Adaptive AppSec Learning for Developers: The Advantages that Organisations Just Can't Afford to Ignore

Ever heard of a pilot who flew a real plane after merely reading about it in a manual?

Or a chef in a five star restaurant who served real customers after only reviewing a couple of recipe books?

Or a professional musician who gave a real performance after simply memorizing some musical compositions?

Adaptive Learning

No pilot, chef or musician can develop professional competence – let alone brilliance – by memorising theory or going through classroom training. They need to experience the process of learning through practice to truly internalise the foundation laid down in the necessary textbooks. They need to be guided through the real challenges faced: how to gain control of a plane stalling mid-air; how to slice and dice vegetables in a high speed kitchen and not overcook the crème brûlée; or how to work through overcoming stage fright in front of smaller audiences before playing to a thousand faces in a crowd. Bottomline, they need this hands-on, tangible experience to meet professional challenges in the real world.

This is equally true of software developers who are learning secure coding. To become proficient, they need hands-on practice at every level of their learning journey – from how to identify the most prevalent security issues, to how to remediate them. And to further strengthen their preparation for, and maintain up to date capacity in programming in this fast-moving modern world, they will go much faster and longer with learning that is adaptive.

What is Adaptive Learning?

Simply put, adaptive learning is learning that adapts to the student. As opposed to a broad-based, ‘one-size-fits-all’ approach, adaptive learning is meticulously tailored to the needs and preferences of each individual learner. With adaptive learning, delivered through computer-based technology, developers can access learning modules adapted to their knowledge levels, prior performance, selection of tools, working environment, and preferred ways of learning.

A key aspect of adaptive learning is feedback. The technology uses algorithms to accustom itself to the learner’s needs based on their responses to specific tasks or questions. This feedback loop drives future lessons and enables the learner to continually, and efficiently, improve.

What is Adaptive AppSec Learning?

As the modern threat landscape evolves and expands, it’s absolutely crucial that organisations train their developers in defensive programming methodologies and best practices. Defensive programming is a critical approach wherein a programmer thinks ahead about possible risks in the future and adjusts (read ‘improves’) their code with remediations today. When developers know in advance what to look and test for during the development phase, they’re more likely to spot potential security concerns much earlier. Due to this proactive approach, the number of security defects that can potentially be introduced during the following phases of development can be significantly reduced. At a broader level, defensive programming is a powerful, and proven, way for organisations to stay a few steps ahead of bad actors and ensure their survival even in the face of threats from these entities.

However, these benefits of defensive programming cannot be fully leveraged with a one-size-fits-all, generic AppSec training programme. What developers need to be truly prepared for the security challenges in the real world is defensive programming that is also adaptive and tailored to them as individuals.

The Benefits of Adaptive AppSec Learning Over Traditional AppSec Learning

For as long as software and hardware developers have been around, bad actors and security issues have been around as well. So naturally, AppSec training is not a new phenomenon. However, a lot of organisations are still stuck in the old – aka ‘traditional’ – ways of delivering AppSec training to their developers. This is problematic for many reasons.

First, traditional AppSec training does not take into account developers’ individual skills, background, or experiences. Based on these elements, as well as their specific job role and the technology they work with, every developer has unique AppSec Training needs. Often, a senior developer with several years’ experience is given the same training as a fresh developer with little to no real-world development experience. As a result, the former is unable to improve his skills or broaden his knowledge, while the latter struggles to get through the training that may be above his level of understanding. However, creating a tailored curriculum that delivers powerful learning outcomes while also incorporating these differences is usually difficult and time-consuming, not to mention expensive.

Second, the content in a traditional AppSec training programme is rarely engaging and frequently outdated. Elements like multiple choice question (MCQ) quizzes, slideshows, videos and code examples don’t accurately replicate real-world, current security issues. Moreover, the ‘hands-on’ practice required to effectively deal with today’s technological complexity in the real world is frequently missing in these programmes. Therefore, trainees are unable to effectively approach real security challenges which they often face when they get back on the job.

Adaptive AppSec learning successfully addresses all these problems. Since it adapts to the learner, it can deliver ‘custom’ learning experiences that match an individual developer’s unique needs and objectives through:

  • Individualised content and resources
  • Customised and differentiated learning pathways
  • Updated examples and hands-on practice
  • Real-time feedback

How SecureFlag Delivers Adaptive AppSec Training for Developers

SecureFlag delivers on-demand Adaptive AppSec Learning through individualised ‘learning paths’. These paths align developer’s skills and knowledge to the company’s mission, and are based in training modules that adapt to previous results and goals.

Each module is fully remote and 100% hands-on. No generic videos or multiple choice quizzes – each trainee gets access to learning that is tailored to him/her, and him/her alone.

With SecureFlag’s Adaptive AppSec Learning, developers learn how to identify and remediate the code of vulnerable applications running in a real, fully-configured Integrated Development Environment (IDE). The IDE, which can be easily accessed through a familiar web browser, offers a highly immersive learning environment for enhanced engagement and robust learning.

The platform’s intelligent engine can live-test code changes, instantly displaying to the learner whether the code has been fixed. It also awards points upon exercise completion, ensuring that their motivation levels remain high so they keep learning and improving.

Built-in analytics – which are provided at user, team, and organisation levels – enable managers to view the performance metrics for each developer in the company, gauge their competence, and take remedial actions, if necessary.

Metrics allow a number properties to be measured for each exercise vulnerability category, programming language, and difficulty level:

  • Competency: competence points acquired out of the total number of points available for the exercises performed
  • Accuracy: number of times an exercise is performed before being solved
  • Steps to Solution: average attempts to reach the correct code solution within an exercise
  • Run: number of performed exercises
  • Average Time: average time spent per exercise
  • Total Time: total time spent per exercise


By collecting metrics during every training session, SecureFlag tells you exactly where the risks lie in your development team. For instance, metrics may indicate that some developers are not proficient in defensive programming against SQL injections. To address this issue, SecureFlag automatically shifts the focus of the training to those developers, in that SQLi knowledge are, in order to remediate the issue with maximum efficiency.

With SecureFlag’s Adaptive AppSec Learning, organisations can effortlessly implement iterative and individualised training to fill competence gaps and thus ensure that they have the most skilled and knowledgeable developers in their workforce.

Security starts with the first keystroke - for more information about SecureFlag’s Adaptive AppSec Training programme, talk to an authorised SecureFlag representative today.