Teaching Attacker perspective to Developers

Learning by doing is a quite successful education concept. Although software developers are typically not meant to become professional pentesters, it is still a valuable approach to teach them the Attackers Perspective and let them loose on practical hacking exercises or vulnerable applications. Only when they saw something breakbreak something themselves, can they appreciate all the secure coding guidelines as help and not see them as an impediment.


In this working session, we will share our experience with various tools and services used in practical developer security training sessions.


  • How to sell the idea of “breaking” things to developers who typically have constructive mindsets
  • How to integrate exercises into instructor-led training sessions
  • Do you advocate do-it-yourself learning?
  • Share experiences using current online service providers
  • Run-through of open source tools (like WebGoat, Security Shepherd, Juice Shop)
  • Are vendor demo applications (like AltoroMutual) an option?
  • What (if any) tools for pentesting (like ZAP or Burp) do you recommend or use in dev trainings?


  • Recommendation for a eLearning Path guiding developers through various hands-on sessions in an appropriate order (e.g. with increasing difficulty)
  • Best Practices for developer-focused security training
  • Developer training Antipatterns


The target audience for this Working Session is:

  • Developers
  • Instructors

Working materials


see above

Related Working Session(s)

Back to list of all Working Sessions and Tracks

Edit this page here