Making Software Security fun with Secure Coding Dojo

About an open source project that helps organizations deliver software security training

Paul Ionescu
3 min read · Sep 2, 2019

Have you ever attended a training presentation on software security? You may have found it a bit interesting, a lot interesting or completely boring. Even if you found it interesting, how much did you retain after the training was over? Or perhaps you have never attended a training on software security at all!

I have delivered many such training sessions where developers, crammed into a boardroom, tried to stay awake while receiving a concentrated stream of information about Cross-Site Scripting, SQL Injection and other entries from the OWASP Top 10.

I’m not ashamed to admit that my presentations did not transform developers into secure coding ninjas overnight. I did not have the confidence that they enjoyed or even understood the training material after the presentation was over. And what about those members of the team who were not able to attend the session due to a conflict or vacation? They didn’t receive the information at all.

I don’t believe I am an engaging presenter, but how many of us software security folks actually are?

Yet, educating developers about software security issues is one of the most effective weapons against vulnerabilities. It can start working before they even write the code because they will be aware of the threats they should avoid. So how do we achieve that?

I always felt that people learn by doing, and I have always enjoyed participating in Capture the Flag (CTF) events, where security professionals prove their skills by hacking vulnerable software. OWASP provides several vulnerable websites such as WebGoat, Juice Shop and DevSlop, to name a few. However, CTFs are primarily aimed at pen-testers and do not ensure a comprehensive learning experience. Many developers drop out of the challenges because they find them too complicated or because they need special pen-tester tools that they haven’t used before. In addition, I did not find that the available vulnerable applications contained all the software weaknesses that I wanted to teach.

So, with the help of my developer colleagues, I set out to build a software security training platform for developers: the Secure Coding Dojo. This platform would be used to provide detailed information about software weaknesses, attacks and defences. It would arm developers with the knowledge they needed to develop secure code. Participants would practice the attacks just like in a CTF challenge, but the attacks would be easy to conduct: no special tools needed, only a browser. Each attack category would lead to a new level, making the training a fun game and allowing participants to compete with each other. The training curriculum would be based on the complete SANS Top 25 and OWASP Top 10. Best of all, developers could participate in a self-paced manner and complete parts of the training as time permitted. The training would always be available, and new developers joining the team could take it as an onboarding activity.

The project materialized in 2017 and has evolved ever since. It is now used at companies and schools, where developers leverage the Dojo to learn about software security.

Screenshot of the Buffer Overflow challenge from the Secure Coding Dojo

The Dojo source code is publicly available as an open source GitHub repository under the Apache 2.0 License. So anyone, from university students to small startups and large corporations, can use the Dojo and even modify and extend it to their liking.

More recently, the project was accepted as an OWASP Project, which means that it will now get more visibility and support in the application security community. If you want to try it out, head over to https://securecodingdojo.owasp.org/


Paul Ionescu

Cyber-security professional and OWASP contributor from Ottawa, Canada. Creator and maintainer of the Secure Coding Dojo open source project.