DayOne.FM

Fix the Flag: Rethinking Secure Code Training with Pedram Hayati

11 Sep 2025

Description

Episode Summary

CTFs are fun, but do they actually make developers write more secure code? In this episode of Secured, Cole Cornford is joined by Pedram Hayati (Founder of SecDim & SecTalks) to explore why most developer security training fails, and how SecDim’s “Fix the Flag” approach is changing the game.

From contrived WebGoat-style examples to frameworks that quietly eradicate entire bug classes, Cole and Pedram dive deep into the intersection of AppSec and software engineering. They unpack why developer experience is non-negotiable, why security needs to borrow design patterns from engineering, and how real-world incidents (like GitHub’s mass assignment bug or the Optus breach) make concepts stick far better than acronyms like “XSS” or “SSTI.”

This is a technical, opinionated episode for anyone who’s ever struggled to get developers engaged with security.

Timestamps

01:10 – Why Pedram built SecDim, the problem with pen test reports, and why CTFs don’t train developers
04:42 – From “Capture the Flag” to “Fix the Flag”: making training realistic and Git-first
06:30 – Training inside developer workflows and why contrived examples fail
10:28 – Using modern stacks, AI-tailored labs, and real-world incidents to make concepts stick
12:35 – Why security names suck (XSS vs. “content injection”) and the Optus hack as a teaching moment
17:37 – Secure design patterns vs. vague slogans, and why secure defaults beat secure by design
21:15 – Frameworks like React, Rails, and Angular that kill entire bug classes
23:23 – Engineering by-products: reproducibility, immutability, and orthogonality in secure coding
30:36 – PHP’s bad reputation, language quirks, and what’s actually most popular in security training today
33:41 – Why AppSec pros need to build and deploy apps (not just know vulnerability classes)
37:44 – Getting started with SecDim and hands-on secure coding

Mentioned in this episode: Call for Feedback
