Your secure coding training program is first and foremost about people. To ensure that you – and they – get the most out of it, make sure you establish a clear communication structure. Unambiguous communication in plain language will bring transparency, and eliminate all doubts about the “what”, “why” and “how”. It will put everyone on the same page with respect to learning goals, pathways and expectations, and positively impact the way developers engage with the program. In the longer term, it will play a role in improving their security maturity and creating a positive security culture across the organization.
To make sure this happens, create a communication plan that incorporates the elements below.
There are plenty of channels you can use to promote and run your AppSec training program, such as:
- Slack/Instant Messaging
- Regular team meetings/town halls
- Company Intranet
- Email
- Newsletters
You can use more than one channel for program communications. In fact, you should! But make sure that the messaging is consistent in terms of content, intent, tone, branding elements, etc. Also set a communication frequency so people don’t feel overwhelmed by the number of messages they receive.
2. Key Messages and Templates
What do you want to say in each communiqué? Well, this is determined by the reason for sending the message, which could be:
- To announce the launch of the program.
- To introduce the training platform.
- To send reminders about tournaments or other events.
- To announce the winners of a particular tournament.
- To celebrate a Herculean performance with a message from company senior management.
- To send program updates.
- To ask for user feedback (e.g., through a survey).
Once you know what kind of messages you will send, you can create templates for each to minimize administrative hassle and maximize reproducibility. You can also decide which channel you will use for each kind of message. For example, a user-feedback message can be sent via email to individual users, while program or winner announcements can be done on the company Intranet.
3. Senders
Avoid crossing wires by determining from the outset who will send which message. Some messages can go out from platform administrators, while others can go out from team managers. The former are best for platform-related updates for the entire developer community. Manager-led messages should only go out to their teams. Executive and leadership messaging is ideal for conveying the importance of promoting a security culture. Such “top-down” messages can also be used to introduce the security program, to announce tournament winners and their rewards, and to communicate the organization’s appreciation of developer participation.
Program Communication Templates
We have taken pains to emphasize the importance of communication throughout the secure coding journey, and for good reason. Cultural shifts are as momentous as they are encompassing, and no matter how good a training platform is, if clear communication underpinning the thirst for change isn’t present, a positive outcome will be more difficult to pull off.
Of course, we appreciate that in the lead-up to implementing a company-wide program, you’re going to have your hands pretty full!
So, with the above in mind, we have crafted a series of email templates that you can copy and paste to save time and spread the word with ease.
Make sure to ask your Customer Success Manager for the Communication Pack, replete with a comprehensive set of templates and editable Posters and Certificates to line the halls on kick-off day.
Dear Colleagues,
Dust off those thinking hats and get ready for a treat because we are commencing a comprehensive training program in which you'll actually enjoy participating. We want to invest in something with measurable benefits for you as individuals and for our company as a whole, and after an extensive search for the right provider, we have joined forces with a company called SecureFlag. Their platform offers hands-on learning through real-world vulnerabilities in a real, fully configured development environment.
Please keep an eye out for the welcome email that will arrive in your inbox within the week. Once your account is activated, you will receive additional information about a tournament that we are arranging to spur things on in a fun, competitive manner. More on this shortly, but safe to say the winning individual and team will walk away with neat swag as well as bragging rights next to the virtual water cooler.
We appreciate that this will constitute an investment of time, and that time is not your most abundant resource. However, this is an investment that will rapidly pay dividends as you – we – generate higher quality, more securely written code. You will develop seriously good skills as you progress through the program, and we will exceed the company risk requirements courtesy of your newly learnt capacities that, in the end, will protect us all. Furthermore, the management team is 100% behind you and this program, and we are ensuring all team leads and department heads are offering the support and time you need to take part in the program.
We strongly encourage you to check out the platform ahead of time so you know what to expect. If you have any questions or concerns, please don't hesitate to contact us.
Dear Colleagues,
It’s not long now until the comprehensive training program we’ve been discussing these last months is finally rolled out for you and your teams to immerse yourselves in. We wanted to invest in something with measurable benefits, something that you could incorporate directly into the work your team is doing and receive immediate results. After an extensive search for the right provider, we joined forces with a company called SecureFlag. Their platform offers hands-on learning in a real, fully configured development environment, using real-world vulnerabilities that have led to recent security breaches. Developers will learn how to identify and fix the code of vulnerable applications.
It’s incredibly important for us as an organisation to instil a secure coding mindset within our development teams, and this cultural shift must begin with you, the management and technical leadership. Again, we chose the platform to assist you with this, as it will help you to:
- Greatly enhance your team’s secure coding skills.
- Improve your team’s efficiency by reducing review/rework time.
- Build relationships within your team through the friendly rivalry of tournaments.
- Discover hidden talents, and identify performance requiring remedial action.
- Guide your team in designing and pursuing a learning path that integrates all of the tools they use day to day. This can be highly personalised.
We appreciate that this will constitute an investment of time and that time is not your most abundant resource. However, we are going all in on this program – and as our deployment frontline, you have the executive, human resource, and training committee’s full support. We strongly encourage you to enjoy a couple of sessions on the platform ahead of time so you know what to expect and what may be best to direct each of your team members to. You will be able to access the platform once you receive the activation link, so please keep an eye out for an email concerning this that should arrive within the week.
If you have any questions or concerns, please don’t hesitate to contact us.
Dear Colleagues,
Start preparing your most robust patches, because you’re about to enter the danger zone! To be a little more specific, this is an introductory email that will quickly acquaint you with what to expect in our upcoming Secure Coding Tournament, hosted by our training provider, SecureFlag.
So, what should you expect?
Well, unlike Tournaments from the days of castles and knights (HR warned us against replicating that anyway), our modern version will enable you to compete against one another for coding supremacy!
Time will be tight, and, whilst in friendly/fierce competition with your peers, you will need to identify, exploit, and fix vulnerabilities as they arise over the duration of the Tournament.
The aim of the game is to have fun… and win… but also have fun… but win as well. Whoever does emerge victorious will surely have songs written about them for years to come, recounting the tales of HTTP Headers and death-defying dances with Deserialization… or cool swag, whichever works for you.
Where: [TO-BE-ADDED]
When: [TO-BE-ADDED]
Please make sure you and everyone in your department is signed up – participation is open and the more people who can join the fun, the better!
Please don’t hesitate to contact us if you require any additional information!
Dear Colleagues,
As exciting as it is to be receiving this email at this very moment, there is something even more exhilarating happening in parallel – the SecureFlag Tournament! Live! Now!
Your colleagues are in the middle of the fight for code supremacy, so if you haven’t already signed up, make sure you’re logged into your SecureFlag account and browse to the Tournament section on the site.
From here, you should see the current Tournament details in the middle of the screen. Click to join!
Please don’t hesitate to contact us if you require any additional information!
Dear Combatants,
We trust you have rested after your courageous displays of coding heroism during the recent SecureFlag Tournament. Some of you finished undamaged, some of you lost your keyboards, but all of you seemed to have a fantastic time in friendly competition with peers, which was truly wonderful to witness.
Managing security is an adversarial endeavour by nature; a secure state is one that attackers are constantly seeking to overcome, and your environment doesn’t do you any favours as it continuously shifts the goalposts. New exploits arise daily, implementations fail, colleagues working on code libraries come and they go, and Time to Prod keeps beating the drum… it should be obvious by now that there is, of course, a very practical rationalization behind the application of Secure Coding Tournaments.
Tournaments are the perfect way to test what you’ve learnt throughout your hands-on challenges, pitting you in a (friendly!) adversarial, time-limited environment, so you can learn that crucial skill of ‘stay calm and keep coding’ under pressure. Just as there are drills in the military to prepare troops for the real thing, so too are there Tournaments in cyber!
Practically, these exercises also furnish management with metrics that allow them to direct their resources and support where it’s most needed. The following highlights the areas in which you excelled, and conversely, those areas that you found more challenging.
- [VULNERABILITY] – Exceptional
- [VULNERABILITY] – Very Good
- [VULNERABILITY] – Needs Improvement
- [LANGUAGE] – Exceptional
- [LANGUAGE] – Very Good
- [LANGUAGE] – Needs Improvement
We have already compiled the next set of exercises based on the above. This feedback loop is designed to help you get the most from the training process.
If you have any questions, please don’t hesitate to contact us.
Dear Colleagues,
Firstly, a heartfelt congratulations for your continued progress! We are immensely proud to be part of your secure-coding journey, and seeing participants grow month by month is why we do what we do.
The following progress report highlights the areas in which you excelled, and conversely, those areas that you found more challenging.
- [VULNERABILITY] – Exceptional
- [VULNERABILITY] – Very Good
- [VULNERABILITY] – Needs Improvement
- [LANGUAGE] – Exceptional
- [LANGUAGE] – Very Good
- [LANGUAGE] – Needs Improvement
The Secure Coding Program is fully integrated, and we have already compiled the next set of exercises based on the above. This feedback loop is designed to help you get the most from the training process.
If you have any questions, please don’t hesitate to contact us.
Templates To Nudge Users
Hi Everyone,
This is just a friendly reminder that you have access to SecureFlag's state-of-the-art Secure Coding Training Labs.
SecureFlag labs are the perfect starting point for all aspiring developers seeking training on how to write secure code.
SecureFlag labs provide access to everything you need in a dedicated development environment with the click of a button.
The labs are 100% hands-on, provide real-time feedback, and are tailored to each technology stack's requirements.
The Secure Coding Program is an initiative the Organisation has undertaken to strengthen our defence while nurturing a culture of secure coding.
Completing your assigned training will help you and your team develop safer code, thus reducing security issues and the time needed to fix them.
Hi Everyone,
This is just a friendly reminder that your team members have access to SecureFlag's state-of-the-art Secure Coding Training Labs.
Every developer should be aware of the importance of security.
Using SecureFlag, Developers will learn how to identify and fix the code of vulnerable applications. The labs are 100% hands-on, provide real-time feedback, and are tailored to each technology stack's requirements.
Help your team build a better foundation of secure coding habits by following up on their training progress, hosting secure coding events such as tournaments, or by simply having a conversation about secure coding.
These simple steps help nurture a healthy cyber savvy culture where teams develop safer code, reduce security issues and increase productivity.

SecureFlag offers monitoring licences at no cost for Team Managers who want to monitor their team's progress but not run labs.
Hi Everyone,
This is just a friendly reminder that your team members have access to SecureFlag's state-of-the-art Secure Coding Training Labs.
Every developer should be aware of the importance of security.
Using SecureFlag, Developers will learn how to identify and fix the code of vulnerable applications. The labs are 100% hands-on, provide real-time feedback, and are tailored to each technology stack's requirements.
Help your team build a better foundation of secure coding habits by following up on their training progress, hosting secure coding events such as tournaments, or by simply having a conversation about secure coding.
These simple steps help nurture a healthy cyber savvy culture where teams develop safer code, reduce security issues and increase productivity.
Get in touch with {Program Manager} for any further questions and for a Team Manager account on SecureFlag.
Hi Everyone,
It’s incredibly important for us as an organisation to instil a secure coding mindset within our development teams, and this cultural shift must begin with you, the management and technical leadership.
We chose SecureFlag to assist you with this.
To get the ball rolling, we are organising a 30-minute quarterly meeting with the SecureFlag team to kick off training for developers yet to begin their secure coding journey, assign focused training for seasoned coders, and monitor the overall program together.
We appreciate that this will constitute an investment of time and that time is not your most abundant resource. However, we are going all in on this program – and as our deployment frontline, you have the executive, human resource, and training committee’s full support. We strongly encourage you to attend these sessions.
Please let me know which of the below timeslots would work for everyone.