After running a Secure Code Warrior® tournament, or using other code analysis and review tools, the results will show you the gaps in security awareness within your development or application teams.
This is good to know before creating an assessment as you generally want to address the top few weaknesses with tailored training and assessment challenges.
Assessments are also a great way to benchmark secure coding skills and build certification levels for graduates, contractors, new recruits, and internal developers.
This article details how to create an Assessment. You can also watch the video below to see how to do this.
Click Assessments in the top menu.
If this is your first time, click the Create Assessment button.
To begin the tour, click Start Now when the prompt shows up.
If there's already a list of assessments on this page, click the icon to start creating a new one.
Configure your assessment by giving it a name, description and setting an applicable programming language/framework. To easily manage and report on your assessment, it's recommended to decide on a naming convention that includes dates, objectives, goals, or programs.
Give the assessment a name. Ideally, something that’s easy to keep track of or relevant to a particular time of year since you’ll likely be creating a few of these as time goes on.
Now write a short description to let your developers know what the assessment is about and what it’ll cover. Think of this part more like a brief introduction.
Click Advanced Options to configure the assessment to suit your security program objectives:
- Scheduling Options - Set a completion date and time limit.
- For the first assessment after a kick-off tournament, we recommend leaving it open for 3 months. This gives developers time to complete it and also gives you a skill baseline to start working with.
- Invitation Options - Choose when invites are sent, whether developers can start assessments by themselves, and whether they will be allowed to retry an assessment.
- Challenge Options - Choose to have a fixed number of challenges, and toggle the assessment guide for new SCW users.
- Pass/Fail Options - Set the minimum score that qualifies as a pass.
Next, select the language/frameworks this assessment will cover.
Tip: Each language/framework is more or less susceptible to certain vulnerabilities, so select only the languages you actually need; this keeps the widest range of challenge and vulnerability options available.
All languages in Secure Code Warrior are "OWASP ready." Whenever we release new languages and challenges, there's a template to go with them. However, because each language is unique, they all have different OWASP-related materials, so a template may not be available for every language.
Once you've selected the desired programming languages/frameworks, the applicable assessment templates will be listed. Choose a pre-built Assessment template or build your own by selecting the vulnerability category, sub-category and difficulty level. You'll still have the option to change things like challenge difficulty and categories afterwards.
Here's what a language with a template would look like.
- Depending on the languages chosen for your assessment, there may or may not be a template available.
- The number of challenges available when mixing application types may be reduced.
Create Your Own
Go ahead and click the + Add a Challenge button to start configuring the assessment's structure.
When you’re done, click the Save button to publish the assessment.