diff --git a/doc/security/secure-coding.rst b/doc/security/secure-coding.rst index fe712eea82c..579622999b4 100644 --- a/doc/security/secure-coding.rst +++ b/doc/security/secure-coding.rst @@ -206,6 +206,13 @@ injection, OS injection, classic buffer overflow, cross-site scripting, missing authentication, and missing authorization. See the `CWE/SANS top 25`_ or `OWASP Top 10`_ for commonly used lists. +A free class from the nonprofit OpenSecurityTraining2 for C/C++ developers +is available at `OST2_1001`_. It teaches how to prevent, detect, and +mitigate linear stack/heap buffer overflows, non-linear out of bound writes, +integer overflows, and other integer issues. The follow-on class, `OST2_1002`_, +covers uninitialized data access, race conditions, use-after-free, type confusion, +and information disclosure vulnerabilities. + .. Turn this into something specific. Can we find examples of mistakes. Perhaps an example of things static analysis tool has sent us. @@ -213,6 +220,10 @@ scripting, missing authentication, and missing authorization. See the .. _OWASP Top 10: https://owasp.org/www-project-top-ten/ +.. _OST2_1001: https://ost2.fyi/Vulns1001 + +.. _OST2_1002: https://ost2.fyi/Vulns1002 + Zephyr Security Subcommittee ============================
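Review bot: In the first hunk (the new OpenSecurityTraining2 paragraph) the added text is inserted between the CWE/OWASP sentence and the existing RST comment `.. Turn this into something specific. Can we find examples of mistakes.`, which refers to that list of mistake categories; the TODO comment now annotates the training-class paragraph instead. Consider placing the new paragraph after the comment block, or moving the comment up so it stays next to the text it describes. Minor wording in the same paragraph: "non-linear out of bound writes" should read "non-linear out-of-bounds writes", matching the hyphenation used for "use-after-free" in the next sentence.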
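Review bot: In the second hunk the new link targets `.. _OST2_1001:` and `.. _OST2_1002:` define reference names that also become the rendered link text in the paragraph above (`OST2_1001`_ renders literally as "OST2_1001"), which is less readable than the descriptive names the file already uses (`OWASP Top 10`_, `CWE/SANS top 25`_). Suggest descriptive names such as `.. _OST2 Vulnerabilities 1001:` with the paragraph updated to match, and the blank-line spacing between targets already matches the surrounding entries, so no change needed there.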