Fix the Flag: Rethinking Secure Code Training with Pedram Hayati
Episode Summary
CTFs are fun, but do they actually make developers write more secure code? In this episode of Secured, Cole Cornford is joined by Pedram Hayati (Founder of SecDim & SecTalks) to explore why most developer security training fails, and how SecDim’s “Fix the Flag” approach is changing the game.
From contrived WebGoat-style examples to frameworks that quietly eradicate entire bug classes, Cole and Pedram dive deep into the intersection of AppSec and software engineering. They unpack why developer experience is non-negotiable, why security needs to borrow design patterns from engineering, and how real-world incidents (like GitHub’s mass assignment bug or the Optus breach) make concepts stick far better than acronyms like “XSS” (cross-site scripting) or “SSTI” (server-side template injection).
This is a technical, opinionated episode for anyone who’s ever struggled to get developers engaged with security.
Timestamps
01:10 – Why Pedram built SecDim, the problem with pen test reports, and why CTFs don’t train developers
04:42 – From “Capture the Flag” to “Fix the Flag”: making training realistic and Git-first
06:30 – Training inside developer workflows and why contrived examples fail
10:28 – Using modern stacks, AI-tailored labs, and real-world incidents to make concepts stick
12:35 – Why security names suck (XSS vs. “content injection”) and the Optus hack as a teaching moment
17:37 – Secure design patterns vs. vague slogans, and why secure defaults beat secure by design
21:15 – Frameworks like React, Rails, and Angular that kill entire bug classes
23:23 – Engineering by-products: reproducibility, immutability, and orthogonality in secure coding
30:36 – PHP’s bad reputation, language quirks, and what’s actually most popular in security training today
33:41 – Why AppSec pros need to build and deploy apps (not just know vulnerability classes)
37:44 – Getting started with SecDim and hands-on secure coding
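The GitHub mass assignment incident the episode cites is a good illustration of the “secure defaults beat secure by design” point: Rails let a request body set any model attribute unless the developer had opted into an allow-list, and Rails 4 strong parameters later flipped that default so the allow-list is mandatory. The following is an added example, not code from the episode, SecDim or GitHub: plain Ruby stand-ins for an ActiveRecord model and for `ActionController::Parameters` (the `User`, `Params`, and attribute names are assumptions) showing the vulnerable pattern beside the hardened one with a constructed request body.

```ruby
# Added example: mass assignment, the bug class behind the GitHub incident the
# episode cites, shown vulnerable and hardened. Plain Ruby with stand-in
# classes so it runs offline; class and attribute names are assumptions.

# Stand-in for an ActiveRecord-style model whose setters are reachable via
# mass assignment (attr_accessor plays the role of database columns).
class User
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Vulnerable pattern: assign every key the request supplies. This is what
  # `update_attributes(params[:user])` did by default before Rails 4 unless
  # the developer remembered to opt into attr_accessible.
  def update_attributes_unsafe(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end

  # Hardened pattern: the caller must allow-list attributes first (the idea
  # behind Rails 4 strong parameters); unpermitted input is refused outright.
  def update_attributes(permitted)
    raise ArgumentError, "params must be permitted first" unless permitted.permitted?

    permitted.to_h.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Minimal stand-in for ActionController::Parameters: unpermitted until
# `permit` has been called, and `permit` keeps only the listed keys.
class Params
  def initialize(hash, permitted: false)
    @hash = hash
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  def permit(*keys)
    Params.new(@hash.select { |k, _| keys.include?(k) }, permitted: true)
  end

  def to_h
    @hash
  end
end

# Constructed request body: the attacker adds a field the signup form never
# exposed, hoping the server assigns it along with the legitimate ones.
ATTACKER_PARAMS = { name: "mallory", email: "m@example.com", admin: true }.freeze

def unsafe_update
  User.new.update_attributes_unsafe(ATTACKER_PARAMS)
end

def safe_update
  User.new.update_attributes(Params.new(ATTACKER_PARAMS).permit(:name, :email))
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: admin=#{unsafe_update.admin}" # privilege escalated
  puts "safe:   admin=#{safe_update.admin}"   # admin key silently dropped
end
```

The engineering point is the one the episode makes: the secure version is not smarter code, it is an API shape that makes forgetting the allow-list a runtime error instead of a privilege escalation, which is why the framework change removed the bug class rather than just documenting it.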