented Codebashing, the industry’s first interactive application security training solution, which was acquired by Checkmarx in 2018.

Protect Your Organization from Phishing


Explore More Resources

With cyber threats increasing daily, entry-level cybersecurity roles can be critical to maintaining enterprise
Elevate cybersecurity education: explore Cybersecurity Apprenticeship Program for hands-on learning and job opportunities.
A diverse and inclusive team is important for identifying risks and vulnerabilities and developing
Addressing the cybersecurity industry's diversity and skills gap - tackle both issues simultaneously and

Your Trusted Source for Cyber Education

Sign up for ThriveDX's quarterly newsletter to receive information on the latest cybersecurity trends, expert takes, security news, and free resources.

Let’s Talk

Download Syllabus

Apprenticeship Program

Apprenticeship Program

Let’s Talk

This is the heading

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Get Your Free Trial

Access our Free OWASP Top 10 for Web

Enter your information below to join our referral program and gain FREE access for 14 days

Follow the steps below to get FREE access to our OWASP top 10 for Web course for 14 days

  1. Simply copy the LinkedIn message below
  2. Post the message on your LinkedIn profile
  3. We will contact you as soon as possible on LinkedIn and send you an invite to access our OWASP Top 10 for Web course


Make sure you confirm the tag @ThriveDX Enterprise after pasting the text below in your LinkedIn to avoid delays in getting access to the course.

Ready to Share?

Take me to now >

Contact ThriveDX Partnerships

[forminator_form id=”10629″]
Skip to content