This post covers a topic I think many people implement poorly, which is security training targeting developers.
http://www.cgisecurity.com/2015/01/my-experience-with-developer-security-training.html
Regards,
Robert A.
http://www.cgisecurity.com/
http://www.qasec.com/
http://www.webappsec.org/