Customer story

Client: Skyscanner
Location: London, UK
Industry: Internet
Number of developers: 100+
Solutions: Continuous learning, regular workshops, onboarding

The Company

Skyscanner is a leading travel marketplace and metasearch engine, enabling millions of users to search for and book flights, accommodation, and car-hire all over the world. Founded in 2003, Skyscanner has come a long way, evolving into a global brand with more than 1000 employees across the globe. Their mission is to lead the transformation to modern and sustainable travel.

The Challenges

Data security is taken extremely seriously at Skyscanner. At the company, developers needed to learn more about insufficient monitoring, lack of or incomplete input data validation, and the use of libraries with known vulnerabilities. To make sure their data was well protected, Skyscanner security team leaders decided to organize workshops for software engineers and developers. The main goal of these workshops was to raise security awareness, learn about vulnerabilities, and build a mindset that contributed to overall data security. Ultimately, Skyscanner aims to encourage engineers to consider security from the beginning when they are designing new features.
Depending on the target audience, three main types of workshops were implemented: regular onboarding workshops for newcomers (5-15 people), team-focused workshops for groups (15-20 people), workshops for Security Champions (approx. 60 people), and an engineering-wide workshop (open to all engineers, more than 100 people).

“Avatao has many attractive features, particularly the hands-on exercises combined with reading materials make it easier to bring concepts to practice.”

Sandra Guasch Castelló
Senior Security Engineer, Skyscanner

Solutions

By using Avatao, Skyscanner provides continuous security training for developers, the first pillar of a security-conscious culture. With optional attendance at the workshops, software engineers and security champions were able to find the exercises that best fit their skills. As an example, a 90-minute workshop was scheduled in which content was broken down into four modules focused on four different topics, each with a variable number of exercises (7-17), including tutorials and challenges at different difficulty levels. At the beginning of the workshop, two people explained the basics of the platform, and participants were then encouraged to choose a module to start with, joining other colleagues working on the same exercises in a separate online call. People were even able to continue the exercises after the workshop. The self-guided nature of Avatao’s challenges allowed participants to complete the exercises in whatever way fit their schedule.

Results

The overall reception of Avatao’s training was very positive. Exercises related to recent security breaches, as well as topics such as Java, Python, and web technologies, were the most popular among the participants. The exercises gave developers a great way to improve their security skills. Skyscanner will continue to use Avatao to reinforce their developers’ knowledge against security threats to come. Specifically, Skyscanner plans to set up regular workshops in the future focused on vulnerabilities found in their systems, combined with some theory prior to having the workshop.
