YoVDO

Can AppSec Training Really Make Developers Security-Smart?

Offered By: OWASP Foundation via YouTube

Tags

Application Security Courses, Software Development Courses, Cybersecurity Courses, Risk Management Courses, Security Awareness Courses

Course Description

Overview

Explore the effectiveness of AppSec training for developers in this 33-minute OWASP Foundation conference talk. Dive into the results of a yearlong survey of nearly 1,000 software developers, assessing their application security knowledge before and after formal training. Examine the survey methodology, which includes developers from various backgrounds and industries, and discover the surprising findings from a "retest" of a subset of respondents. Learn about the gap between security awareness and prescriptive knowledge, the impact of sample fatigue, and unexpected results from technology companies. Gain insights into how developers learn, the importance of asynchronous learning, and the role of incentives in security training. Understand the implications of these findings for application risk managers and those relying on training as part of their application security strategy.

Syllabus

Introduction
Denim Group
Bruce Schneier
AppSec vs Developer Training
Training is one of those sacred cows
Background on the project
Lack of workforce analytics
Research
Have You Had Any Training
How We Did It
Three Big hypotheses
Sample questions
prescriptive questions
results
gap between awareness and prescriptive
sample fatigue
weird results
technology companies
no prior secure coding
How Developers Learn
Asynchronous Learning
Don't Ignore the Basics
Incentives Matter
Conclusions
What's next


Taught by

OWASP Foundation

Related Courses

Computer Security
Stanford University via Coursera
Cryptography II
Stanford University via Coursera
Malicious Software and its Underground Economy: Two Sides to Every Story
University of London International Programmes via Coursera
Building an Information Risk Management Toolkit
University of Washington via Coursera
Introduction to Cybersecurity
National Cybersecurity Institute at Excelsior College via Canvas Network