For one reason or another, security never really gets the importance it deserves. From talking to folk about security over the years, it’s clear that many stick their head in the sand, cross their fingers and hope for the best; hope, however, doesn’t have a great reputation as a solid strategy!
The question of a major IT security incident is not ‘if’, but ‘when’. As we continue our headlong dive into global connectedness, the risks ahead of us are becoming greater, and the rewards for the criminal fraternity ever more lucrative. Whereas previously the worst threat to an organisation was reputational damage, now there are quite severe legal consequences if mistakes are made and secure systems are not provided. The European GDPR, for example, not only imposes fines of up to 4% of an organisation’s global revenue, but also imposes personal liability on individuals dealing in any way with information. This puts developers directly in the line of fire. That’s a scary thought: as developers and IT professionals, we can now be held personally legally responsible for incidents we were involved in and for which we cannot prove our due diligence.
Clearly, there are incentives to make security a core competency in our development teams, and like most other things, ‘doing it early and right’ is far more cost-effective than hammering down the doors when the horse has already bolted. Beyond that, acquiring skills in security is becoming a major differentiator in the jobs marketplace.
How do you teach security?
The key question, of course, is what can be done to change this: what can be done to engage our brains more, and make the hard parts not quite so hard.
I once asked my university professor this very question and his answer was, ‘make it fun.’ So how do you learn security? It’s easy: Make it a game and have fun.
I was introduced recently to a seriously cool new developer platform that in my opinion is literally a game changer (and I don’t give that accolade lightly). Secure Code Warrior is an online platform that enables developers to build their security skills using an extremely novel gamification platform. Whereas the traditional approach is documents and videos, the Secure Code Warrior approach is a blended combination of everything. The platform provides learning content in short, easy to absorb chunks, that allows you to interact with live code in a browser-based IDE to test the new secure coding skills you have learned. If it were simply that, like a Katacoda on steroids, it would be fantastic. Well, it’s not only that but a lot more, and it’s awesome!
The skills you learn using Secure Code Warrior cover over 150 types of vulnerabilities, including the OWASP Top 10 – this is very important to note. The Open Web Application Security Project is a global organisation that has done tremendous work over the years in formalising and promoting best practice in application security. Amongst other things, it provides the OWASP standard: a baseline of impartial, practical and cost-effective security best practice that can be used to establish a level of confidence in application security both within an organisation and towards external parties (like customers and regulators), to demonstrate a commitment to security. The importance of the alignment to the OWASP standard is that it is vendor-neutral, industry recognised and widely respected, and is not simply learning a single tool. The Secure Code Warrior platform teaches real-world skills, in the coding language of your choice, that are applicable to every industry on every platform, be that Enterprise, Cloud, Mobile or IoT.
The Secure Code Warrior Playground
Using Secure Code Warrior is very direct and to the point: the reason you are there is clear from the time you log in, with the interface driving the three pillars that are the core of how the system works: ‘learn, practice, demonstrate’.
If you have never learned using gamification before, you are in for a real treat. The general theme is that you watch a short summary video that gives you the fundamentals of a concept; following this, you are invited to explore a browser-based development console, where you examine the code presented to you in the context of the concept you have just learned.
These are not your usual screenshots or slides; you are completely immersed in a functioning development environment. It’s not all hard graft, however – in the early stages, you get comfortable with things by comparing different code options and deciding which is the right one. If you get stuck, there are of course hints in place, but if you are like me, you’ll prefer to go back to the video to see if you’ve missed anything rather than give in to the easy route; regardless of developer pride, there’s help on hand if you need it.
As you progress you are brought through different security problems, with everything always aligned back to OWASP standards and best practice. It doesn’t end when you have passed through the general training at different levels with flying colours. The devious folk at Secure Code Warrior up the ante and invite you into the war-room to be at the frontline of a simulated cyber-attack. Here you must find the vulnerabilities in the code, defend your code and beat away dastardly hackers. Believe me, it’s serious fun.
Game-playing tends not to be a singleton sport, and even if you are playing in a cave against the machine you are in competition, trying to beat the AI and your own score. Secure Code Warrior recognises the benefit of challenge, peer competition and recognition, so you get to compete against others in your organisation and progress up the leaderboard to greatness.
Core learning is segmented into several groups, starting with general application security concepts and web app security 101, then getting more specific and looking at the different types of weaknesses and vulnerabilities you need to be aware of, and what needs to be done about them, in the mobile and web space.
Each group comprehensively covers the key areas that lead to security incidents, starting with least privilege (implementing it, and being able to identify and remediate where it is missing), secure error checking, logging and more. It’s not only about code of course, and the learning also covers the important aspects of security you need to know in relation to data protection.
Learn in the Language of your choice
One of the problems I see with security training for developers is that it tends to be very generic – that’s all well and good, but at the end of the day we write our code in a multitude of different languages, to say nothing of the various frameworks we use in Enterprise, Mobile and the Web. Secure Code Warrior is not restricted to generic pseudocode and has extremely comprehensive coverage of a wide range of languages. The range includes the ones you would expect like C#, Java, Python and PHP, platform-specific examples like Objective-C and Swift, as well as critical legacy languages such as COBOL. No laughing matter, since COBOL is still widely used in the finance sector and runs more critical systems than you can imagine!
Your mission, should you choose to accept it…
Once you have learned the skills you need, you can get stuck into coding missions, and these are seriously fun. Mission control provides you with an overview of the challenge ahead. Active missions are listed, telling you the kind of mission, for example sensitive data exposure or XSS injection, and both the skill and security maturity level needed to complete the mission.
Hackers and cybercrime do not respect national boundaries – you could equally be attacked by someone operating out of a café down the road or by a rogue actor from one of the professionally organised cybercrime groups. Reflecting real life, the mission control interface gives every nation a bite of the hacker pie.
Before you commence a mission, you are given a briefing and expected outcome (in other words, from an education viewpoint, the lesson objective and expected outcome).
Missions are carried out inside a web-based IDE – if you’ve used any code editor ever, you’ll be comfortable with this one. An important point to make here is that being presented with interactivity laid out in this way is by design, not accident. As developers, we work in a certain way, we expect our code syntax to be colour coded, we expect to see line numbers in the gutter, and we expect to be able to navigate through our file structure using familiar IDE patterns. By seeing our code in familiar surroundings, we are cognitively far more likely to engage strongly with the material being presented.
Follow the leader
One of the key features of gamification is enabling peer encouragement and recognition. Every action you take inside the Secure Code Warrior platform gains you points, and these accumulate to push you up the leaderboard rankings. Some folk are not comfortable with this, and that’s OK; they don’t have to use their own name, and in fact, by default users are anonymised. The aim of the game here is not to name and shame, it’s to help people know how they are stacking up against their peers.
One of the things that is important to know as we proceed in gaining new skills is how we are improving against the required baseline: where we are clear and, critically, where we need to focus to improve our weaknesses. By comparing the results of your mission and assessment progress, the application provides a very clear map that illustrates where your strengths and weaknesses lie.
Secure Code Tournaments
In addition to keeping score of how you progress as normal, there is also another level of excitement that can be brought to the table. The system allows organisations to host ‘secure coding tournaments’, where multiple developers work at the same time to stop ongoing large-scale attacks on the virtual system. Some organisations with offices in different locations have held live tournaments, with not only individual developers, but also offices and teams competing against each other in real-time.
If you work hard at something, it’s good to get some recognition. Secure Code Warrior allows the user to have their secure coding achievements public or private, and uniquely, to display their expertise on their LinkedIn profile page.
Learning about security is no longer optional
In the bad old days, everything was siloed. We had a department to look after IT operations, another for security, another for database server management. Those days, for better or worse, are behind us, and as a community and progressive modern organisations, we strive towards continuous improvement and team-based ownership.
It is no longer acceptable to point the finger of blame after the fact – it is incumbent on every organisation to ensure that they embed security as a foundational core competency of the organisation and make it an important part of the regular culture.
At the start of this article, I said that it is accepted that a security incident is not a matter of ‘if’ but ‘when’. By empowering your developers as the first line of defence, you are giving your organisation the very best possible chance of pushing that ‘when’ out as far as possible. In addition, even when the dreaded day happens, you can rest easy knowing that you really have done your very best and, critically, can prove it to both the powers that be and your customers.
Secure Code Warrior represents seriously good value. If you hold the purse-strings, give it a try and make your developers happy – if you’re a developer, tell the boss how to make you happy by letting you try it out!
In the Internet era, we cannot afford NOT to invest in security; empower your developers to make everyone a hero, and sleep easy.