The new paradigm for raising up secure software engineers
Emilio Pinna, director and co-founder of developer security training platform SecureFlag, says this represents a fundamental shift in what security awareness training needs to cover. “Five years ago, industry training taught specific patterns: ‘Don’t do this. Always do that,’” he says. “Today, training should also focus on the underlying principles so developers can evaluate any code, regardless of how it was generated.”

Developers need to recognize when AI-generated code introduces unsafe assumptions, insecure defaults, or integrations that can scale vulnerabilities across systems. And with more security enforcement built into automated engineering pipelines, developers should ideally also be trained to understand what automated gates catch, and what still requires human judgment. “Security awareness in engineering has shifted to a system-level approach rather than focusing on individual vulnerabilities,” Pinna says. “This includes issues such as identity and access control, dependencies, and supply-chain risks.”

Threat modeling as a core competency

This system-level thinking should also elevate the need for greater developer fluency in threat modeling, says Yasar. He notes that threat modeling has historically been difficult for product security and engineering teams to operationalize at scale. One of the longstanding barriers to practical threat modeling was the knowledge required to build effective threat models. Teams struggled to understand enough about the organizational context of how applications were being used, the architecture, and the relevant risks to tie it all together and identify the most relevant potential threats.
