Security Experts:

Connect with us

Hi, what are you looking for?


Training & Awareness

SAFECode Launches Free Software Security Training Courses

Non-profit organization SAFECode unveiled a series of new training modules to help enterprises train software developers in-house to write secure code.

Non-profit organization SAFECode unveiled a series of new training modules to help enterprises train software developers in-house to write secure code.

The free software security training program from the Software Assurance Forum for Excellence in Code (SAFECode) will help developers learn security principles and methods to write more secure applications, the organization said Tuesday. SAFECode’s training modules are not intended to compete with certification programs offered by organizations such as ISC2, but will address gaps in security engineering knowledge among software developers, SAFECode said.

“The lack of security engineering awareness and education among the software engineering workforce can be a significant obstacle to organizations working to implement software security programs,” Howard A. Schmidt, executive director of SAFECode and former White House cyber-security coordinator, said in a statement.

Software Security TrainingRecent reports from WhiteHat Security, Cenzic, and Veracode highlighted the challenge organizations face developing secure applications. Cenzi’s 2013 Application Vulnerability Trends Report found that 99 percent of applications one or more vulnerabilities, and the median number of vulnerabilities was 13. Veracode’s recent State of Software Security report found that 87 percent of applications did not meet OWASP Top 10 compliance on the first try.

Many of those same applications also fail the SANS Top 25 and frequently do not comply with internal policies, Veracode found. Many of the flaws were well-known issues, such as SQL injection and cross-site scripting. WhiteHat Security earlier this month reported that information leakage errors were identified in 55 percent of Websites analyzed by the company’s Sentinel platform. Content spoofing vulnerabilities were found in 33 percent of the sites, and 53 percent had cross-site scripting errors, WhiteHat said in the report.

“Security training is most effective when aligned to an organization’s unique culture and security development process,” but “not every organization has the resources required to develop custom training,” Schmidt said.

On launch, SAFECode’s training courses cover only introductory level topics, such as preventing SQL injection and avoiding cross-site request forgery, but the organization plans to include additional courses on an ongoing basis. The catalog will eventually offer security engineering training courses for all levels. SAFECode will also include resources such as advice on how to implement training programs.

The courses will be delivered via on-demand Webcasts and are designed to be used as building blocks for enterprises interested in creating an in-house training program. Enterprises will also be able to pick and choose the modules relevant to their development environment, Schmidt said. Enterprises can also use SAFECode’s courses to either supplement an existing training program, or build a brand-new one from scratch.

SAFECode’s program is based on training materials used internally at Adobe Systems as part of its software security program. A team of technical contributors from companies which are members of SAFECode reviewed the materials donated by Adobe and added additional elements to ensure the program could be applied across a broad range of development environments.

Brad Arkin, Adobe’s new chief security officer, has been a frequent proponent of increasing the cost of development for malware authors. Adobe’s development team have focused on implementing multiple defensive mechanisms and making sure common software weaknesses are not in Adobe’s code, Arkin told SecurityWeek in an earlier interview. Software will never be perfect, and it isn’t possible to find and fix all bugs, Arkin said.

Adobe’s focus is to address common weaknesses and implement defensive mechanisms that can slow down attackers to increase the chances of detecting the attack in progress, Arkin said. All of these layers of defense drives up the costs for the exploit authors by making it harder to craft an attack, he added.

Visit for more information about the free courses.

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.