Secured by Galah Cyber with Cole Cornford

Fix the Flag: Rethinking Secure Code Training with Pedram Hayati

Episode Summary

CTFs are fun, but do they actually make developers write more secure code? In this episode of Secured, Cole Cornford is joined by Pedram Hayati (Founder of SecDim & SecTalks) to explore why most developer security training fails, and how SecDim’s “Fix the Flag” approach is changing the game.

From contrived WebGoat-style examples to frameworks that quietly eradicate entire bug classes, Cole and Pedram dive deep into the intersection of AppSec and software engineering. They unpack why developer experience is non-negotiable, why security needs to borrow design patterns from engineering, and how real-world incidents (like GitHub’s mass assignment bug or the Optus breach) make concepts stick far better than acronyms like “XSS” or “SSTI.”

This is a technical, opinionated episode for anyone who’s ever struggled to get developers engaged with security.

Timestamps

01:10 – Why Pedram built SecDim, the problem with pen test reports, and why CTFs don’t train developers

04:42 – From “Capture the Flag” to “Fix the Flag”: making training realistic and Git-first

06:30 – Training inside developer workflows and why contrived examples fail

10:28 – Using modern stacks, AI-tailored labs, and real-world incidents to make concepts stick

12:35 – Why security names suck (XSS vs. “content injection”) and the Optus hack as a teaching moment

17:37 – Secure design patterns vs. vague slogans, and why secure defaults beat secure by design

21:15 – Frameworks like React, Rails, and Angular that kill entire bug classes

23:23 – Engineering by-products: reproducibility, immutability, and orthogonality in secure coding

30:36 – PHP’s bad reputation, language quirks, and what’s actually most popular in security training today

33:41 – Why AppSec pros need to build and deploy apps (not just know vulnerability classes)

37:44 – Getting started with SecDim and hands-on secure coding
