Wednesday, November 23, 2016

Engagement Metrics Enhancements

Several of our clients have asked to be able to see the progress of their developers over a period of time, so they can understand how their developers are improving and at what rate. To address this, we have added some new metrics that let them measure this more precisely.


Team Managers and Company Admins can now view changes in developer statistics over a period of time. This can be used to visually track user progress through the management leaderboard, or through a CSV extract which can be used for further reporting.


Progress of points and hours spent are shown over a specified period

CSV snapshots can be used to perform analysis on these newly added engagement metrics. Managers can see which users have played the most challenges, or who has improved the most over a chosen period of time. This type of reporting can help to identify, for example, developers who are eligible for rewards and those who have not been spending enough time on the training.

CSV results with additional metrics

By default, these metrics are turned off in the leaderboard. These can be enabled in the company preferences module.


Ability to switch on time metrics in company preferences




Monday, October 31, 2016

Releasing Application Security Fundamentals - secure coding learning resources under CC BY-ND 4.0 for everyone to use

Back in April 2016, we released the OWASP Web App Top 10 (2013) slide packs and in September 2016 the OWASP Mobile Top 10 (2014).  Today, we are making the Application Security Fundamentals slide packs available:


  • Least Privileges
  • Secure by Default
  • Defense in Depth
  • Robust Error Checking
  • Trust No Input
  • Open Design
  • Fail Securely
  • Simplicity / Reuse
  • Logging
  • Data Protection / Privacy

You can find all the slides on the following locations:
We have opted to create very concise and short modules for each topic, so everyone can decide for themselves whether to use these in a classroom setting and cover several modules, or use them in an online environment and give developers bite-size things to learn. Each of the slide packs covers:
  1. Summary slide of the topic
  2. One or more practical scenarios to better understand the vulnerability concept and root cause
  3. Examples of potential impact
  4. Recommendations on how to avoid writing these vulnerabilities
Here is a sample module on Data Protection & Privacy


At Secure Code Warrior, we want to help not only students and professionals in Australia but also in the rest of the world and we are doing that today by providing teaching material on Secure Coding under "Creative Commons - Attribution-NoDerivatives 4.0 International". This comes down to:
  • Sharing — everyone can copy and redistribute the material in any medium or format, for any purpose, even commercially.

Tuesday, September 20, 2016

Releasing OWASP Mobile Top 10 (2014) - secure coding learning resources under CC BY-ND 4.0 for everyone to use

Back in April 2016, we blogged about releasing the OWASP Web App Top 10 (2013) slide packs and promised to make the OWASP Mobile Top 10 (2014) available as well.


Well, today we are giving this away for free to everyone. You can find all the slides on the following locations:
We have opted to create very concise and short modules for each topic, so everyone can decide for themselves whether to use these in a classroom setting and cover several modules, or use them in an online environment and give developers bite-size things to learn. Each of the slide packs covers:
  1. Summary slide of the topic
  2. One or more practical scenarios to better understand the vulnerability concept and root cause
  3. Examples of potential impact
  4. Recommendations on how to avoid writing these vulnerabilities
Here is a sample module on Unintended Data Leakage




OWASP Top 10 - Mobile

The following modules are currently available and cover the OWASP Top 10 for Mobile Applications:
  • M1 - Weak Server Side Controls
  • M2 - Insecure Data Storage
  • M3 - Insufficient Transport Layer Protection
  • M4 - Unintended Data Leakage
  • M5 - Poor Authorization and Authentication
  • M6 - Broken Cryptography
  • M7 - Client Side Injection
  • M8 - Security Decisions Via Untrusted Input
  • M9 - Improper Session Handling
  • M10 - Lack of Binary Protections




At Secure Code Warrior, we want to help not only students and professionals in Australia but also in the rest of the world and we are doing that today by providing teaching material on Secure Coding under "Creative Commons - Attribution-NoDerivatives 4.0 International". This comes down to:
  • Sharing — everyone can copy and redistribute the material in any medium or format, for any purpose, even commercially.

Monday, August 22, 2016

New Platform Features for August 2016

Another month goes by, another set of new features and improvements. For this month, we have:

  1. Improving the "Select the Vulnerability Category" challenges
  2. Administration improvements allowing custom tagging of developers for reporting
  3. Assessment improvements by enabling assessment CSV downloads

More details on these can be found here below.

Select the "Vulnerability Category" improvements

We have received a lot of feedback from developers on the "select the vulnerability category" challenges in the platform. Developers found it hard to choose from the long list of vulnerability categories and struggled to identify the correct terminology for the vulnerability.

To address this, we have changed the structure of the question. Instead of a long list of vulnerability terms to choose from, the developer is given only 4 to 6 options from which to pick the correct answer. This should remove ambiguity (is this a CSRF problem? A session management problem? Or both?) and make the challenges a better way to learn the taxonomy of security vulnerabilities.

Old way to select the vulnerability category from a long list of options


New way to select the vulnerability category from a select number of options

Administration Module - Assigning custom tags to developers for reporting

Company Administrators can now assign custom tags to individual developers. Examples could be:
- Country where the developer is located
- Business unit where the developer resides
- Seniority within the developer group
etc.

These tags can be used later as reporting filters. We are modifying the CSV downloads to include these custom tags.
Tags are assigned to an individual





Assessment Module - Download results as CSV

We have added a download-to-CSV function to the platform which allows managers to download the results of all developers for a particular assessment. This will allow managers to carry out further analysis of these results.


To download the results of an assessment for all developers, click into the assessment and click on "Download CSV"


CSV results of assessment

Thursday, August 4, 2016

Big Four Bank puts 4000 devs through security training


Major Aussie banks on Sydney's Secure Code Warrior

Secure Code Warrior has signed a A$1 million three-year deal with a major Australian Big Four bank to strengthen the secure coding skills of 4000 software developers.

Under the arrangement, Secure Code Warrior will supply innovative hands-on training exercises to the bank that teach developers not only to find vulnerabilities but also to identify patches for the respective flaws.

Courses follow a gamification model in which points are awarded to participants for selecting correct answers. Tournament mode is the pinnacle of this, with developers competing for the title of most secure coder.

The spend on secure coding by a major Australian tech heavyweight heralds what may be a broader push towards secure developer training across the financial and tech industries.

"Ensuring that application code is written more securely in the first place can significantly reduce the effort to identify and remediate vulnerabilities once applications have been deployed," Secure Code Warrior co-founder Pieter Danhieux says.

"Too often secure code training consists of classroom style sessions which do not scale, fail to engage developers through abstract concepts resulting in low knowledge retention rates, and lack the educational material to show how to remediate vulnerabilities."

This is especially evident in the consistent gold and silver medals awarded each year to SQL injection (SQLi) and cross-site scripting (XSS) by The Open Web Application Security Project (OWASP) in its Top Ten web application vulnerabilities project, which describes the world's worst web flaws.

These flaws are basic, yet as prevalent as they are perennial. In the last year SQLi was responsible for the mega breaches at Ashley Madison, Mossack Fonseca, and TalkTalk.

The Australian bank will put its coders through a series of courses that will test their individual ability to write secure code.

Developers will have to identify a series of vulnerabilities and, crucially, analyse multiple patch options in order to pass assessments.

This will have the effect of teaching developers to both find and patch vulnerabilities, a feat that is normally separated into distinct spheres.

Organisations will also be able to put contracting developers through a dedicated assessment mode to maintain a minimum skill level.

Pieter says both organisations and developers are known to focus on features and functions over security.

"This can result in great functional apps built with code that has both glaring and subtle security holes," Pieter says.

Security teams are largely isolated and bolted on to the development process where they serve, if at all, as a drawbridge that lowers only when teams have accepted or fixed identified vulnerabilities.

"Security must move from a separate team into the developers themselves, especially when using Agile methodologies," Pieter says.

"This is demonstrated by the DevSecOps movement which says that everyone in the development process is responsible for writing in security, not just an isolated team."

Developers can select their preferred language from Java Spring; Java Struts; Java Enterprise; C# .NET WebForms/MVC; Ruby on Rails; Android Java; Objective C; and Python Django.

Return on investment is demonstrated through each developer's skills progression, which is viewable within the security training portal.

Managers will be able to observe progress throughout courses and benchmark those skill sets against an expanding list of industry peers.

Secure Code Warrior has landed major household customers across Europe and the US, including major risk-averse financial firms. It counts Sportsbet and Tyro Payments among its multiple household-name Australian customers.


Secure Code Warrior was nominated at AusCERT for Best Security Initiative and Cyber Security Excellence Awards.

Secure Code Warrior demo video at https://youtu.be/xIQEmT6al9Q