Training

Training should be seen as a tool to empower individuals at the organization to make the right decisions.

  • Vulnerable by design runthroughs
  • Run a brown bag session within the organization
  • Real world examples of internal security incidents
  • Real world examples of external security incidents
  • Capture The Flag exercises (CTFs)

Resources

There are plenty of open source vulnerable-by-design environments available for you to use as a tool to help educate engineering teams on the impact they can have in securing an application. Teaching engineers about different bug classes, attack vectors, and methods can help them understand when they should involve security professionals.

CloudGoat

CloudGoat is a purposefully vulnerable AWS environment that can help operations teams understand mistakes they might be making and grasp the impact of poor practices within infrastructure.

Juice Shop

Juice Shop is a comprehensive open source web application for practicing application security skills and techniques. It simulates an e-commerce application with a range of features that you can exploit and attack. It can help individuals build their skills and knowledge on how an application can be exploited through real world examples.

Secure Code Training

Providing developers with application security training is a key part of the ongoing training you should promote throughout your organization. Here are some resources regarding secure code training.