Developer Tournaments: AppSec’s Secret Weapon to Improve Security Culture and Engagement30th January 2019
Imagine crafting something from scratch, wielding your skills and experience with mastery to make a small, but special, mark on the world. Whether alone or part of a team, you place your heart and soul into building something from nothing. You spend hundreds - maybe even thousands - of hours on it, making sure your baby is the best it can be. Upon completion, that wave of accomplishment can feel like a reward all on its own.
Now, imagine a spoilsport comes along and tells you it’s not that great. Perhaps they go a step further and tell you that, no, in spite of the energy, time and love you have sacrificed, it’s actually not even usable: it’s broken. They have, in essence, told you your baby is ugly.
The above scenario is bound to cause some tension; after all, who wants their hard work picked apart and condemned as inadequate? Sadly, for many developers, this can be the reality of their relationship with the AppSec team. A developer has a primary responsibility of building software that is functional, feature-rich and delivered within strict project deadlines. Security is rarely the priority, and can even be seen as a blocker to rapid delivery and innovation. AppSec has the unenviable task of meticulously checking code, pen-testing and then reporting the bad news: the presence of security vulnerabilities in code that is often already committed. It’s an expensive process in an environment that is often stretched for resources and time, with the setup bound to cause a rift between two teams that have the same goal, but speak such different languages that they seem at loggerheads.
Don’t you think it’s time we gave security a makeover? It’s as simple as changing the conversation and making everything a little more positive (not to mention fun!) for both sides, especially the development team.
Out of the classroom, into the game arena
With many developers completing vocational training without learning much on coding securely, it is often the case that their first touch-point with security education is upon entering the workforce. Classroom-based training is one oft-used solution, but it takes away precious time from feature delivery (and, let’s face it: if the teacher and content are under-stimulating, it can be an easily forgotten waste of time for everyone). There are also video courses, paper-based exams and generic company security policy education… all of which can be so non-specific as to be useless in the day-to-day working lives of the average developer.
Too often, it is treated as a ‘tick the box and move on’ compliance exercise, and too often it has the opposite effect: it just drives a wider rift between AppSec and the dev team. After all, it doesn’t appear that conventional training is having the positive effect on security culture and compliance that we as an industry are so desperately seeking. We keep making the same mistakes.
According to the Common Weakness Enumeration (CWE) community, there are more than 700 common software security weaknesses to fight against. Some, like SQL injection, are like cockroaches that haven’t been squashed despite their existence for more than twenty years. We know how to fix it; the training is there to empower developers to stop it and so many others, yet pen-testing and manual code review processes continually identify these violations.
Perhaps we’ve been looking at it all wrong, and we as an industry need to tackle viable education from a different angle… one that harnesses the amazing skills so valued in our developers. They are creative, inquisitive problem-solvers who love a challenge. To gamify security training is to speak their language, to allow them to 'practice by doing' - and who knows, they may just fall in love with security along the way.
A little healthy competition
A core reliance on (rather inaccurate) tools, expensive pen-testing and scarce AppSec specialists is going to plunge us deeper into the security black hole. Too much of our lives and privacy exists online for companies to continue throwing caution to the wind with the virtual fortresses that protect our data. As the digital transformation of our world increases our dependence on software, we need to turn to the superheroes we have had sitting in the office all along: the development team.
Gamified training, in relevant languages and frameworks, is a potent tool for AppSec managers to start transforming security culture within the business. From the training, developers can flex their newly-built security muscles in a fun tournament setting, one that can be as exciting as your imagination can conjure: just take a look at how IAG’s ‘Game of Codes’ got everyone talking about security within their organization.
Secure Code Warrior’s tournament module provides more than just a nice little cap on a measured training commitment: it is a platform from which each developer can validate their skills, see how far they have advanced since training commenced, as well as identify areas that may need improvement. The competition aspect really acts as a motivator to engage positively with security, using reward and recognition to support the growth of a robust security culture within the team and wider business.
Injecting a little fun into what can be seen as a laborious - if not daunting - task, can go a long way in changing negative mindsets and inspiring continued participation. After all, who doesn’t love the glory of scoring more points than their peers in a (healthy) competitive environment?
Champions walk among you
Gamified training and subsequent tournaments help immensely in driving a positive security culture, with AppSec and development teams gaining much more insight into each other’s day-to-day work. A secure developer is an asset, fixing common vulnerabilities and leaving the complex issues to those scarce AppSec specialists on the ground. Better relationships grow and thrive, and the precious security budget isn’t chewed up fixing a ‘Groundhog Day’ scenario of the same errors over and over.
There’s another powerful byproduct, however: the revelation of the security champions you never knew you had. Tournaments can uncover those that not only have an aptitude for security, but actively display a passion for it. These champions are vital in keeping the momentum going and acting as a point of contact between teams, overseeing peers and upholding best practice policies. Implementing a solid champion program, one that includes recognition and executive support, is a feather in the cap of the organization, as well as a powerful inclusion for the individual’s CV and future career.
The bottom line? We must demand better outcomes in security testing. Less common errors, more support for those on the front lines. Why not see how a developer tournament can get you there sooner than you think?