GRCWatch
Sign inStart free trial

CIS Control 16.9: Train Developers in Application Security Concepts and Secure Coding

Application vulnerabilities often stem from insecure coding practices rather than infrastructure gaps. CIS Control 16.9 mandates formal security training for all developers at hire and ongoing, establishing a security-first culture in your engineering organization. This foundational control significantly reduces the likelihood of exploitable code reaching production.

What this means

CIS 16.9 requires your organization to provide structured training to every software developer covering secure coding principles, threat modeling, and application security standard practices relevant to their specific development environment and role. Training must occur during onboarding and should include a threat model review of applications as part of the new hire process. The goal is to embed security thinking into the development lifecycle rather than treating it as an afterthought.

How to comply

  1. 1.Develop or procure a mandatory secure coding curriculum tailored to your primary development languages and frameworks
  2. 2.Require all developers to complete application security training within 30 days of hire
  3. 3.Incorporate threat modeling as a hands-on component of developer onboarding
  4. 4.Document training completion and threat modeling exercises for each developer
  5. 5.Update training content annually to address emerging vulnerabilities and new attack vectors
  6. 6.Track attendance and competency assessments to ensure knowledge retention
  7. 7.Establish a security champions program within development teams to reinforce learning

Evidence auditors look for

  • Training records showing all developers completed secure coding coursework with dates and scores
  • Threat modeling documentation completed during onboarding for new hires
  • Curriculum materials covering OWASP Top 10, injection attacks, authentication flaws, and framework-specific security
  • Attendance logs and completion certificates from security training sessions
  • Threat model templates and examples used during onboarding
  • Annual training schedule with updated content addressing newly discovered vulnerabilities
  • Quiz or assessment results demonstrating developer comprehension of secure coding concepts

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates training completion tracking, maintains audit-ready evidence of developer certifications and threat modeling exercises, and flags missing developer onboarding compliance—eliminating manual spreadsheets and ensuring no new hire falls through the cracks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 17.1 — Establish and Maintain a Security Awareness ProgramCIS 18.1 — Establish and Maintain a Data Security ProgramCIS 3.13 — Address Unauthorized SoftwareNIST 800-53 SA-3 — System Development Life Cycle