Welcome to Secure Code Warrior® and thank you for being part of something awesome.
Using the Secure Code Warrior training platform means putting security at the forefront of all your coding solutions. It’s a huge step toward building relevant skills and security awareness that can change the way development teams think about what it means to code securely.
When it comes to learning about secure coding, reading guides and watching videos can only take you so far. The real benefit is in hands-on training, which is exactly what the Secure Code Warrior platform provides. It’s interactive, informative, and also fun, which definitely helps.
Designed to look and feel like a real coding environment, the Secure Code Warrior platform uses a gamified approach to learning. Leveling up the point score in the platform means leveling up secure coding skills in real life.
For some developers, this might be their first opportunity to really focus on building these skills and for others, it may be a new take on a subject they’ve examined before. Whichever the case may be, applying the knowledge and experience gained in the platform to everyday coding life is a big step toward delivering secure code from the start of (and throughout) any project.
Below, we’ve detailed our typical approach to a training program rollout journey and how the different phases of the program tie together. First, take a look at the summary, then read on to see a breakdown of the individual phases.
It may not be the same for every organization, so use it as a general guide to get the ball rolling. Now for the detailed breakdown we mentioned earlier.
Every journey starts somewhere. With Secure Code Warrior, it begins with awareness. By now, you know you’d like to change or implement a security training program at your organization by partnering with us.
You may already have some business goals or objectives, but if you’re just getting started, consider some of these:
Positive Business Outcomes
Raise security awareness
Reduce risk and security threats by building a security-aware culture
Sustainable learning and training
Elevate employee capabilities and job satisfaction
Strengthen organization standards
Sustainable career development
Increase employability and brand loyalty
Quality talent acquisition
Attract and retain excellent talent
Meeting compliance standards
Typically, to begin raising awareness in your development groups, the first step is hosting a Secure Code Warrior tournament to kick off your new or refreshed security training program.
Tournaments, with their exciting, interactive, and competitive approach, help introduce the platform dynamics and design. They also start putting security at the front of everyone’s mind and make onboarding to your training program a smoother experience for users.
Reviewing the results and metrics from a tournament makes it possible to start identifying key weaknesses in your development community. These results also provide incredibly valuable feedback to developers about their own security strengths and weaknesses so they know exactly what their training should focus on.
Tournaments are also an opportunity to start identifying Security Champions, which we’ll discuss a little more below.
After your first tournament, you may want to consider creating an assessment that’s based on the areas of weakness revealed by the tournament results. This can help start the process of defining a minimum skill baseline.
At this point, we'd also recommend creating a course using the Courses feature of the platform. Using Courses, you can create language:framework-specific learning pathways designed to offer training based on key weaknesses identified by tournaments, assessments, or even external tools. This can be used as a training opportunity in the lead-up to an assessment as well.
To learn more about Courses, check out this article.
Using the results from tournaments and assessments, along with findings from penetration testing and static code analysis tools, will help define your own list of key weaknesses that are specific to your organization or development group.
This information will let you fine-tune your security training program along with future tournaments and assessments to address and remediate the key weaknesses that regularly affect your organization.
During this phase, you should guide training efforts to focus on the ability to identify and fix the 3 most critical key weaknesses from your organization’s list.
Building on the previous phase, after clearly defining your organization’s top 3 weaknesses and creating Courses to provide training focused on remediating them, it’s time to establish a company baseline using a targeted assessment.
This newly established baseline becomes the security skill standard to maintain for existing developers and new ones that come into the organization, so all developers should be able to pass this ‘baseline assessment’.
Note: Assessments aren’t meant to be ‘tests’ in the traditional sense. They’re part of the platform’s learning tools, designed to help developers keep track of their own progress while also serving as a way for management to identify growth and upskilling opportunities for their teams.
After successfully passing the baseline assessment, developers can be ‘certified’ to recognize their achievement. Speaking of certification, that’s our next rollout topic!
Even though the subject of a certification program comes along a bit later in the rollout journey, it’s important to start considering how it will look before you get here.
Once your developers pass the baseline assessment, they can be certified as having completed their standard requirements. You can get creative with naming conventions, but we’ll just go with “Level 1” for this article.
The idea behind a certification program is about defining a repeatable learning path for your organization’s newly “Level 1 Certified” or “Baseline Certified” developers to follow. It encourages developers to keep using the platform to build their skills while giving them the ability to set personal goals for what level they’d like to reach and what steps are needed to get there.
Having a Security Champion program is completely optional, but we’ve seen much better results from training programs that utilize them. If you do run a champion program, make sure goals and expectations are clearly defined.
Once up and running, a champion program should run alongside your overall security training program as an added function that contributes to its success.
For more information about Security Champions, check out this article.
Security Champions don’t need to be the most senior developers or have the highest point scores, but they do need to be approachable and enthusiastic about training. Working right at ground level, they support and encourage their developer community.
As mentioned previously, in the lead-up to tournaments you should already be noticing some likely candidates. Think about putting a call out for any developers interested in filling the role. This will ensure candidates are fully engaged and ready to be available for support.
The number of champions can vary depending on your organization size and requirements, but a solid network of Security Champions will help promote the shift towards a positive security culture within development teams and take your training program to the next level.
Coming full circle back to tournaments, it’s important to note they shouldn’t be viewed as a ‘kick-off only’ event. In fact, we recommend creating a tournament program or schedule where they occur at regular or key intervals that align with your business objectives.
Just like a Security Champion program, your tournament program should also be running alongside all training efforts for the duration of your overall security training program as another driver of success.
Hosting periodic tournaments gives more developers the chance to participate. As they build up tournament experience and earn more points in training, you can start making tournaments more challenging, for example by allowing less time to complete challenges or offering fewer hints.
Tournament playoffs are a popular way to build an ongoing tournament program, with our busiest clients finding higher ongoing training engagement across their development teams.
Note: For information on running tournament playoffs, click here.
We know that was a lot of information to take in, so we’ve broken down a lot of the components involved in separate articles to offer more clarification. (And they’re not as long as this one. Mostly…)