Who Devs Wins

Who devs wins, who doesn’t didn’t.

We had twelve Jade Development Teams go head-to-head in the Jade Secure Coding Tournament on Tuesday. This was both a fun and educational event for many of our Software Developers. The Secure Coding Tournament provided a great opportunity to identify code with security defects, locate and apply secure code mitigations, and have a great time doing it.

We used the Secure Code Warrior (SCW) tournament environment, which is an integrated platform, leaderboard and challenge environment. The SCW environment allows participants to select, from a large collection, the language and framework they would like to be challenged in.

Languages and Frameworks Available

  • Angular 1 & 2
  • C#
  • C# - MVC
  • C# - Webforms
  • C# - Core
  • Go
  • Java - Enterprise
  • Java - Spring
  • Java - Struts
  • Node.JS - Express
  • PHP Symfony
  • Python - Django
  • Python - Flask
  • React
  • Ruby On Rails
  • Scala - Play
  • Android - Java
  • Android - Kotlin
  • IOS - Objective C
  • IOS - Swift
  • React Native
  • C
  • C++
  • Cobol
  • Oracle PL/SQL
  • Pseudocode

This was just one initiative to help build security into the Jade culture, and introduce our Security Champions to the entire company.

Evaluated Options

As part of the tournament investigation, I evaluated the following set of offerings:

Tournament

| Offering | License | Description | Pros | Cons | Lang | Challenge Type | Doc |
|---|---|---|---|---|---|---|---|
| SCW | Proprietary | Integrated platform and challenges | Covers all mainstream languages; Self contained; Most of the work done for us; Very structured | There will be sales pitches; Obviously a SCW tournament, not really branded to bespoke; Challenges are code snippets, no business context, can not debug; No plain JavaScript; Very structured; Statistics at game end | N/A | N/A | N/A |
| CTFd | Proprietary | Platform | No need for hosting | Costs a little; Not as flexible as open source platforms | N/A | N/A | N/A |
| fbctf | Free & open, non-commercial | Platform | Fully featured | Takes some set-up | N/A | N/A | Plenty |
| OWASP NodeGoat | Free & open | Challenges | Kim is a core contributor | ? | Web, JS, Node | White box | Plenty |
| Google Gruyere | Free (CC) | Challenges | Beginner level | ? | Python | White & black box | Plenty |
| OWASP Juice Shop | Free & open | Challenges & optional platform | Slick offering | ? | JS, Node, Express, Angular | Black box | Plenty |
| OWASP Security Shepherd | Free & open | Challenges & optional platform | OWASP flagship | ? | Web | Black box | Plenty |
| OWASP WebGoat.net | Free & open | Challenges | ? | Unmaintained; no official tutorials, but some community provided | Web, C# | Black box, source available | d1 |
| dvta | Free & open | Challenges | ? | Unmaintained; no official tutorials, but some community provided | Thick client, C# | Black box / white box, not sure but source is available | d2, d3, d4, d5, d6, d7, d8 |

Quiz

| Offering | Pros | Cons |
|---|---|---|
| Kim’s Quiz | If we’re all co-located, this is ready to roll, if not, it’s just a matter of putting into a Google Quiz; Have run this before and attendees enjoyed it and learnt quite a bit; Trivial to organise | It’s not coding |

The Event

We had Tim Aston and Mitchell Mendonca from SCW to run the environment, and they were knowledgeable and excellent at doing so. I had the joy of MCing the event.

Secure Coding Players

The tournament schedule looks like this:

| Activity | Timing |
|---|---|
| Introductions | 30 minutes |
| Game | 1.5 hours |
| Prize giving - Outro | 30 minutes |

The main reasons we chose SCW for the first Jade secure coding tournament were:

  • The large collection of programming languages available
  • Many (hundreds for each language) challenges
  • The platform and challenges were integrated and ready to roll. As SCW calls it: “Tournament in a box”
  • Ability to participate in the tournament remotely. This was great for our Development Teams in other cities and countries
  • I had seen the SCW tournament run previously at an internal AppSec conference I’d been invited to speak at, and from a spectator’s point of view, it looked amazing and was a very engaging event

The SCW integrated environment is useful for learning to spot code-only defects and apply countermeasures. There is little in the way of an overall project context with the questions; the context is at a code level.

Where I think we may be able to do better than the SCW integrated platform is by providing challenges that are more holistic, rather than just multi-choice and tunnel vision (“is it this snippet of code or this other snippet of code”). Often finding security defects in software is not as naively simplistic as: “Is it this line of code that’s defective or this other line?”. Often defects are a combination of code, config, how the solution has been deployed, and a variety of other aspects. In saying that, I still think that the SCW integrated environment is quite a valuable educational tool for spotting code level defects and learning which mitigations to apply.

The SCW integrated environment would be useful for measuring the progress of how your Developers are improving at spotting code-only defects and applying countermeasures over time, provided you ran this same tournament regularly (say every 6 to 12 months). This is where I see the statistics provided at game end becoming quite valuable. Although… I’m thinking that you could get similar measurability from using a purpose-built platform to which you can add your own chosen challenges, although this requires that you actually put this together.

Conclusion

Overall this initial tournament was a great success; it brought many Developers together in a fun, focussed, application security learning environment. The game-end statistics were useful and should be even more useful if we use the SCW tournament environment again. This was a good step along the journey of establishing a security culture at Jade.

Kim Carter

Technologist / Engineer, Information Security Professional, Entrepreneur and the founder of BinaryMist Ltd and PurpleTeam-Labs. Ex OWASP NZ Chapter Leader of eight years. Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 20 years of commercial industry experience across many domains.
