Increasing your organization’s OWASP Top 10 vulnerability awareness is always a good thing. While you can use it as a training guideline within the SCW platform, it doesn’t have to be the defining feature of your whole security training program.
In addition to working on the OWASP Top 10, you can also tailor training programs to focus on the specific weaknesses within your organization. In fact, that’s a path we recommend to help you get the most value out of using the Secure Code Warrior® platform.
There are a few ways to help you do this quickly with the happy side effect of raising development security skills for your own applications.
Tournaments are a major help in building a positive learning experience that facilitates better knowledge retention and excitement for training. They’re not just for the start of your security awareness journey; they can happen regularly to bolster engagement and check in on progress.
Tournaments can help:
- Define any specific company or team vulnerabilities
- Identify security champions within developer groups
- Provide feedback to developers on their strengths and weaknesses
- Form a team-building exercise
- Create a sense of fun and competition to address specific security weaknesses
Generally, challenges will be based on the OWASP Top 10 or company-specific security priorities, if you know them. If you don’t know them yet, tournament results can help determine if there are any patterns that point to company-specific weaknesses, whether it’s based on certain applications or languages. This should give you an idea of where to start building up your training program.
The other good thing about tournaments is that anyone can join in. It doesn’t have to be just the development teams. They’re a great chance to give anyone in your organization a chance to see how much goes into building secure code. Even those with limited code exposure can have a chance to tackle some common vulnerabilities and learn how to deal with them.
Security champions help promote a positive security culture within development teams. Not every company chooses to run a champion program, but we’ve noticed much stronger results for those that do. Just saying.
So, what’s a Security Champion? They are
- Passionate about security
- Keen to share new industry knowledge
- Good communicators
- Interested in building secure coding skills (their own and others)
- Someone that wants to step up and gain recognition
These superstars are already among the ranks of development teams just waiting to be discovered.
Note: If this sounds like you, get in touch with your Team Manager or Administrator to learn how you can make a difference. Be the change you want to see in application security!
Tournaments can also help reveal Champions, giving them the chance to motivate their peers as well as demonstrate their security prowess on the leaderboard.
When you notice particularly strong or security-passionate developers, consider approaching them with the idea of becoming a Security Champion.
They play a valuable role in levelling up secure coding skills by:
- Helping identify vulnerabilities within their teams
- Encouraging peers to participate in tournaments, training, and assessments
- Seeking feedback from teams and reporting back to program leads
- Running mini-tournaments to focus on team-based security priorities
With solid Security Champions in the mix, everyone can look forward to better engagement and overall security positivity at ground level where it matters most.
Gamified interactive training in languages that matter
Developers are busy people constantly under pressure to deliver great, functional solutions. Coding securely, as much as we love it, isn’t often taught about when devs are learning their craft. We’re aiming to shift security awareness one challenge at a time with a competitive, interactive, and fun approach to training.
Some of the most effective learning platforms have gamified aspects with familiar elements like earning points, collect badges, and topping the leaderboard.
Training platforms need to focus on specific skills while encouraging developers to keep learning and showing them how to adopt a secure coding mindset.
- Developers should be able to work in real code and in their own language/frameworks
- Challenges should be short and cover all the vulnerabilities
- Challenges must be constantly expanded and updated so developers can continue to build their skills over time
- Challenges must vary in complexity so they’re engaging for both senior developers and less experienced ones
- Developers and managers should be able to view progress, including which challenges they’ve completed, their strengths and weaknesses, time spent on training and their overall accuracy
The Secure Code Warrior platform includes the OWASP Top 10 which is broken into four sections that focus on the most critical vulnerabilities, to very common ones, along with some more specific breakdowns.
For developers, training is the real key factor that contributes to upskilling. The Mission Control section of the platform has a range of ways to train using different languages and looks at different vulnerability types.