TechEcho

© 2025 TechEcho. All rights reserved.
Ask HN: Effective Application Security Training

2 points by baronswindle, almost 6 years ago
I work as a senior developer at an insurance company in a small department within a fairly large company. In the past, we've done department-wide AppSec training, but I've always been less than pleased with the methodology and the results.

The training is a combination of slides and practical exercises delivered and performed in-person and discussed in real time. The instructor has always been very knowledgeable, but while the content is somewhat tailored to our environment, they have limited familiarity with our applications and even less with the group's skill level.

Problems:

- Some employees come in with a good amount of app sec knowledge. Some come in with almost none. Accordingly, the content is too simple for some, while for others, it's like drinking from a firehose. Additionally, the same 2-3 people answer nearly all of the questions, leaving little time for those who need it most to wrestle with the problems themselves.

- Many don't recognize that some of the vulnerabilities demonstrated in the course were present in their own applications. I think they have trouble relating the content to their own work.

- We spend a fair amount of time on vulnerabilities that aren't as relevant in our typical stack and not enough on those to which we are more susceptible. For instance, CSRF isn't such a big concern for us. On the other hand, I know we have more than a few cases of insecure direct object references. Yet we probably spend as much or more time discussing the former.

I've brought these concerns to my manager. He wasn't here for the last training, but he's open to suggestions for improvement and has agreed to connect me with our CISO. I want to take full advantage of this opportunity. I have some ideas in my head, but I'd love to hear from others. Have you participated in a very effective app sec training regimen? What did they cover, and how did they decide what to cover? What was the format?
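The post singles out insecure direct object references (IDOR) as the class its team is actually susceptible to, and notes that developers struggle to connect a training slide to their own code. The following is an added illustration, not code from the post or from any project it mentions: a minimal "fetch a claim by id" handler in the vulnerable shape beside an ownership-scoped version, with a small helper that replays a list of requests through both so the difference is visible as data rather than as a slide. The `Claim` records, the `CLAIMS` table and the request list are all constructed sample data; there is no web framework involved, so the same logic applies whichever stack a team uses.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Claim:
    """Constructed stand-in for a row in an insurance claims table."""
    claim_id: int
    owner_id: int
    summary: str


# Constructed sample data: two claims owned by two different customers.
CLAIMS: Dict[int, Claim] = {
    101: Claim(claim_id=101, owner_id=1, summary="windshield replacement"),
    102: Claim(claim_id=102, owner_id=2, summary="water damage, kitchen"),
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def get_claim_idor(current_user_id: int, claim_id: int) -> Claim:
    """Vulnerable shape: the caller is authenticated (we know who they are),
    but the lookup keys only on the client-supplied id and never asks whether
    this user may see this record. Any logged-in user who supplies another
    id gets that customer's claim back."""
    # current_user_id is accepted but ignored; that omission is the IDOR.
    return CLAIMS[claim_id]


def get_claim_checked(current_user_id: int, claim_id: int) -> Claim:
    """Hardened shape: the lookup is scoped to the authenticated principal,
    so the object id alone is never sufficient to read the record."""
    claim = CLAIMS.get(claim_id)
    # Same failure for "does not exist" and "not yours", so the endpoint
    # does not confirm which ids are valid.
    if claim is None or claim.owner_id != current_user_id:
        raise Forbidden(f"user {current_user_id} may not access claim {claim_id}")
    return claim


def is_denied(current_user_id: int, claim_id: int) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        get_claim_checked(current_user_id, claim_id)
    except Forbidden:
        return True
    return False


def replay_requests(requests: List[Tuple[int, int]]) -> Dict[str, List[Tuple[int, int]]]:
    """Run each (user_id, claim_id) request through both handlers and report
    which ones the vulnerable handler would have served to a non-owner. This
    is the kind of concrete, stack-local evidence that makes an IDOR finding
    relatable in a code review or a training exercise."""
    leaked: List[Tuple[int, int]] = []
    denied: List[Tuple[int, int]] = []
    for user_id, claim_id in requests:
        if claim_id not in CLAIMS:
            continue  # vulnerable handler would raise KeyError; nothing leaks
        served = get_claim_idor(user_id, claim_id)
        if served.owner_id != user_id:
            leaked.append((user_id, claim_id))
        if is_denied(user_id, claim_id):
            denied.append((user_id, claim_id))
    return {"leaked_by_idor": leaked, "denied_by_check": denied}


# Constructed request log: user 1 reads their own claim, then user 2's.
SAMPLE_REQUESTS: List[Tuple[int, int]] = [(1, 101), (1, 102), (2, 102), (2, 999)]

if __name__ == "__main__":
    for key, value in replay_requests(SAMPLE_REQUESTS).items():
        print(key, value)
```

The ownership check lives next to the data access rather than in a separate "is admin?" gate, which is the habit the training would want to instil: every read or write of a user-owned object carries the principal into the query. Replaying a captured request log through both handlers, as `replay_requests` does, also gives a team a way to measure how much of their own traffic the vulnerable pattern would have exposed.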

no comments