Secure coding tournaments are always fun, but when they're at DevSecCon, the vibe is truly special. There is something about mingling with like-minded security geeks that always makes a difference, so it's exciting that our team will be running a Secure Code Warrior tournament at DevSecCon Seattle this year.
At this point, you might be thinking, "What on earth is a secure coding tournament?" At its core, it's a chance for security-aware developers to train, test, and develop their app sec knowledge and skills. We have developed a gamified secure coding platform where developers can train using real-world code snippets, in their preferred languages and frameworks, and solve security challenges that they are likely to face in their day-to-day jobs.
It makes security training engaging and relevant, and the tournament component of the platform is where players can really exercise their competitive spirit. Each correct challenge counts toward a score, and the live leaderboard keeps the energy high. (After all, who doesn't want the glory of the No. 1 spot, and the cool swag that goes along with it?)
As a developer-turned-CTO, I saw firsthand that, in general, security training could be vastly improved for developers. Many newly minted developers come out of vocational training with no security training, often facing it for the first time when on the job. Security training in the workplace can be everything from well-rounded to an unassessed compliance exercise with no measured retention or real benefit (i.e., a big waste of time for both the developer and organization).
The fact that a fairly simple flaw, SQL injection, remains an unsquashed bug after more than 20 years is testament to the fact that exploitable vulnerabilities are still sneaking into software at the code-writing stage.
We can and must do better, and we should start with giving developers the knowledge and tools to be the first line of defense against vulnerable code.
Gamification is a lot more compelling than a textbook or endless, forgettable videos. And the fact that developers can "play" with real-world code examples keeps the training relevant and highly engaging. Adding a tournament ups the ante, gives incentive to keep training, and provides a reward for displaying well-rounded security skills.
So, what can your team expect to take away from a secure coding tournament? Here are five key takeaways for awesome app sec teams.
1. Competition inspires further training
Generally, developers tend to be creative, inquisitive problem solvers who love a challenge. To gamify security training is to speak their language, to allow them to "practice by doing" in an environment they already thrive in. And who doesn't love a little friendly competition?
Excelling in the tournament and scoring more points than one's peers is a goal for many players, and keeps security front-of-mind in a positive way.
[ Special Coverage: DevSecCon Seattle 2019 ]
2. The emergence of security champions
Secure developers are worth their weight in gold; they have the ability to fix common vulnerabilities, leaving the complex issues to those scarce (not to mention expensive) app sec specialists on the ground. As a result, security budgets don't get cannibalized by an endless Groundhog Day scenario of testing, finding, and fixing the same errors over and over.
By running a tournament, you get a sense of not just the general security awareness of the team as a whole, but also the metrics for each developer. There's another powerful by-product, as well: the revelation of the security champions you never knew you had.
Tournaments can uncover those who not only have an aptitude for security, but also actively display a passion for it. These champions are vital in keeping the momentum going and acting as a point of contact between teams, overseeing peers, and upholding best practice policies.
Implementing a solid champion program—one that includes recognition and executive support—is a feather in the cap of the organization, as well as a powerful bullet point for the individual's CV.
3. Improved security awareness and culture
One of the reasons developers resist becoming more security-aware is that it can have quite negative connotations. In a fairly common scenario, they will work extremely hard to deliver beautiful software to a strict deadline, only for an app sec specialist to come along and tell them there are security bugs.
The expensive process of fixing code that is already committed begins, and the developer is left feeling as though someone has come along and called his baby ugly.
By reinforcing security best practices positively, a more collaborative culture can form. If developers can avoid creating pesky vulnerabilities in the first place (and learn how to do it in a fun, competitive, and rewarding environment) then they can feel like part of the solution.
Tournaments can be made as quirky as you like; we have several clients that give tournament events a dress-up theme, blast some music, and get the whole team working with security in a fun way. (Check out IAG Group's Game of Codes tournament for inspiration!)
4. App sec and developers get on the same page
Gamified training and subsequent tournaments help immensely in driving a positive security culture, with app sec and development teams gaining much more insight into each other's day-to-day work.
While they are seemingly at loggerheads with conflicting priorities, if developers are engaged with a security mindset as code is being written, their goals can start to align, and a much more positive relationship can blossom.
5. Get measurable insights into team improvement
Secure Code Warrior's tournament module provides more than just a nice little cap on a measured training commitment: it is a platform from which developers can validate their skills, see how far they have advanced since training commenced, and identify areas that may need improvement.
It takes a village
The competition aspect really acts as a motivator to engage positively with security, using reward and recognition to support the growth of a robust security culture within the team and wider business. Let's change the conversation for the better, together.
Have proficiency in at least one programming language? Join in "The Ultimate Secure Coding Throw Down" at DevSecCon Seattle 2019 on September 17, 2019.
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.