Monday, August 22, 2016

New Platform Features for August 2016

Another month goes by, another set of new features and improvements. For this month, we have:

  1. Improving the "Select the Vulnerability Category" challenges
  2. Administration improvements allowing custom tagging of developers for reporting
  3. Assessment improvements by enabling assessment CSV downloads

More details on each of these are below.

Select the "Vulnerability Category" improvements 

We have received a lot of feedback from developers on the "select the vulnerability category" challenges in the platform. Developers found it hard to choose from the long list of vulnerability categories and struggled to identify the correct terminology for the vulnerability.

To address this, we have changed the structure of the question. Instead of a long list of vulnerability terms, the developer is given only 4 to 6 options to choose the correct answer from. This should remove ambiguity (is this a CSRF problem? A session management problem? Or both?) and make the challenges a better way to learn the taxonomy of security vulnerabilities.

Old way: selecting the vulnerability category from a long list of options

New way: selecting the vulnerability category from a small number of options

Administration Module - Assigning custom tags to developers for reporting

Company Administrators can now assign custom tags to individual developers. Examples could be:
- Country where the developer is located
- Business unit where the developer resides
- Seniority within the developer group

These tags can be used later as reporting filters. We are modifying the CSV downloads to include these custom tags.

Tags are assigned to an individual developer

Assessment Module - Download assessment results as CSV

We have added a download-to-CSV function to the platform, which allows managers to download the results of all developers for a particular assessment. This lets managers carry out further analysis of the results.

To download the results of an assessment for all developers, open the assessment and click "Download CSV".

CSV results of an assessment

Thursday, August 4, 2016

Big Four Bank puts 4000 devs through security training

Major Aussie banks on Sydney's Secure Code Warrior

Secure Code Warrior has signed a A$1 million, three-year deal with a major Australian Big Four bank to strengthen the secure coding skills of 4000 software developers.

Under the arrangement, Secure Code Warrior will supply hands-on training exercises to the bank that teach developers not only to find vulnerabilities but also to identify the correct patches for the respective flaws.

Courses follow a gamified model in which points are awarded to participants for selecting correct answers. Tournament mode is the pinnacle of this, with developers competing for the title of most secure coder.

The spend on secure coding by a major Australian bank heralds what may be a broader push towards secure developer training across the financial and tech industries.

"Ensuring that application code is written more securely in the first place can significantly reduce the effort to identify and remediate vulnerabilities once applications have been deployed," Secure Code Warrior co-founder Pieter Danhieux says.

"Too often secure code training consists of classroom style sessions which do not scale, fail to engage developers through abstract concepts resulting in low knowledge retention rates, and lack the educational material to show how to remediate vulnerabilities."

This is especially evident in the way each edition of the Open Web Application Security Project (OWASP) Top Ten, the project that ranks the most critical web application risks, consistently places injection (including SQL injection, SQLi) and cross-site scripting (XSS) at or near the top of the list.

These flaws are basic, yet as prevalent as they are perennial. In the last year SQLi has been linked to the large breaches at Ashley Madison, Mossack Fonseca and TalkTalk.

The Australian bank will put its coders through a series of courses that will test their individual ability to write secure code.

Developers will have to identify a series of vulnerabilities and, crucially, analyse multiple patch options in order to pass assessments.

This teaches developers both to find and to patch vulnerabilities, skills that are normally split between separate teams.
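As an added illustration of the "find the flaw, then pick the right patch" format described above (example code written for this page, not Secure Code Warrior's own challenge content), the block below shows a SQL injection flaw in a login query together with two candidate patches: a blocklist filter that is a wrong answer, and a parameterized query that is the right one. The user table, the Python/sqlite3 setup and the payloads are all constructed for the example; a real application would also hash passwords rather than compare them in SQL, which is outside the point being made here.

```python
import re
import sqlite3

# Constructed sample users for the example (not data from the original page).
USERS = [("alice", "wonderland"), ("morgan", "s3cret")]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def _first_username(conn, sql, params=()):
    """Run the query and return the matched username, or None on no match / bad SQL."""
    try:
        row = conn.execute(sql, params).fetchone()
    except sqlite3.OperationalError:
        return None  # a malformed statement is treated as a failed login
    return row[0] if row else None


def login_vulnerable(conn, username, password):
    """The flaw: untrusted input is pasted straight into the SQL text."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return _first_username(conn, sql)


def login_blocklist(conn, username, password):
    """Wrong patch option: strip 'OR' and '--' from the input, then do the same as before.

    It breaks legitimate users whose names contain 'or' (e.g. 'morgan'), and a
    single-pass filter is bypassed by 'OORR', which collapses to 'OR' after the
    inner 'OR' is removed.
    """

    def scrub(value):
        return re.sub(r"or|--", "", value, flags=re.IGNORECASE)

    return login_vulnerable(conn, scrub(username), scrub(password))


def login_parameterized(conn, username, password):
    """Right patch option: bind the values as parameters so they are never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return _first_username(conn, sql, (username, password))


# Constructed attacker inputs used to check each variant.
PAYLOAD = "' OR '1'='1"          # classic tautology in the password field
PAYLOAD_BYPASS = "' OORR '1'='1"  # survives the single-pass blocklist as ' OR '1'='1


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload    ->", login_vulnerable(db, "nobody", PAYLOAD))
    print("blocklist, payload     ->", login_blocklist(db, "nobody", PAYLOAD))
    print("blocklist, bypass      ->", login_blocklist(db, "nobody", PAYLOAD_BYPASS))
    print("blocklist, real user   ->", login_blocklist(db, "morgan", "s3cret"))
    print("parameterized, bypass  ->", login_parameterized(db, "nobody", PAYLOAD_BYPASS))
    print("parameterized, real    ->", login_parameterized(db, "morgan", "s3cret"))
```

Run as a script it prints the outcome of each variant: the vulnerable query logs the attacker in as the first user, the blocklist both locks out "morgan" and is bypassed with "OORR", and only the parameterized query rejects the payloads while still accepting valid credentials.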

Organisations will also be able to put contracting developers through a dedicated assessment mode to maintain a minimum skill level.

Pieter says both organisations and developers are known to focus on features and functions over security.

"This can result in great functional apps built with code that has both glaring and subtle security holes," Pieter says.

Security teams are largely isolated and bolted on to the development process where they serve, if at all, as a drawbridge that lowers only when teams have accepted or fixed identified vulnerabilities.

"Security must move from a separate team into the developers themselves, especially when using Agile methodologies," Pieter says.

"This is demonstrated by the DevSecOps movement which says that everyone in the development process is responsible for writing in security, not just an isolated team."

Developers can select their preferred language from Java Spring, Java Struts, Java Enterprise, C# .NET WebForms/MVC, Ruby on Rails, Android Java, Objective-C and Python Django.

Return on investment is demonstrated through each developer's skills progression, which is viewable within the security training portal.

Managers will be able to observe progress throughout courses and benchmark those skill sets against an expanding list of industry peers.

Secure Code Warrior has landed major customers across Europe and the US, including risk-averse financial firms. It counts Sportsbet and Tyro Payments among its household-name Australian customers.

Secure Code Warrior was nominated for Best Security Initiative at AusCERT and for the Cyber Security Excellence Awards.

Secure Code Warrior demo video at