Tuesday, February 7, 2017

Serious Games - how you can use Secure Code Warrior in your organisation

In the past twelve months, we have been closely engaging with our early adopter clients to understand how they are using Secure Code Warrior, what objectives they were trying to achieve, and how their usage evolved over time. We observed that the type of rollout depended heavily on their own objectives, the challenges they were trying to solve, and their maturity in cybersecurity and training:

"There is no security culture in our development community"
  • They tried classic CBT training, and developers described most products on the market as "boring", "not relevant" or "too high-level"
  • They organised classroom training, and the quality depended heavily on the trainer, the developers' experience in the coding language and the skill level of the developers in the class
They want something which ENGAGES the developers and makes them AWARE about security issues in software development.

"There is awareness but it does not result in fewer vulnerabilities"
  • They felt that everyone understood the importance of security, but it was not consistently applied in the code, and the source code analysers kept finding the same flaws.
They want something which allows the developers to PRACTICE in different situations and measures the overall SKILL level of the developer community.

"There is a trained developer community but we need it formalised to compare internal and suppliers"
  • Suppliers, contractors or new starters did not have the same level of training the internal developers had received.
  • Company or cultural context requires certificates to be handed out upon achieving objectives
  • A career path or skill progression model was required
They want to formally assess the SKILL level of the developer community and suppliers.

For the above cases, we have built three modes into our platform:

  • Tournament Mode focusses on making an initial cultural shift and providing awareness. It builds on the concept of serious games (competition, leaderboards, points, etc.) and can be run in 2 to 4 hours:
    • Competitive: the same type and difficulty of challenges are presented to all developers, regardless of which language they choose
    • Interactive & Engaging: gamification concepts (points, leaderboards, etc.) make security something fun to learn about

  • Training Mode is made for self-paced learning where the developer can choose his own difficulty or training topics. We have noticed significant improvements for someone playing for 5-10 hours on the platform.
    • Hands-on: all the challenges are hands-on and can be practiced in multiple situations
    • Guidance & Hints: there is help available for developers who have never had a formal background in security vulnerabilities

  • Assessment Mode allows anyone to define the number and type of vulnerabilities and the difficulty of the assessment questions. No help or hints are available for the developer. A passing grade can be configured to allow a custom-branded certificate to be downloaded upon completion.
    • Baseline: developers can be assessed on the OWASP Top 10 or any baseline you want to define in your organisation
    • Evaluation: suppliers or contractors can easily be evaluated on whether they are skilled in secure coding in a particular language.
