Secure your code, from the start.

It takes a village: How community spirit creates more secure developers

16th October 2019

The phrase “it takes a village” is an old African proverb, spanning many diverse African cultures, dialects, and geographical locations. While the language used to convey this pearl of wisdom may be different, the sentiment is the same: it takes input from the entire community to create a safe, positive and enlightening environment to raise future generations into well-rounded adults.

This may seem like a long bow to draw, but truly, the developer community has thrived for decades on this very principle. The notion of the anti-social, “lone wolf” geek behind a computer is like most stereotypes: exaggerated and not the best way to learn how we operate. There are developers of all types, from all walks of life, and there has always been a sense of community in everything we do.

Long before the internet became the norm, we were on bulletin boards sharing tips, solving each other’s problems and bickering over best practice (and, certainly on my side of the fence, working hard to break stuff). This sentiment hasn’t changed. The internet is now a different beast, with more trolls under the bridge and a lot more noise, but a quick jump into places like Reddit and Stack Overflow will give you an immediate sense of willingness to help, camaraderie and a wealth of information.

However, one thing we could all help support are those real-world connections to people going through the same thing. There is a new layer of meaning when you interact in the real world, and facilitating an “IRL” community can accelerate knowledge sharing, clarification and expand horizons in wonderful ways.

How does the developer community support security?

Organizations like OWASP are doing incredible work in the security community, with abundant free resources on vulnerabilities, news, and critical alerts. Offline, there are OWASP chapters in cities all over the world, hosting regular events for people to come together, talk security and share tips for making our software safer. It really is awesome, and to me, it’s what the development community is all about.

One thing that these communities, whether online or in-person, help to address is the skills and knowledge gap amongst developers. Many experienced developers are only too happy to pass on information, help someone get started or point them in the right direction (any good Jedi knows they need to help a Padawan every now and then).

So, it’s always a real treat when we get to partner with them to host things like secure coding tournaments. So far, we have supported meetups in Australia, England, India, and the USA, and I hope there are many more to come.

What does an OWASP tournament meetup look like? Check out this video of an OWASP tournament held in London at the iconic BBC studios:

These events certainly assist in building awareness, and this momentum can be utilized within organizations when they support these grassroots initiatives, introduce fully-fledged secure coding training, as well as make a commitment to operating with positive security culture.

How do gamification and tournaments help create more secure developers?

OWASP meetups are built around socializing, sharing knowledge and discussing ideas with a wide range of security-aware individuals. However, for those who are new to security (or don’t yet have an interest in it), these events may go unnoticed.

When organizations play an active role in building security awareness and sparking real interest among the developer cohort, it can have the positive flow-on effect of instilling a lifelong quest for security knowledge within - the kind we need to get everyone more serious about coding securely.

Typical training methods are rarely a huge motivator (think sitting in a classroom while your day job tasks pile up, or trying to stay awake watching endless videos), but igniting a sense of competition, fun and gamifying the process can make learning far less of a chore. Gamified learning methods make technical (and, at times, dry) knowledge far more digestible, breaking it into smaller chunks that are contextual, memorable and encourage repeat learning. Secure Code Warrior was built on a foundation of accessibility, allowing developers to keep adding to their previous learnings step-by-step, in a way that speaks to their creativity and general instinct to solve problems.

Assessments help to keep everyone on track and identifying areas for improvement, but a secure coding tournament can serve as a catalyst for organizational security awareness and positive change, as well as a way for participants to show off their robust skills. After all, when you see a tournament leaderboard updating in real-time, you’re motivated to keep pushing for more points and really show off your security prowess.

What does a successful tournament look like?

The aim of our meetups with OWASP is always intended to invest in the ongoing health of the security community, helping them to promote the concept that learning about security can actually be fun.

Secure coding tournaments are a no-brainer when it comes to engaging developers, helping them to hone and realize their skills in a social environment with like-minded individuals. They assist in breaking down the artificial walls that may exist around the idea of “security”, perhaps from a less-than-pleasant experience in work or education.

A truly great tournament typically consists of the following:

  • A little bit of fanfare around the organization; let people outside of the development teams know what is happening and why
  • An environment free of judgment, supporting developers at all levels
  • A few special perks; order some food and drinks, give it a theme and encourage self-expression
  • Rewards and recognition; us developers love swag, and neat prizes for winners are a bonus: remember, your future security champions might be unearthed during this process
  • A sense of community and camaraderie.

We are becoming a DevSecOps world, and with security finally coming into focus from the very beginning of software development projects, developers need to be engaged early with effective training. They are integral to shielding an organization from vulnerabilities from the moment code is being written, and in a thriving security culture, everyone can rest a little easier.

Pieter is the Co-Founder and CEO of Secure Code Warrior, as well as a principal instructor for the SANS Institute. He also co-founded BruCON, one of the most awesome hacking conferences on the planet.

View Comments