We're excited to announce the launch of Bug Buster, SafeStack's newest series of developer-focused security courses designed to tackle the most critical vulnerabilities in modern applications. These short, practical courses—each under 3 minutes—are built for busy developers who want to learn essential security skills without the time commitment of traditional training.

Security Training, Reimagined

Bug Buster courses cut straight to the chase. Each module focuses on a specific vulnerability, shows you exactly what it looks like in real code, and teaches you how to prevent it. No lengthy theory sessions—just practical, actionable knowledge you can apply immediately.

Node.js Collection Now Available

We're launching Bug Buster with five essential courses targeting the most common security vulnerabilities in Node.js applications:

Bug Buster: SQL Injection (in Node.js)

Learn how unvalidated user input can be weaponized to tamper with your database. This module shows you what SQL injection looks like in a Node.js app and how to prevent it using parameterized queries.

Bug Buster: Path Traversal (in Node.js)

Understand how attackers can escape expected directories and access sensitive files. This course walks through a real example in Node.js and shows you how to securely handle file paths and input validation.

Bug Buster: Hardcoded Secrets (in Node.js)

Explore the risks of embedding API keys, passwords, or tokens in your code. This module covers how secrets leak, the impact, and how to use environment variables and secret management tools the right way.

Bug Buster: Cleartext Transmission of Sensitive Information (in Node.js)

Find out how data sent without encryption can be intercepted in transit. This course explains how to identify these risks in Node.js and apply HTTPS, TLS, and secure headers to protect your users.

Bug Buster: Cross-Site Request Forgery (CSRF) (in Node.js)

See how attackers trick browsers into making unwanted requests on behalf of users. This module covers how CSRF works in Node.js applications and the techniques—like tokens and SameSite cookies—that keep your app safe.

What Makes Bug Buster Different

• Ultra-focused: Each course targets one specific vulnerability

• Platform-specific: Real examples using the frameworks and libraries you actually use

• Time-efficient: Learn critical security concepts in under 3 minutes

• Immediately actionable: Walk away with practical techniques you can implement today

More Coming Soon

While we're starting with these five foundational Node.js courses, this is just the beginning of the Bug Buster journey. We're already working on:

• Additional Node.js vulnerabilities: More courses covering even more security risks specific to Node.js applications

• New platforms and languages: Bug Buster courses for additional technology stacks to help developers across the entire ecosystem

The Bug Buster series represents our commitment to making security education accessible, practical, and relevant to the daily challenges developers face. When it comes to security vulnerabilities, every bug you catch before production is a potential breach prevented.

Ready to start squashing bugs? Check out the Bug Buster: Node.js collection today and take the first step toward building more secure applications—with many more learning opportunities on the horizon.

SafeStack Introduces Assessments for Secure Development Training

We're excited to announce a significant enhancement to our Secure Development Training platform! SafeStack has just released comprehensive assessments to help organizations validate learning and measure the effectiveness of their security education programs.

What's New?

Our secure development training now includes optional assessments (quizzes) that test learners' understanding of critical security concepts. These assessments provide a structured way to verify knowledge retention and ensure your team is getting the most from their training experience.

Assessment Features

• Multiple Choice Format: Each assessment consists of 10 carefully crafted multiple-choice questions

• Validation of Learning: Learners must correctly answer 8 or more questions to successfully complete an assessment

• Available Across Modules: Assessments have been implemented across many of our secure development courses

• Flexible Implementation: Assessments are optional by default, giving you control over your learning experience

How It Works

The new assessment feature is designed to be both flexible and effective:

1. Optional by Default: We understand every organization has different training needs, so assessments are optional out of the box

2. Configurable by Group Leaders: Group leaders can choose to make assessments mandatory for their teams, by navigating to Settings → Organization

3. Clear Completion Requirements: If set as mandatory, learners must successfully complete the assessment (scoring at least 80%) to complete the module

Benefits for Your Organization

• Verify Knowledge Transfer: Ensure security concepts aren't just viewed but genuinely understood

• Identify Knowledge Gaps: Pinpoint areas where additional training may be beneficial

• Demonstrate Compliance: Generate evidence of training effectiveness for compliance requirements

• Increase Engagement: Add a motivational element to the learning process with clear goals

Getting Started

These new assessments are available now for most of our courses and all our existing customers. Group leaders can access the assessment configuration settings from their organization settings, to determine whether assessments should be optional or mandatory for their teams.

For more information about how to leverage assessments in your security training program, reach out to our support team at [email protected]

We're committed to continuously improving our platform to make security education more effective and engaging. We look forward to hearing your feedback on this new feature as you incorporate assessments into your secure development training program.

We're excited to announce the release of six new security awareness training courses, further expanding our commitment to making security education accessible and engaging for everyone. In partnership with Mindshift, these courses are designed with a people-first approach, ensuring that complex security concepts are presented in a way that resonates with learners at all levels.

Meet Our New Courses

1. An Introduction to Generative AI

In this 10 minute module, you’ll learn what generative AI means, how to use it safely and tips for how to get the best out of it.

2. Communicating Safely

In this 15 minute course, you will learn how to communicate safely online and offline.

3. Cyber Safe Workspaces and Devices

In this course, you'll learn how to keep information safe by setting up a safe workspace and having secure devices.

4. Cyber Security Essentials

In this course, you'll learn about how you can keep your personal and business information safe.

5. Secure Your Online Accounts

In this 15 minute course, you’ll learn how to keep your online accounts secure by using passphrases, a password manager and turning on multi-factor authentication.

6. Spot the Scams

In this 15 minute course, you’ll learn how to spot the warning signs of scams, and how to respond.

Find all six courses pre-organized in our Awareness Essentials learning path template — designed to help your team get started with effective training quickly.

We’re excited to announce a key update to our learning platform: modules fromsome of our larger courses are now also available as smaller, more focused individual courses. This change is designed to enhance the learning experience by making it easier for learners to complete courses at a more manageable pace.

By breaking down our larger courses, we aim to support learners in achieving their goals without feeling overwhelmed, making their secure development training even more achievable!

What’s New?

• Smaller Course Sizes: Our longer, content-heavy courses are now also available as much smaller, digestible courses. This means learners can absorb information in bite-sized pieces, reducing the pressure of completing extensive modules, all in one go.

• Flexible Learning: With smaller courses

  • Learners can now spread their training over several weeks or months. This flexibility allows them to focus on one module at a time, ensuring better retention and a more manageable workload.

  • Group leaders can add more focused training modules in learning paths, making the learning paths much smaller, more achievable and better customised for your specific training needs.

• Larger Courses Still Available: If you prefer the original format, don’t worry! The larger, comprehensive courses remain available for those who enjoy diving deep into a topic all at once.

• Seamless Progress Tracking: As an added bonus, any progress made in the smaller modules will automatically carry over into the corresponding larger course (and the other way around). This ensures that no effort is lost, and learners can switch between formats without missing a beat. If you have already completed one of these modules in the original course, this completion will be carried over into the smaller course as well.

What courses are now available as smaller courses?

The Finding and Fixing Web Application Security Vulnerabilities course is about 4 hours and 33 minutes long. It contains 13 modules in total.

All its core modules (except for the introduction) are now available as individual courses:

1. Finding and Fixing: Object Access Vulnerabilities

2. Finding and Fixing: Enumeration Vulnerabilities

3. Finding and Fixing: SQL Injection Vulnerabilities

4. Finding and Fixing: Configuration Vulnerabilities

5. Finding and Fixing: Operating System Injection Vulnerabilities

6. Finding and Fixing: Passwords and Authentication

7. Finding and Fixing: Session Vulnerabilities

8. Finding and Fixing: Cross Site Scripting Vulnerabilities (XSS)

9. Finding and Fixing: Using Components with Known Vulnerabilities

10. Finding and Fixing: Path Traversal Vulnerabilities

11. Finding and Fixing: Return of the SQL Injection

12. Finding and Fixing: XML External Entity (XXE) Vulnerabilities

The Finding and Fixing API Security Vulnerabilities course is about 2 hours and 29 minutes long. It contains 10 modules in total.

All its core modules (except for the introduction) are now available as individual courses:

1. Applying Security Concepts to Development and Operations

2. Finding and Fixing: Broken API Authentication Vulnerabilities

3. Finding and Fixing: Broken API Authorisation Vulnerabilities

4. Finding and Fixing: API Data Exposure Vulnerabilities

5. Finding and Fixing: API Resource Limitations Vulnerabilities

6. Finding and Fixing: API Mass Assignment Vulnerabilities

7. Finding and Fixing: API Injection Vulnerabilities

8. Finding and Fixing: API Misconfiguration and Mismanagement Vulnerabilities

9. Transitioning To Microservices or Hybrid Architectures

The Introduction to DevSecOps is about 3 hours and 19 minutes long. It contains 5 modules in total.

All its modules are now available as individual courses:

1. DevSecOps: Culture and Processes

2. DevSecOps: Cloud Security

3. DevSecOps: Securing Source Code and Deployment Pipelines

4. DevSecOps Defence

5. Strategically Growing DevSecOps

This update is all about giving you more control over your learning experience, while still offering the flexibility to choose the format that best suits your needs.

Drata is a security and compliance automation platform that continuously monitors and collects evidence of a company's security controls. Security training provided by SafeStack forms an integral part of a robust compliance and security control strategy.

We are happy to announce our new Drata integration functionality, allowing customers to automatically upload completion evidence of their learners’ security training, from SafeStack, into Drata.

Just pick the learning paths you want to track when setting up the integration and you’re good to go! When users complete their learning paths, an evidence PDF will be generated and uploaded to Drata automatically, marking their own security training as completed within Drata.

This removes the hassle of uploading evidence manually for your team and keeps compliance information in Drata up to date.

If your organization is using, or planning to use Drata to automate compliance related tasks, check out our Drata integration today.

We’ve just released the new Learning Path Statistics report to help our group leaders analyze learning path engagement, participation and completion over time.

This new report contains 3 types of graphs, each designed to highlight key pieces of information that help you better understand the effectiveness of your learning paths and security training.

Graph 1: Learning Path Course engagement

This graph highlights the engagement of your learning path at the course level. It can help answer questions like:

1. What courses are being fully completed by my learners?

2. What courses are being started but not completed by my learners?

3. What courses are not being started at all by my learners?

4. What courses are most engaging, and which ones are my learners not too interested in?

Graph 2: Learning Path Engagement

This pie chart compares the percentage of your learners that have not yet started, started and completed your learning path as a whole. This can help group leaders visualize learning path engagement easily. Over time, one would want the red slice to reduce in size and the green slice to increase in size.

Graph 3: Learning Path completion over time

This graph plots the cumulative percentage of users that have completed the learning path, over time. This is really useful to understand how quickly your team is ramping up with their training and how much training there is still left to be done, before you hit the learning path due date (if there is one).

Other functionality

Graph toolbar

The graph toolbar (top right of every graph) can be used to download the graph in the PNG or SVG format. You can also download the raw data behind the graph, by downloading using the CSV format option.

For time series graphs (like the Learning Path completion over time graph), you can also zoom in/out or drag and select a specific time range you want to explore within the whole period.

Reports page

We’ve made minor changes to the Reports page to separate individual reports from group reports much more clearly.

More interesting changes ahead

In the future, we plan to add more functionality to these reports to take them a step further, making it easy for group leaders to communicate with their learners about their training. But we will have more on that later!

We hope you enjoy the new changes in SafeStack and are always open to feedback, suggestions or concerns.

SafeStack Seminars are an easy way to engage your application security champions on a regular basis. With seminars, your team can keep updated with new threats and secure development best practices in our interactive sessions with expert coaches.

More than 30 seminars have occurred since SafeStack was launched, covering a wide range of topics, including threat modeling, AI, DevOps, SAST and so on. Every topic is sourced from our community and customer suggestions, so they are guaranteed to be timely, relevant, and focused on current and emerging secure development best practices.

A feature requested by many customers is the ability to add seminars into learning paths, allowing security champions to craft outcome focused training programs, along with high quality, interactive, bite-sized training for specific topics covered in our seminars.

From today, all our past seminars are available as courses on the platform! They can be added to learning paths, just like any other course. Further, reports will indicate whether a learner has completed watching a seminar or not, from this point onwards, providing much more visibility about seminar related training to group leaders.

We will continue to host live seminars based on customer suggestions and our roadmap. You will still be able to register for live seminar sessions from the platform. Once a live seminar has finished, it will be available as a course on the platform, so that your team can watch it at a later date.

Our support team is available via email at [email protected] to answer any questions you may have about this change.

Summary

In order to provide a more streamlined login experience for our users, SafeStack will update its authentication domain name from learn-safestack-io.au.auth0.com to auth.learn.safestack.io on February 10, 2024 (Saturday) as part of scheduled maintenance of its authentication systems.

If you use Single Sign On to log into SafeStack, you may need to make minor changes in the SafeStack client configuration set up with your identity provider. These changes are outlined below.

How does this affect you?

Your login experience will be similar to what it is now, this is simply an update of the domain name that we use for our authentication system. Your existing credentials to log into SafeStack will continue to work as they do now and there will be no change to your training data in SafeStack.

If Single Sign On has not been configured for your organization

After you enter your email address on the login page, instead of being redirected to https://learn-safestack-io.au.auth0.com/ you will be redirected to https://auth.learn.safestack.io/.

If you use a password manager to save your credentials, you may need to find your existing credentials to log into SafeStack by searching for safestack in your password manager. Upon successful login, your password manager may prompt you to add or update your SafeStack credentials (since the authentication website URL will be different).

Our forgot password functionality will continue to work, in case you need to reset your password.

If Single Sign On has been configured for your organization

You may need to update the Redirect URI’s configured for use with the SafeStack client in your identity provider (IdP). Before February 9 2024, both the following redirect URI’s must exist in your configuration:

1. https://learn-safestack-io.au.auth0.com/login/callback

2. https://auth.learn.safestack.io/login/callback

You can make these changes right away without affecting your organization’s access to SafeStack.

Azure AD / Entra ID

If you use Azure AD / Entra ID as your IdP, the redirect URI’s can be configured as per Step 1.8 here

Google Workspace

If you use Google Workspace as your IdP, the redirect URI’s can be configured as per Step 1.6 here

Okta

If you use Okta as your IdP, the redirect URI’s can be configured as per Step 4 here

Once this configuration is in place, you will be able to log into SafeStack as usual from our login page.

Help and Support

Our support team is available via email at [email protected] for assistance with this change, to answer any questions or if you face any issues.

If you require your learners to re-do their SafeStack training again, such as for a start-of-year rollover, Group Leaders can now reset their progress data so that all learning paths, courses, quizzes, labs, and reporting show as incomplete.

Resetting progress can be done across your entire organization from the Organization page, or for the learners and courses within a specific Learning Path from the Learning Paths page.

Some key points to note:

• Learners will retain any badges and achievements they’ve previously earned.

• Historical data will not be available from the Reports section. We recommend downloading and archiving any reports per your organization's compliance and data retention policies before resetting progress data.