Monday, February 20, 2017

Weekly Activity Summary Reports through Email

We have received a lot of feedback from managers on how important it is for them to keep track of user engagement on the Secure Code Warrior platform.

Understanding key metrics and being able to report on these over time using the existing CSV download has proven to be very useful in not only measuring engagement over time but also measuring the progress of users. Using the data available managers can gain useful insights such as the ability to see what effect time spent on the platform has had on the secure coding skills of their developers as well as being able to identify key areas for improvement.

Tracking activity on a regular basis and reporting is something that our clients tell us they do to ensure the success of the platform. To help with this we have created Weekly Activity Reports that Team Managers and Company Admins have the option to receive weekly via email.

The email report provides managers with a snapshot of the activity of users on the Secure Code Warrior over the past week:
  • User Summary - overview of total, invited, enabled and new users who joined.
  • Training Summary - statistics on time spent, top performers and most engaged users in the last 7 days.
  • Assessment Training Summary - overview of the activity of users invited to complete assessments.
Company Admins can enable these weekly activity reports via the preferences in their account settings.

Weekly Activity Summary Report


Tuesday, February 7, 2017

Serious Games - how you can use Secure Code Warrior in your organisation


In the past twelve months, we have been closely engaging with our early adopter clients to understand how they are using Secure Code Warrior, what objectives they were trying to achieve and how their usage evolved over time. We observed that the type of rollout depended heavily on their own objectives, the challenges they were trying to solve and their maturity in cybersecurity and training:

"There is no security culture in our development community"
  • They had tried classic computer-based training (CBT), and for most products on the market developers responded: "boring", "not relevant", "too high-level".
  • They had organised classroom training, and its quality depended heavily on the trainer, the developers' experience with the programming language and the skill level of the developers in the class.
They want something which ENGAGES the developers and makes them AWARE of security issues in software development.

"There is awareness but it does not result in fewer vulnerabilities"
  • They felt that everyone understood the importance of security but it was not always consistently applied in the code and the source code analysers consistently found the same flaws.
They want something which allows the developers to PRACTICE on different situations and to measure the overall SKILL level of the developer community.

"There is a trained developer community but we need it formalised to compare internal and suppliers"
  • Suppliers, contractors or new starters did not have the same level of training the internal developers had received.
  • Company or cultural context requires certificates to be handed out upon achieving objectives
  • A career path or skill progression model was required
They want to formally assess the SKILL level of the developer community and suppliers.


Friday, January 27, 2017

Happy 2nd Birthday Secure Code Warrior!

It has been two years now since we made a leap into the unknown and started working on our mission to change the (insecure) behavior of thousands of developers globally.
  • 20,000 hours of hands-on exercises have been consumed in the last year by developers located in 62 countries. Every day around 100 users are online improving their secure coding skills because they want to become better and more secure developers.
  • Two global banks and two US credit companies are our customers, as they understand that moving faster (Agile/DevOps) means automation and more autonomy (also in security architecture and secure coding). Most of them have realised that video training has failed to build skills and that classroom training is not scalable or economically efficient for hundreds of developers.
  • We released more than 50 free learning modules on secure coding under Creative Commons (allowing any person or company to re-use them) and have facilitated free hands-on workshops on secure coding at NDC Sydney, OWASP Melbourne, OWASP BeNeLux, OWASP London, OWASP Delhi, CyberSecurityChallenge Belgium and NULL Singapore.
  • Next to our hands-on Training Mode, we have built Assessment Mode to verify competency and Tournament Mode (in beta) to create the required engagement with developers by gamifying even further. Next to supporting JAVA Spring, JAVA Enterprise and C# MVC, we have added hundreds of challenges for C# MVC, Node.js, Ruby on Rails and Python Django.
We expanded our sales and engineering capabilities and are now present in Boston, London, Sydney, Bangalore and Bali (our engineer with the best work-life balance).

We also received quite a lot of support from early-adopter clients (in Australia, Switzerland, the US and Belgium), with lots and lots of valuable feedback that has led to all the improvements, content and new features! And a year later, all of them are still our clients.

Last, we have received significant support from CSIRO Data61 (Australia, thanks Daniella), Craig Davies (ex-Atlassian, ACSGN) and an awesome bunch of individuals that have written articles, talked or tweeted about us. Thanks for your support.

We are extremely proud of having achieved all the above in our 2nd year! Toddler years ... bring it on!

Pieter

Wednesday, November 23, 2016

Engagement Metrics Enhancements

Several of our clients have asked to be able to see the progress of their developers over a period of time, to understand how they are progressing and at what rate. To help address this we have added some new metrics that allow them to measure this better.


Team Managers and Company Admins can now view changes in developers' statistics over a period of time. This can be used to visually track user progress through the management leaderboard, or through a CSV extract which can be used for further reporting.


Progress of points and hours spent are shown over a specified period

CSV snapshots can be used to perform analysis on these newly added engagement metrics. Managers can get a view of which users have played the most challenges or who have improved the most over a chosen period of time. This type of reporting can help to identify things such as those who are eligible for rewards and those that have not been spending enough time on the training.

CSV results with additional metrics

By default, these metrics are turned off in the leaderboard. These can be enabled in the company preferences module.

Ability to switch on time metrics in company preferences

Monday, October 31, 2016

Releasing Application Security Fundamentals - secure coding learning resources under CC BY-ND 4.0 for everyone to use

Back in April 2016, we released the OWASP Web App Top 10 (2013) slide packs and in September 2016 the OWASP Mobile Top 10 (2014). Today, we are making the Application Security Fundamentals slide packs available:


  • Least Privileges
  • Secure by Default
  • Defense in Depth
  • Robust Error Checking
  • Trust No Input
  • Open Design
  • Fail Securely
  • Simplicity / Reuse
  • Logging
  • Data Protection / Privacy

You can find all the slides on the following locations:
We have opted to create very concise and short modules for each topic, so everyone can decide for themselves whether to use these in a classroom setting and cover several modules, or use them in an online environment and give developers bite-size things to learn. Each slide pack covers:
  1. Summary slide of the topic
  2. One or more practical scenarios to better understand the vulnerability concept and root cause
  3. Examples of potential impact
  4. Recommendations on how to avoid writing these vulnerabilities
Here is a sample module on Data Protection & Privacy

Application Security Fundamentals

At Secure Code Warrior, we want to help not only students and professionals in Australia but also in the rest of the world and we are doing that today by providing teaching material on Secure Coding under "Creative Commons - Attribution-NoDerivatives 4.0 International". This comes down to:
  • Sharing — everyone can copy and redistribute the material in any medium or format, for any purpose, even commercially.

Tuesday, September 20, 2016

Releasing OWASP Mobile Top 10 (2014) - secure coding learning resources under CC BY-ND 4.0 for everyone to use

Back in April 2016, we blogged about releasing the OWASP Web App Top 10 (2013) slide packs and promised to make the OWASP Mobile Top 10 (2014) available as well.


Well, today we are giving this away for free to everyone. You can find all the slides on the following locations:
We have opted to create very concise and short modules for each topic, so everyone can decide for themselves whether to use these in a classroom setting and cover several modules, or use them in an online environment and give developers bite-size things to learn. Each slide pack covers:
  1. Summary slide of the topic
  2. One or more practical scenarios to better understand the vulnerability concept and root cause
  3. Examples of potential impact
  4. Recommendations on how to avoid writing these vulnerabilities
Here is a sample module on Unintended Data Leakage

OWASP Top 10 - Mobile

The following modules are currently available and cover the OWASP Top 10 for Mobile Applications:
  • M1 - Weak Server Side Controls
  • M2 - Insecure Data Storage
  • M3 - Insufficient Transport Layer Protection
  • M4 - Unintended Data Leakage
  • M5 - Poor Authorization and Authentication
  • M6 - Broken Cryptography
  • M7 - Client Side Injection
  • M8 - Security Decisions Via Untrusted Input
  • M9 - Improper Session Handling
  • M10 - Lack of Binary Protections


At Secure Code Warrior, we want to help not only students and professionals in Australia but also in the rest of the world and we are doing that today by providing teaching material on Secure Coding under "Creative Commons - Attribution-NoDerivatives 4.0 International". This comes down to:
  • Sharing — everyone can copy and redistribute the material in any medium or format, for any purpose, even commercially.

Monday, August 22, 2016

New Platform Features for August 2016

Another month goes by, another set of new features and improvements. For this month, we have:

  1. Improving the "Select the Vulnerability Category" challenges
  2. Administration improvements allowing custom tagging of developers for reporting
  3. Assessment improvements by enabling assessment CSV downloads

More details on these can be found here below.

Select the "Vulnerability Category" improvements

We have received a lot of feedback from developers on the "select the vulnerability category" challenges in the platform. Developers found it hard to choose from the long list of vulnerability categories and struggled to identify the correct terminology for the vulnerability.

To address this, we have changed the structure of the question. Instead of a long list of vulnerability terms to choose from, the developer will be given only 4 to 6 options to pick the correct answer from. This should remove any ambiguity (is this a CSRF problem? Or a session management problem? Or both?) and make the challenges better at teaching the taxonomy of security vulnerabilities.

Old way to select the vulnerability category from a long list of options


New way to select the vulnerability category from a small number of options

Administration Module - Assigning custom tags to developers for reporting


Company Administrators can now assign custom tags to individual developers. Examples could be:
- Country where the developer is located
- Business Unit where the developer resides
- Seniority within the developer group
etc.

These tags can be used later as reporting filters. We are modifying the CSV downloads to include these custom tags.
Tags are assigned to an individual
Assessment Module - Download results as CSV

We have added a download-to-CSV function to the platform, which allows managers to download the results of all developers for a particular assessment. This will allow managers to carry out further analysis of these results.


To download the results of an assessment for all developers, click into the assessment and click on "Download CSV"


CSV results of assessment