How Offensive Training Improves Defensive-Only Approaches in Secure Coding Training

Jared Ablon
4 min readMay 28, 2021

Originally posted:

“I used to attack because it was the only thing I knew. Now I attack because I know it works best.”
- Garry Kasparov, chess legend

Chess is an oft-used analogy for cybersecurity because there are many similarities between the two. At their core, they are games of strategy which pit two adversaries against each other in a bid to outdo each other in a duel of intellects. The best chess players do not merely apply pre-meditated tactics to win. Rather, they inhabit their opponents’ minds, study their psyches, and view the world from their antagonists’ viewpoint before they even sit down at the chess board. They build defenses ahead of time to force their opponents’ hand, and think three moves into the future to anticipate counterattacks. The goal, of course? Stay alive.

The same goes for cybersecurity: Anticipating cybercriminals’ moves and building appropriate mechanisms to deal with each one is something that must be done proactively, and is necessary to combat the most sophisticated cybercriminals successfully.

While many secure code training programs ascribe to a defensive-only philosophy of responding to threats as they emerge, at HackEDU we understand the necessity of thinking three steps ahead. That’s why our training philosophy encompasses offensive as well as defensive strategy, to equip developers with the most comprehensive knowledge about code-based attack vectors.

Defensive Training

Defensive training focuses on ways to defend against known threats by prescribing fixes for each type of vulnerability. It is the ‘how’ of secure coding training. Defensive training alone is great for developers who are learning about secure coding for the first time, as it offers them a gentle introduction to secure coding, but it is limited by both the number of examples and corresponding solutions that the designers of the training can develop, and how much developers who take the training are willing to consume. The knowledge scaffolds in a linear progression, and is limited by the quantity of training consumed.

Jared Ablon

Co-founder and CEO of HackEDU. Previously a CISO. 15 years in cybersecurity.