Assessments are a proven way to test competency and measure security awareness. In this mode, it’s less about gamification and more about establishing a baseline for where developers sit when they start using the platform, as well as recognizing the progress made throughout the Secure Code Warrior® learning journey.
Assessments are made up of a series of challenges, much like training or tournaments, and they’re fairly straightforward to both build and participate in.
Generally, once an assessment is available and invites are sent to participants, it must be completed by a certain date and within a specified time period.
During assessments, there are no:
- Hints given
- Points earned toward training scores
- Retries available (unless configured by an Admin)
This means there are no take-backs on the answers chosen; they’re either right or wrong. After choosing an answer, the platform will indicate if it’s correct or not and offer feedback much like in training mode because assessments are still a learning opportunity and knowledge is power!
While there is a scoring mechanic associated with assessments, it’s not visible to those taking one. Assessments also have a few other parameters that help determine the final outcome, all of which can be pre-selected, including:
- Difficulty level
- Vulnerability category
- Vulnerability subcategory
Assessments aren’t meant to be big, scary events or affect performance reviews; they’re meant to be another tool that helps everyone recognize how much their overall security awareness has increased, while also uncovering new or different ways to keep improving.
When to Have Assessments
Assessments can be created at any point, though there are a few reasons you might want to create one, and they tend to align with different parts of the journey with Secure Code Warrior:
- Baseline assessments
- Other training program assessments
Baseline assessments are based on the key security weaknesses in an organization. Generally, these are first discovered by examining the results of a Secure Code Warrior tournament. Tournament challenges cover a lot of vulnerabilities and are intended to help narrow down areas of weakness.
We recommend addressing the top 3 weaknesses in a baseline assessment shortly after a tournament.
- Post tournament assessment
- 3-4 months of focused key weakness training
- Second assessment completed
- Use the results to determine a minimum skill baseline
For a baseline assessment, it's ideal to have a relatively short completion window (2-3 months) so you can start determining a training program around the areas that need attention. The baseline assessment should be successfully completed by all developers within your organization.
This process can be repeated for the weaknesses that follow your top 3 as well so you can address the top 10 in your organization over time, for example.
Once you've established the baseline assessment, it should be refreshed periodically (e.g. annually) to ensure it remains current.
Along the way, there will be other assessment opportunities ranging from:
- PCI Compliance
- Certification level increase
Some of these assessments will depend on the size and requirements of your organization. You may want to hold regular assessments for certain teams or projects. You may also want to create specific ones for contractors or junior developers. Assessments associated with a change in certification level may be best as invite-only if they're targeting certain individuals.
For all your assessment-related needs, we’ve gathered a helpful list of articles you can check out.