Sprint from idea to Application Security course

by Denis Makrushin

First, there was a problem. There was a shortage of application security engineers in the international company where I was working with the product security team to build development processes. With only a few AppSec specialists for thousands of developers, it became increasingly difficult to address identified issues as the pace of production accelerated.

During this time, an obvious idea emerged: in addition to implementing automation, we needed to develop and implement a Security Champions training program – to prepare developers within the company to take responsibility for promoting and strengthening the security culture within their teams. In addition, my colleague had already been through this journey at his company and had created an excellent OWASP playbook.

We developed an internal course that used examples from our own processes and issues to teach developers and engineering managers how to properly handle identified issues. We first conducted the training in our local office and later traveled to Kolkata to train our Indian colleagues.

Then came the realization that the program was working and positively impacting development metrics (significantly speeding up defect triaging). Why not share this experience? We organized and ran the first two-day Security Champion training at the Hack In The Box conference. It was a concentrated mix of practical cases using defect detection tools at various stages of production, an introduction to best practices and understanding the context of their application, with lots of hands-on work. At that moment we had another realization.

Not only do developers want to learn about application security, but there is also a strong interest from information security professionals transitioning from related fields. So the training expanded to include content that bridged both worlds: development and infosec. Ultimately, we created a course as extensive as a full academic semester.

The course became part of the training program for specialists at the National Research Nuclear University, and later became part of the master’s program at the Bauman Moscow State Technical University. Key parts of the course were also included in additional training programs at Skillfactory and other commercial educational platforms.

It’s time to update the Security Champions program, taking into account trends in vulnerability detection and AI-driven automation. And it also needs to be transformed into an intensive program. And it has been updated and transformed. We’ll dive deep into AppSec, build DevSecOps, and learn how to create effective AI prompts.

Now let’s talk numbers:

  • 24 weeks: from initial idea to a fully realized course.
  • 314 slides and 12 studio recording sessions to deliver high-quality content.
  • 8 team members: experts in curriculum development, layout and design, video production, marketing, project coordination, and customer experience.
  • The course now serves as the basis for two master’s programmes in information security and is available to students and alumni of Bauman University and National Research Nuclear University MEPhI (Moscow Engineering Physics Institute).
