Photo of Timely team outside


Helping Timely build secure applications from design to delivery

Timely needed secure development training to help them reduce their application risk and give their customers the highest quality digital product possible.

As firm believers in cyber security being a shared responsibility, Timely appreciates how SafeStack Academy helps them build secure development practices into their software development lifecycle, from initial design all the way through to product delivery.

“Providing high-quality security training to our product teams is a cornerstone of our overall plan for creating a more secure product and software delivery lifecycle, and SafeStack Academy meets our needs perfectly.”

Camille Marsigny
Information Security Lead, Timely

Founded in Dunedin, New Zealand in 2011, Timely provides powerful online booking and business management software to about 20,000 businesses in the beauty industry around the world.

Their team of over 100 remote workers is spread across the globe, with offices in New Zealand, Australia, and the United Kingdom. 

Timely’s product teams include about 30 developers and quality assurance testers, who are all enrolled in SafeStack Academy’s Secure Development programme and are working their way through all the available content. Timely’s product owners also get access to SafeStack Academy courses so they can improve their cyber security knowledge.

Prioritising trust and application security

In 2019, Timely was growing steadily, and it was time for them to bring payment services into their software. Understandably, making sure customers could trust Timely was — and still is — a high priority.

As an organisation using Agile methodologies, Timely’s developers were delivering code several times a day, and they needed to be sure security was built into their app from the start. A key part of this was their people having the confidence to do their own threat assessments, as well as understanding and properly implementing security requirements.

Our main driver for training our teams in secure development is the need to deliver secure code. Security should be the responsibility of all teams — not only the security team — and it needs to be considered from design to delivery.

Camille Marsigny, Information Security Lead

Before Timely signed up for SafeStack Academy, they’d worked with our advisory team (now operating as SafeAdvisory) to improve Timely’s security governance. Following on from this, Timely wanted to boost their product security and their team’s overall level of cyber security knowledge.

When SafeStack Academy launched in 2020, Timely joined as an early customer and have seen great results since then.

The right combination of secure development content

Timely needed courses that covered high-level security principles and concepts, as well as more in-depth content with concrete examples of implementation.

With its combination of these elements as well as hands-on labs where learners can test their knowledge, SafeStack Academy’s Secure Development programme has proven to be the perfect fit for Timely.

Camille notes that SafeStack Academy’s systems-level approach to secure development means the courses cover a wide range of security concepts, and says they appreciate the monthly seminars and regular course releases.

SafeStack Academy’s labs were a great way to reinforce key security concepts. They were fun, too!

Elwyn Benson, Front End Development Lead

Having joined in the early days of SafeStack Academy, the Timely team has also enjoyed seeing new features and content become available. They mention the clarity of course content and using the labs as a way to apply the concepts they learn as particular highlights of their learning experience so far.

Incentivising training with friendly competition and support

Because this was the first security training programme Timely had introduced, they wanted to do everything they could to make it a success. 

They set up a challenge between their product teams, with the winning team (who won a session at an escape room) being the first one to have all their developers and testers complete three of the foundational courses:

Timely also supported their learners by running a workshop to help people solve the labs and develop their understanding of concepts if needed. 

The combination of these initiatives has made the uptake and completion rates for the Secure Development programme something Timely can be proud of. All their developers and testers have now completed the three courses mentioned above, and these courses are also built into onboarding training for new hires in these roles.

Measuring cyber security success

At the same time as Timely rolled out SafeStack Academy training, they also began using an automated risk assessment that product teams run during refinement sessions for each of their work items.

One of the main requirements of having security training in place was to help Timely’s product teams understand what the risk assessment was telling them, as well as the security requirements it was generating.

Between the training and the risk assessment, Timely has found its product teams are now more aware of their impact on application security and they’ve developed new and improved security habits.

We’re definitely catching more vulnerabilities before delivery now, which means we’re reducing application risks.

Camille Marsigny, Information Security Lead

As Timely continually improves its software delivery lifecycle, they’ll keep training their developers and testers through SafeStack Academy, with the potential to enrol more of their team as well.

We’re thrilled to help Timely strengthen the security of their product and we look forward to seeing what improvements they’ll make next.

Try SafeStack Academy

Find out more about our programmes and start your 14 day trial today.