Practical DevSecOps launches hands-on security course
Practical DevSecOps has launched a Certified Security Champion course aimed at turning software developers into in-team security advocates as organisations face continuing cybersecurity skills shortages.
The company positioned the programme as an alternative to expanding central security teams in environments where development organisations have grown faster than security staffing. It said security teams often struggle to provide coverage across large numbers of developers and product teams.
The new Certified Security Champion, or CSC, course sits in the market for security training that targets development teams rather than specialist security engineers. Practical DevSecOps said the curriculum uses hands-on exercises and practical assessment.
Mohammed A. Imran, Founder and CEO at Practical DevSecOps, criticised common approaches that rely on theory-heavy training for developers.
"You know what drove me crazy? Security teams would send developers to these expensive trainings, and they'd come back knowing all the theory but couldn't actually fix a single vulnerability in their codebase," said Mohammed A. Imran, Founder and CEO at Practical DevSecOps. "We said strike that. Our champions are actually breaking into applications, exploiting real vulnerabilities, then learning how to fix them and teach their teammates. No PowerPoints."
Course format
Practical DevSecOps said the CSC course includes more than 60 labs and uses vulnerable applications for exercises. It said the programme includes practical exams intended to test applied skills. It also described the training as "tech stack agnostic" and said it can apply across different programming languages.
The company said the programme includes blueprints for setting up and running security champion initiatives inside organisations. It said organisations often struggle to build sustainable champion programmes without an established approach.
Security champion models have become more common as software delivery cycles shorten and security teams aim to shift review and remediation earlier in development. The approach typically designates developers within teams as first points of contact for security questions and as participants in code review and secure development practices.
Talent pressures
Practical DevSecOps referenced a cybersecurity talent shortage and said security coverage does not scale in line with developer headcount. It also pointed to research that it said showed security champion programmes reduced production vulnerabilities and increased remediation speed.
Imran said organisations should not expect security champions to act as replacement security specialists. He described a role focused on translating between security and engineering teams.
"People think security champions need to become mini security experts. That's completely backwards," said Imran. "What you really need is someone who understands how developers think and work, but also gets why the security team keeps freaking out about certain things. They're translators, not specialists. Once companies get this, everything clicks."
Programme claims
The company said security champions can influence groups of developers and spread secure coding practices beyond the individuals who take the training. It said a champion typically supports 10 to 15 other developers. It also cited an example from a beta programme participant at a Fortune 500 company and said that organisation's vulnerability escape rate fell by 73% over six months.
Practical DevSecOps said it has already delivered training to teams at Accenture, Ford Motors, Adidas, IBM, and Booz Allen Hamilton. It said it works with organisations across sectors and has trained hundreds of teams.
The company also highlighted an advisory board for the security champion effort. It named Mario Platt, VP CISO at LastPass, Erika Voss, SVP & CSO at Blue Yonder, and Cecil Su, BDO Cybersecurity Director.
Delivery options
Practical DevSecOps said the CSC course is available in a self-paced format. It also said it offers an in-house cohort option for teams of 15 or more. The company said participants gain access to a Security Champions community.
Imran said the intended outcome is earlier detection of security issues during day-to-day development work rather than converting developers into security professionals.
"Look, we're not trying to convert developers into security professionals. That's not the point," said Imran. "We're teaching them just enough to spot problems before they blow up. Get one person on every dev team thinking like an attacker, and suddenly security isn't this external thing anymore. It's just part of how you build software."
Practical DevSecOps said it offers vendor-neutral training and certification programmes for IT and security professionals, including areas such as DevOps security, cloud-native security, API security, container security, threat modelling, software supply chain security, and AI security.