We're excited to announce the launch of our most comprehensive Node.js security training collection yet, covering all 25 of the most critical Common Weakness Enumerations (CWEs) that every Node.js developer needs to know about.

What’s new

CWE Top 25 - Node.js

We've released 25 targeted security courses covering the complete CWE Top 25 list, specifically tailored for Node.js development. With 3 hours and 20 minutes of focused technical content, this learning path gives your development team practical, hands-on knowledge to identify and prevent the most dangerous software weaknesses.

Each 8-minute course is designed to fit into a developer's workflow without disruption, covering:

• Injection vulnerabilities: XSS (CWE-79), SQL Injection (CWE-89), Command Injection (CWE-77, CWE-78), and Code Injection (CWE-94)

• Memory safety issues: Out-of-bounds Read/Write (CWE-125, CWE-787), Use After Free (CWE-416), Buffer Overflow (CWE-119)

• Access control weaknesses: Missing Authorization (CWE-862), Incorrect Authorization (CWE-863), Improper Authentication (CWE-287), Improper Privilege Management (CWE-269)

• Data protection risks: Exposure of Sensitive Information (CWE-200), Deserialization of Untrusted Data (CWE-502), Hard-coded Credentials (CWE-798)

• Request forgery attacks: CSRF (CWE-352), SSRF (CWE-918)

• File security: Path Traversal (CWE-22), Unrestricted File Upload (CWE-434)

• Resource management: Uncontrolled Resource Consumption (CWE-400), Integer Overflow (CWE-190)

• Core security practices: Improper Input Validation (CWE-20), NULL Pointer Dereference (CWE-476), Missing Authentication for Critical Functions (CWE-306)

Française - CWE Node JS (New!)

For the first time, we're introducing French language security training for Node.js developers. The initial release includes 40 minutes of content covering 5 critical CWEs:

• CWE-79: Neutralisation incorrecte des entrées lors de la génération de pages Web (XSS)

• CWE-22: Limitation incorrecte d'un nom de chemin à un répertoire restreint (Path Traversal)

• CWE-190: Dépassement d'entier ou rebouclage

• CWE-400: Consommation de ressources non contrôlée

• CWE-502: Désérialisation de données non fiables

More French courses are in development to complete the full CWE Top 25 coverage.

Why This Matters

These courses are built specifically for developers who need to ship secure code but don't have time for lengthy training programs. Here's what makes them effective:

Developer-Centric Approach

• Written by developers, for developers

• Focused on practical application, not theory

• No security expertise required to get started

Short & Focused

• 8-minute modules that respect your team's time

• Concise explanations that get straight to the point

• Easy to complete during a coffee break or between tasks

Technical & Hands-On

• Real Node.js code examples showing vulnerable patterns

• Practical remediation techniques you can apply immediately

• Covers both JavaScript and native add-on scenarios where applicable

Easy Deployment

Available as learning path templates, group leaders can create and assign these learning paths to their teams with just a few clicks. No need to manually curate courses or build curricula from scratch.

Who Should Take These Courses

• Node.js developers who want to write more secure code

• Development teams adopting secure coding practices

• Engineering leaders building security into their SDLC

• Anyone working with Node.js in production environments

Get Started Today

Ready to level up your team's Node.js security skills? Get in touch with us to get started.

We're excited to announce the launch of SafeStack's comprehensive HIPAA compliance learning path, designed specifically to help healthcare organizations and their business associates meet HIPAA framework security awareness training requirements.

New HIPAA Security Awareness Courses

Developed in partnership with our cybersecurity awareness training partner Mindshift, our HIPAA learning path includes two essential courses, totaling approximately 30 minutes of focused training:

An Introduction to HIPAA (≈15 minutes)

Anyone working in healthcare for a HIPAA compliant organization must understand what HIPAA is about and how it applies to their role. This foundational course covers:

• What HIPAA is and why it matters

• The Privacy Rule

• The Security Rule

• The Breach Notification Rule

• How HIPAA rules may change in emergencies

Security Awareness for HIPAA Compliant Organizations (≈15 minutes)

This practical training is designed for people working in healthcare for a HIPAA compliant organization. The course covers:

• Why and how to protect patient data

• What Protected Health Information (PHI) is

• Proper handling of patient information

• Understanding patient privacy rights

• Best practices for preventing breaches

• Breach reporting procedures

Seamless GRC Integration

We understand that compliance is about more than just training—it's about demonstrating that training to auditors and compliance frameworks. That's why we've integrated our HIPAA learning path with leading Governance, Risk, and Compliance (GRC) platforms.

Automatic Evidence Upload to Drata

Organizations using Drata can now automatically upload evidence of HIPAA training completion through SafeStack's Drata integration. When your team members complete their HIPAA courses in SafeStack, the training records are automatically synchronized with Drata, eliminating manual evidence collection and ensuring your compliance documentation is always up to date.

Automated Vanta Control Completion

For customers using HIPAA-based controls in Vanta, SafeStack automatically marks relevant controls as completed when users finish their HIPAA-related training. This seamless integration means:

• No manual control updates required

• Real-time compliance status in Vanta

• Reduced administrative overhead

• Stronger audit trails

Why HIPAA Training Matters

The HIPAA Security Rule explicitly requires covered entities and business associates to implement a security awareness and training program for all workforce members. Regular security awareness training is not just a best practice—it's a regulatory requirement.

With SafeStack's HIPAA learning path, you can:

• Meet regulatory requirements with comprehensive, up-to-date content

• Save time with automated evidence collection and control management

• Reduce risk by educating your team on proper PHI handling

• Streamline audits with integrated compliance documentation

Get Started Today

The HIPAA compliance learning path is now available to all SafeStack customers with a Security Awareness subscription. Organizations can assign these courses to their workforce and begin building a culture of compliance while automatically satisfying their GRC platform requirements.

Ready to strengthen your HIPAA compliance program? Contact us today!

We're excited to announce a significant improvement to how learners can demonstrate their security training completion in SafeStack.

What's New: Training Transcripts

Based on feedback from our customers, we've introduced a new Transcript feature that provides a comprehensive record of all completed security training. This feature addresses a common need among our customers: providing clear, consolidated evidence of training completion for compliance and audit purposes.

How It Works

Learners can now generate and download a professional PDF transcript that includes:

• A complete list of all courses completed

• Completion dates for each course

• A consolidated view of their entire security training journey

To access your transcript, simply navigate to the Transcript option in the sidebar menu and download your personalized PDF.

What's Changing

As part of this transition, we're streamlining our course completion recognition:

• Secure Development program: We're discontinuing Credly badge generation. After reviewing usage patterns over a long period, we found that the feature wasn't being well utilized.

• Security Awareness program: Course completion certificates will no longer be issued.

Why This Matters

Transcripts offer several advantages over individual certificates or badges:

1. Compliance-Focused: Transcripts are specifically designed to meet audit and compliance requirements, providing a complete training record in a single document.

2. Customer-Driven: This feature was one of the most requested improvements from our customer base.

3. Comprehensive: Rather than managing multiple certificates or badges, users get a single, authoritative record of all their training.

4. Professional Format: PDF transcripts are generally accepted for compliance documentation and professional development records.

Coming Soon

We're already working on the next phase of this feature: team-wide transcript downloads. Group leaders will soon be able to generate transcripts for their entire team, making compliance reporting even easier.

Questions?

We believe this change better serves the needs of both individual learners and organizations using SafeStack for security training. If you have any questions about accessing your transcript or what this means for your training records, please don't hesitate to reach out to our support team.

We're excited to announce the launch of our completely redesigned dashboard, built from the ground up to deliver a more intuitive, powerful, and responsive experience for both learners and group leaders.

👥 Powerful Group Leader Dashboard

Multi-Program Management

Seamlessly switch between Secure Development or Security Awareness with our new unified interface

Comprehensive Team Health Monitoring

• View total team members and security champions at a glance

• Identify learners without recent login activity

• Track expired invitations that need attention

• Monitor learners without assigned learning paths or programs

Advanced Learning Path Management

• Track progress across all team learning paths in real-time

• Identify incomplete team members for each learning path

• Send targeted reminders for overdue learning assignments

Security Champions Recognition

Automatically identify and celebrate high-performing team members who demonstrate exceptional security awareness and learning commitment.

Team Achievement Tracking

• Monitor recent team accomplishments and milestone achievements to keep motivation high and progress visible.

Streamlined Administrative Tools

• Bulk Expired Invite Management: Resend all expired invites with a single click

• Learning Path Reminder System: Send targeted reminders to learners with overdue assignments

• User Health Monitoring: Comprehensive tracking of user engagement and subscription status

🎓 Enhanced Learner Dashboard

Resume Learning Made Effortless

Never lose track of your progress again. The new dashboard automatically identifies and highlights your most recently accessed unfinished course, so you can pick up exactly where you left off.

Visual Progress Tracking

Get instant insights into your learning journey with dynamic progress bars showing completion percentages and course counts across all your learning paths.

Achievement Recognition

Celebrate your wins with our new achievement system that displays recent accomplishments, highlighting courses and learning paths you've completed in the last 30 days.

Smart Priority Guidance

Stay on track with automatic highlighting of urgent learning paths based on due dates, ensuring you never miss important deadlines.

Seamless Support Access

Connect with your group leaders instantly through easy-access contact options built right into your dashboard.

🚀 What This Means for You

This redesign represents our commitment to making security learning more accessible, trackable, and effective for organizations of all sizes. Whether you're an individual learner focused on personal development or a group leader managing team-wide security initiatives, these new dashboards provide the tools and insights you need to succeed.

The new dashboard experience is rolling out now to all SafeStack users. Log in today to explore these powerful new features and take your security learning to the next level.

Questions about the new dashboard? [email protected] is here to help you make the most of these new features

We're excited to announce the release of our OWASP Top 10 2021 - micro courses.

Each micro course:

1. targets a specific vulnerability within the OWASP top 10 2021 list of vulnerabilities

2. should take less than 5 minutes to complete

3. contains a short quiz to test your knowledge

4. is only marked as completed if the quiz is completed successfully

Want to cover the complete OWASP Top 10 2021 within an hour? Add all the micro courses into a learning path easily for your next secure development training exercise.

The following topics are covered in these courses:

1. Broken Access Control

2. Cryptographic Failures

3. Injection

4. Insecure Design

5. Security Misconfiguration

6. Vulnerable and Outdated Components

7. Identification and Authentication Failures

8. Software and Data Integrity Failures

9. Security Logging and Monitoring Failures

10. Server-Side Request Forgery (SSRF)

Check out these new courses today!

We're excited to announce the launch of Bug Buster, SafeStack's newest series of developer-focused security courses designed to tackle the most critical vulnerabilities in modern applications. These short, practical courses—each under 3 minutes—are built for busy developers who want to learn essential security skills without the time commitment of traditional training.

Security Training, Reimagined

Bug Buster courses cut straight to the chase. Each module focuses on a specific vulnerability, shows you exactly what it looks like in real code, and teaches you how to prevent it. No lengthy theory sessions—just practical, actionable knowledge you can apply immediately.

Node.js Collection Now Available

We're launching Bug Buster with five essential courses targeting the most common security vulnerabilities in Node.js applications:

Bug Buster: SQL Injection (in Node.js)

Learn how unvalidated user input can be weaponized to tamper with your database. This module shows you what SQL injection looks like in a Node.js app and how to prevent it using parameterized queries.

Bug Buster: Path Traversal (in Node.js)

Understand how attackers can escape expected directories and access sensitive files. This course walks through a real example in Node.js and shows you how to securely handle file paths and input validation.

Bug Buster: Hardcoded Secrets (in Node.js)

Explore the risks of embedding API keys, passwords, or tokens in your code. This module covers how secrets leak, the impact, and how to use environment variables and secret management tools the right way.

Bug Buster: Cleartext Transmission of Sensitive Information (in Node.js)

Find out how data sent without encryption can be intercepted in transit. This course explains how to identify these risks in Node.js and apply HTTPS, TLS, and secure headers to protect your users.

Bug Buster: Cross-Site Request Forgery (CSRF) (in Node.js)

See how attackers trick browsers into making unwanted requests on behalf of users. This module covers how CSRF works in Node.js applications and the techniques—like tokens and SameSite cookies—that keep your app safe.

What Makes Bug Buster Different

• Ultra-focused: Each course targets one specific vulnerability

• Platform-specific: Real examples using the frameworks and libraries you actually use

• Time-efficient: Learn critical security concepts in under 3 minutes

• Immediately actionable: Walk away with practical techniques you can implement today

More Coming Soon

While we're starting with these five foundational Node.js courses, this is just the beginning of the Bug Buster journey. We're already working on:

• Additional Node.js vulnerabilities: More courses covering even more security risks specific to Node.js applications

• New platforms and languages: Bug Buster courses for additional technology stacks to help developers across the entire ecosystem

The Bug Buster series represents our commitment to making security education accessible, practical, and relevant to the daily challenges developers face. When it comes to security vulnerabilities, every bug you catch before production is a potential breach prevented.

Ready to start squashing bugs? Check out the Bug Buster: Node.js collection today and take the first step toward building more secure applications—with many more learning opportunities on the horizon.

SafeStack Introduces Assessments for Secure Development Training

We're excited to announce a significant enhancement to our Secure Development Training platform! SafeStack has just released comprehensive assessments to help organizations validate learning and measure the effectiveness of their security education programs.

What's New?

Our secure development training now includes optional assessments (quizzes) that test learners' understanding of critical security concepts. These assessments provide a structured way to verify knowledge retention and ensure your team is getting the most from their training experience.

Assessment Features

• Multiple Choice Format: Each assessment consists of 10 carefully crafted multiple-choice questions

• Validation of Learning: Learners must correctly answer 8 or more questions to successfully complete an assessment

• Available Across Modules: Assessments have been implemented across many of our secure development courses

• Flexible Implementation: Assessments are optional by default, giving you control over your learning experience

How It Works

The new assessment feature is designed to be both flexible and effective:

1. Optional by Default: We understand every organization has different training needs, so assessments are optional out of the box

2. Configurable by Group Leaders: Group leaders can choose to make assessments mandatory for their teams, by navigating to Settings → Organization

3. Clear Completion Requirements: If set as mandatory, learners must successfully complete the assessment (scoring at least 80%) to complete the module

Benefits for Your Organization

• Verify Knowledge Transfer: Ensure security concepts aren't just viewed but genuinely understood

• Identify Knowledge Gaps: Pinpoint areas where additional training may be beneficial

• Demonstrate Compliance: Generate evidence of training effectiveness for compliance requirements

• Increase Engagement: Add a motivational element to the learning process with clear goals

Getting Started

These new assessments are available now for most of our courses and all our existing customers. Group leaders can access the assessment configuration settings from their organization settings, to determine whether assessments should be optional or mandatory for their teams.

For more information about how to leverage assessments in your security training program, reach out to our support team at [email protected]

We're committed to continuously improving our platform to make security education more effective and engaging. We look forward to hearing your feedback on this new feature as you incorporate assessments into your secure development training program.

We're excited to announce the release of six new security awareness training courses, further expanding our commitment to making security education accessible and engaging for everyone. In partnership with Mindshift, these courses are designed with a people-first approach, ensuring that complex security concepts are presented in a way that resonates with learners at all levels.

Meet Our New Courses

1. An Introduction to Generative AI

In this 10 minute module, you’ll learn what generative AI means, how to use it safely and tips for how to get the best out of it.

2. Communicating Safely

In this 15 minute course, you will learn how to communicate safely online and offline.

3. Cyber Safe Workspaces and Devices

In this course, you'll learn how to keep information safe by setting up a safe workspace and having secure devices.

4. Cyber Security Essentials

In this course, you'll learn about how you can keep your personal and business information safe.

5. Secure Your Online Accounts

In this 15 minute course, you’ll learn how to keep your online accounts secure by using passphrases, a password manager and turning on multi-factor authentication.

6. Spot the Scams

In this 15 minute course, you’ll learn how to spot the warning signs of scams, and how to respond.

Find all six courses pre-organized in our Awareness Essentials learning path template — designed to help your team get started with effective training quickly.

We’re excited to announce a key update to our learning platform: modules fromsome of our larger courses are now also available as smaller, more focused individual courses. This change is designed to enhance the learning experience by making it easier for learners to complete courses at a more manageable pace.

By breaking down our larger courses, we aim to support learners in achieving their goals without feeling overwhelmed, making their secure development training even more achievable!

What’s New?

• Smaller Course Sizes: Our longer, content-heavy courses are now also available as much smaller, digestible courses. This means learners can absorb information in bite-sized pieces, reducing the pressure of completing extensive modules, all in one go.

• Flexible Learning: With smaller courses

  • Learners can now spread their training over several weeks or months. This flexibility allows them to focus on one module at a time, ensuring better retention and a more manageable workload.

  • Group leaders can add more focused training modules in learning paths, making the learning paths much smaller, more achievable and better customised for your specific training needs.

• Larger Courses Still Available: If you prefer the original format, don’t worry! The larger, comprehensive courses remain available for those who enjoy diving deep into a topic all at once.

• Seamless Progress Tracking: As an added bonus, any progress made in the smaller modules will automatically carry over into the corresponding larger course (and the other way around). This ensures that no effort is lost, and learners can switch between formats without missing a beat. If you have already completed one of these modules in the original course, this completion will be carried over into the smaller course as well.

What courses are now available as smaller courses?

The Finding and Fixing Web Application Security Vulnerabilities course is about 4 hours and 33 minutes long. It contains 13 modules in total.

All its core modules (except for the introduction) are now available as individual courses:

1. Finding and Fixing: Object Access Vulnerabilities

2. Finding and Fixing: Enumeration Vulnerabilities

3. Finding and Fixing: SQL Injection Vulnerabilities

4. Finding and Fixing: Configuration Vulnerabilities

5. Finding and Fixing: Operating System Injection Vulnerabilities

6. Finding and Fixing: Passwords and Authentication

7. Finding and Fixing: Session Vulnerabilities

8. Finding and Fixing: Cross Site Scripting Vulnerabilities (XSS)

9. Finding and Fixing: Using Components with Known Vulnerabilities

10. Finding and Fixing: Path Traversal Vulnerabilities

11. Finding and Fixing: Return of the SQL Injection

12. Finding and Fixing: XML External Entity (XXE) Vulnerabilities

The Finding and Fixing API Security Vulnerabilities course is about 2 hours and 29 minutes long. It contains 10 modules in total.

All its core modules (except for the introduction) are now available as individual courses:

1. Applying Security Concepts to Development and Operations

2. Finding and Fixing: Broken API Authentication Vulnerabilities

3. Finding and Fixing: Broken API Authorisation Vulnerabilities

4. Finding and Fixing: API Data Exposure Vulnerabilities

5. Finding and Fixing: API Resource Limitations Vulnerabilities

6. Finding and Fixing: API Mass Assignment Vulnerabilities

7. Finding and Fixing: API Injection Vulnerabilities

8. Finding and Fixing: API Misconfiguration and Mismanagement Vulnerabilities

9. Transitioning To Microservices or Hybrid Architectures

The Introduction to DevSecOps is about 3 hours and 19 minutes long. It contains 5 modules in total.

All its modules are now available as individual courses:

1. DevSecOps: Culture and Processes

2. DevSecOps: Cloud Security

3. DevSecOps: Securing Source Code and Deployment Pipelines

4. DevSecOps Defence

5. Strategically Growing DevSecOps

This update is all about giving you more control over your learning experience, while still offering the flexibility to choose the format that best suits your needs.