Major Aussie banks on Sydney's Secure Code Warrior
Secure Code Warrior has signed a A$1 million three-year deal with a major Australian Big Four bank to strengthen the secure-coding skills of 4000 of the bank's software developers.
Under the arrangement Secure Code Warrior will supply hands-on training exercises that teach developers not only to find vulnerabilities but also to select the correct fix for each flaw.
Courses are gamified: participants earn points for selecting correct answers, and a tournament mode, in which developers compete for the title of most secure coder, sits at the top of the scheme.
A spend of this size on secure coding by a major Australian bank may herald a broader push towards secure developer training across the financial and tech industries.
"Ensuring that application code is written more securely in the first place can significantly reduce the effort to identify and remediate vulnerabilities once applications have been deployed," Secure Code Warrior co-founder Pieter Danhieux says.
"Too often secure code training consists of classroom-style sessions which do not scale, fail to engage developers through abstract concepts, resulting in low knowledge-retention rates, and lack the educational material to show how to remediate vulnerabilities."
This is evident in the OWASP Top Ten, the Open Web Application Security Project's list of the most critical web application risks, which has placed injection (including SQL injection, SQLi) and cross-site scripting (XSS) at or near the top of every edition since 2007.
These flaws are basic, yet as prevalent as they are perennial. SQLi was confirmed as the entry point in the TalkTalk breach and has been linked to the Mossack Fonseca intrusion; the method behind the Ashley Madison breach was never publicly confirmed, though it is commonly cited alongside them.
The Australian bank will put its coders through a series of courses that will test their individual ability to write secure code.
Developers will have to identify a series of vulnerabilities and, crucially, analyse multiple candidate patches and pick the one that actually closes the hole in order to pass assessments.
This teaches developers to both find and fix vulnerabilities, two skills that are usually split between developers and security teams.
Organisations will also be able to put contract developers through a dedicated assessment mode to enforce a minimum skill level.
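The "analyse multiple patch options" step above is the part most classroom training skips, and SQLi (the flaw singled out earlier on this page) is where the difference between patches matters most. The following is an added illustration written for this page, not Secure Code Warrior's course material: a vulnerable login query in Python (one of the listed stacks, using the standard library sqlite3 module rather than Django's ORM) beside three candidate patches, two of which a trained developer should reject. The schema, rows, function names and attacker payloads are all constructed for the example.

```python
import sqlite3

# Constructed in-memory user table so the example runs offline; the
# schema, rows and function names are assumptions for this illustration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def run(conn, sql, params=()):
    """Execute a query and return the first column of each row."""
    return [row[0] for row in conn.execute(sql, params)]


# The flaw: untrusted input is formatted straight into the SQL text.
def login_vulnerable(conn, name, password):
    sql = (
        f"SELECT id FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    return run(conn, sql)


# Patch option A: strip "dangerous" keywords. Wrong: a single-pass
# replace is defeated by double-typing ("OORR" -> "OR") and by case.
def login_patch_blacklist(conn, name, password):
    def scrub(value):
        return value.replace("OR", "").replace("--", "")

    sql = (
        f"SELECT id FROM users WHERE name = '{scrub(name)}' "
        f"AND password = '{scrub(password)}'"
    )
    return run(conn, sql)


# Patch option B: double every single quote. Holds only while the value
# sits inside a quoted string literal; it does nothing in numeric context.
def escape_quotes(value):
    return value.replace("'", "''")


def login_patch_escape(conn, name, password):
    sql = (
        f"SELECT id FROM users WHERE name = '{escape_quotes(name)}' "
        f"AND password = '{escape_quotes(password)}'"
    )
    return run(conn, sql)


def user_by_id_patch_escape(conn, user_id):
    # Numeric context: no quotes around the value, so escaping quotes
    # leaves "1 OR 1=1" untouched and the predicate is rewritten.
    sql = f"SELECT name FROM users WHERE id = {escape_quotes(user_id)}"
    return run(conn, sql)


# Patch option C: bind parameters. The driver sends values separately
# from the SQL text, so input can never change the statement's shape.
def login_patch_param(conn, name, password):
    return run(
        conn, "SELECT id FROM users WHERE name = ? AND password = ?", (name, password)
    )


def user_by_id_patch_param(conn, user_id):
    return run(conn, "SELECT name FROM users WHERE id = ?", (user_id,))


# Constructed attacker inputs.
STRING_BYPASS = "' OR '1'='1"
BLACKLIST_BYPASS = "' OORR '1'='1"
NUMERIC_BYPASS = "1 OR 1=1"


def assess():
    """Map each patch option to whether it stops the relevant bypass."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, STRING_BYPASS, STRING_BYPASS) == [],
        "blacklist": login_patch_blacklist(conn, BLACKLIST_BYPASS, BLACKLIST_BYPASS) == [],
        "escape_string_ctx": login_patch_escape(conn, STRING_BYPASS, STRING_BYPASS) == [],
        "escape_numeric_ctx": user_by_id_patch_escape(conn, NUMERIC_BYPASS) == [],
        "param_string_ctx": login_patch_param(conn, STRING_BYPASS, STRING_BYPASS) == [],
        "param_numeric_ctx": user_by_id_patch_param(conn, NUMERIC_BYPASS) == [],
    }


if __name__ == "__main__":
    for option, safe in assess().items():
        print(f"{option:20s} {'resists' if safe else 'BYPASSED'}")
```

The point of the exercise is that option B looks like a fix and even passes the obvious test against the login form, yet fails as soon as the same helper is reused on an unquoted integer column; only parameter binding survives both contexts. Choosing between such options, rather than merely spotting that the original is injectable, is what the assessments described above test.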
Pieter says both organisations and developers are known to focus on features and functions over security.
"This can result in great functional apps built with code that has both glaring and subtle security holes," Pieter says.
Security teams are typically bolted on to the end of the development process, acting, if at all, as a gate that opens only once teams have fixed or accepted the vulnerabilities identified.
"Security must move from a separate team into the developers themselves, especially when using Agile methodologies," Pieter says.
"This is demonstrated by the DevSecOps movement which says that everyone in the development process is responsible for writing in security, not just an isolated team."
Developers can select their preferred language and framework from Java Spring, Java Struts, Java Enterprise, C# .NET WebForms/MVC, Ruby on Rails, Android Java, Objective-C, and Python Django.
Return on investment is demonstrated through each developer's skill progression, which is viewable in the training portal.
Managers will be able to observe progress throughout courses and benchmark those skill sets against an expanding list of industry peers.
Secure Code Warrior has been nominated for AusCERT's Best Security Initiative award and for the Cyber Security Excellence Awards.
Secure Code Warrior demo video at https://youtu.be/xIQEmT6al9Q