Snyk Learn and the NIST Cybersecurity Framework (CSF)

NIST (National Institute of Standards and Technology) recently released its revamped cybersecurity framework (CSF), aptly called NIST CSF 2.0. The CSF previously had five functions: Identify, Protect, Detect, Respond, and Recover. With 2.0, there is now a sixth: Govern. While Snyk plays an important role in application security and governance, in this blog, we're going to look at the function Snyk Learn plays in CSF 2.0: Protect.

CSF 2.0: Protect

The CSF has a specific category within Protect called Awareness and Training (PR.AT). Many organizations that adopt this voluntary framework will spend their resources fulfilling this category by adopting tools or training for all employees to level up their cybersecurity skills and knowledge. Topics such as strong passwords, phishing attacks, and ransomware will be discussed. Having a baseline of cybersecurity knowledge within an organization will certainly help protect data and privacy. In fact, it has been shown that security awareness training within an organization will reduce successful phishing attacks. 

But rather than focus on end-user attacks, Snyk Learn takes a developer-focused approach to security training. Instead of covering phishing attacks, Snyk Learn covers specialized cybersecurity topics such as SQL injection, cryptography, server-side request forgery (SSRF), and more. These topics are crucial for developers to know in order for them to reach a baseline of current cybersecurity knowledge within their domain. The goal of Snyk Learn is to help developers build security into their applications from the start so there are fewer attack opportunities in production.

Not all employees need to understand cybersecurity from the developer's perspective. A new employee in marketing won’t benefit from training on memory leaks. However, a junior developer who recently graduated with a Computer Science degree may not have the necessary knowledge to prevent insecure code from making its way into production.

Training is a key to security adoption

Developer training should not be overlooked when adopting a cybersecurity framework for your organization. Snyk helps you empower developers with foundational security knowledge on how to avoid common vulnerabilities, so teams can embed security earlier in the SDLC and reduce risk across the business. 

Snyk Learn, our developer-first cybersecurity education platform, is aligned with the NIST National Initiative for Cybersecurity Education (NICE) Framework. We provide a comprehensive and standardized approach to cybersecurity education that equips learners with the knowledge, skills, and abilities required for a successful career in the cybersecurity industry.

Take one of our free, on-demand classes today or settle in and finish an entire learning path this week. Here are some options you may enjoy:

• Security for Developers (16 lessons)

• OWASP Top 10 (10 lessons)

• Cross-site scripting (XSS)

• Directory traversal

• Logging vulnerabilities

• Prompt injection (for LLMs)

Beyond developer security education, the Snyk developer security platform also supports 10+ compliance standards — including NIST, CIS Benchmarks for AWS, Azure, and Google Cloud, SOC 2, PCI-DSS, ISO 27001, HIPAA, and more. Through continuous monitoring across your cloud/IaC environments and ongoing mapping to industry benchmarks and compliance standards, Snyk provides meaningful evidence to help teams prepare for audit and achieve regulatory compliance.