We know sometimes training can seem like a chore, but it doesn’t have to be. Especially not when you’re using the Secure Code Warrior® platform. We’ve worked hard to capture the fun aspects of video games (looking cool, completing missions, crushing foes) and combine them with useful, real-world skill-building around secure coding.
Even outstanding security training programs need engagement to truly be valuable to everyone involved. To help with that, we’ve listed some tips and recommendations that we’ve learned over time.
As mentioned in our Engagement Cheat Sheet for Tournaments, branding can help your entire security training program. Cool themes and branding don’t have to be tied to specific events alone.
Having a brand or theme associated with your training program makes it much easier to promote with things like posters and email graphics. The more visible your training program is, the more people will know it’s here to stay.
Hot Tip: If you’ve used a brand or theme for a tournament, try running it through training until the next tournament. At that point, you might want to have developers choose what the next theme will be. This can lead to some interesting and fun ideas that help foster engagement.
Another way to encourage training is by building in a dedicated window each day or week and having team leaders or senior developers promote this 'training time'.
Developers are exceptional at time management, but it can be tough to fit training in with a fast-approaching deadline. Some devs may even feel nervous about being seen training because it can look like they’re not working on their usual projects.
The key to mitigating this kind of situation is to develop a positive culture of support around training. Training and upskilling are good things no one should feel judged for doing. Security Champions can be a big help here since they’re part of the development team and readily available for support.
Note: Click here for more about Security Champions.
If you launched your security training program with a tournament, you would have reviewed the results and noticed what the areas of improvement are. Combining that with the particular vulnerabilities found in your company, you can start to develop a training plan and be able to offer guidance on where developers should get started.
If your teams have only had limited exposure to the Secure Code Warrior platform, consider gathering them together for a training demo. Even if they just congregate in teams or in their office locations, a quick run-through as a group can help facilitate some good questions and answers.
As always, make sure there’s regular communication about the progress of your security training program with updates on how the company is tracking toward meeting security goals. This is great information to share because achieving goals really is a team effort and contributors should feel involved and informed.
- Create a dedicated “Secure Code Warrior Training” communication channel on Slack or Yammer for everyone to share questions, learnings, and feedback
- Have team leads or managers hold weekly or bi-weekly meetups with developers to share best practices, find out what people are struggling with and what’s been helpful
- Leverage team leads and security champions to help build engagement and support
- Set up 1:1’s with Security Champions and Team Managers to tackle business objectives
- Create an internal Wiki or self-service training page
- Encourage developers to talk about their Secure Code Warrior training experience on their social media platforms. Training doesn’t have to be a forbidden topic. Allowing them to share their feedback might even serve as a recruitment tool
As everyone gets familiar with using the platform, there are a number of different ways to keep the momentum rolling as time goes on.
A lot of the focus should be on promoting training as a positive thing. As mentioned above, working with team leaders and security champions to find a dedicated window of training time can make it a lot easier.
- Challenges are designed to be consumed in just 3-5 minutes. Work with team leads to find a way to build this time into day-to-day activities
- Find achievable goals like completing 1-2 challenges every day or 10-12 challenges per week
- Use team communication channels to check-in on how training is going, if there’s any feedback or lingering questions
- Share regular updates on the company or team leaderboard to show off the high scores and encourage some competition
- Recognize and reward developers that consistently make an effort to increase their score
- Encourage developers to train using different languages they’re interested in
- Share or watch the Security Fundamentals & Application Security Weaknesses videos in the Resources tab.
The platform’s hinting system can and should be utilized if there’s any uncertainty around a challenge, especially when trying new languages. While this system is a learning asset, points are still lost if it’s used because that’s part of the platform’s fun gamified aspect.
The hinting system gives a two-part summary of a vulnerability with a 3-5min video and/or short synopsis that covers:
- What the vulnerability is
- How it occurs
- The bad things that happen when it occurs
- How to remediate the vulnerability
Hints are quick and easy to digest in an effort to keep all information useful and relevant. Speaking of useful information, it’s time to talk about metrics and the important role they play in training!
Metrics are available in the platform for admins and developers alike so everyone has a view of at least their own personal statistics.
- Encourage users to check metrics regularly to view their progress and help with self-learning
- Use metrics to form a training plan that focuses on key areas
From the Metrics tab, you can review a spider diagram that features 5 OWASP ready subcategories.
- Authentication and Access Control
- Data handling
- Security configuration
- Sensitive data protection
- Secure dev practices
Note: For Admins, the diagram will be blue. For Developers, the diagram will be yellow.
Take notice of where the spider diagram points to in regards to average strengths and weaknesses. This is an excellent tool that gives developers control over their own security awareness.
Having a view of these numbers leads to knowing which areas should be targeted when playing through training challenges. By being able to choose what to focus on, developers can level up their skills in a way that engages and makes sense to them.
In this way, training isn’t so much structured for developers, it’s structured by them.
This is just a quick sample of something you can try as an engagement exercise where everyone has a bit of fun.
The Theme: Mystery Day
How it Works: First, set a start and end date. This can be anywhere from a week to a month.
Next, pick a random day between those two dates and note it down. If a developer trains on that day, they'll be entered into a raffle for a prize.
As your teams won't know which day this will be (hence the name of the game), encourage them to log in and play at least one challenge per day for a chance at entering the raffle.
Using the platform reporting function, you can isolate the names of those that qualified for the raffle by training on Mystery Day. All that's left to do is randomly select a name from the list and announce the lucky winner!