Who Devs Wins

Who devs wins, who doesn’t didn’t.

Who Devs Wins

We had twelve Jade Development Teams go head-to-head in the Jade Secure Coding Tournament on Tuesday. This was both a fun and educational event for many of our Software Developers. The Secure Coding Tournament provided a great opportunity to identify code with security defects, locate and apply secure code mitigations, and have a great time doing it.

We used the Secure Code Warrior (SCW) tournament environment, which is an integrated platform, leader-board and challenge environment. The SCW environment allows participants to select the language and framework from a large collection that they would like to be challenged in.

Languages and Frameworks Available

  • Angular 1 & 2
  • C#
  • C# - MVC
  • C# - Webforms
  • C# - Core
  • Go
  • Java - Enterprise
  • Java - Spring
  • Java - Struts
  • Node.JS - Express
  • PHP Symfony
  • Python - Django
  • Python - Flask
  • React
  • Ruby On Rails
  • Scaala - Play
  • Android - Java
  • Android - Kotlin
  • IOS - Objective C
  • IOS - Swift
  • React Native
  • C
  • C++
  • Cobol
  • Oracle PL/SQL
  • Pseudocode

This was just one initiative to help build security into the Jade culture, and introduce our Security Champions to the entire company.

Evaluated Options

As part of the tournament investigation, I evaluated the following set of offerings:

Tournament

Offering license Description Pros Cons Lang Challenge Type Doc
SCW Proprietary Integrated platform and challenges
  • Covers all mainstream languages
  • Self contained
  • Most of the work done for us
  • Very structured
  • There will be sales pitches
  • Obviously a SCW tournament, not really branded to bespoke
  • Challenges are code snippets, no business context, can not debug
  • No plain JavaScript
  • Very structured
  • Statistics at game end
N/A N/A N/A
CTFd Proprietary Platform
  • No need for hosting
  • Costs a little
  • Not as flexible as open source platforms
N/A N/A N/A
fbctf Free & open
non-commercial
Platform Fully featured Takes some set-up N/A N/A Plenty
OWASP NodeGoat Free & open Challenges Kim is a core contributor ? Web
JS
Node
White box Plenty
Google Gruyere Free (CC) Challenges Beginner level ? Python White & black box Plenty
OWASP Juice Shop Free & open Challenges & optional platform Slick offering ? JS
Node
Express
Angular
Black box Plenty
OWASP Security Shepherd Free & open Challenges & optional platform OWASP flagship ? web Black box Plenty
OWASP WebGoat.net Free & open Challenges ? Unmaintained,
No official tutorials, but some community provided
web
C#
Black box
source available
d1
dvta Free & open Challenges ? Unmaintained,
No official tutorials, but some community provided
Thick client
C#
Black box / white box, not sure but source is available d2
d3
d4
d5
d6
d7
d8

Quiz

Offering Pros Cons
Kim’s Quiz
  • If we’re all co-located, this is ready to role, if not, it’s just a matter of putting into a Google Quiz
  • Have run this before and attendees enjoyed it and learnt quite a bit
  • Trivial to organise
    It’s not coding

    The Event

    We had Tim Aston and Mitchell Mendonca from SCW to run the environment, and they were knowledgeable and excellent at doing so. I had the joy of MCing the event.

    Secure Coding Players

    The tournament schedule looks like this:

    Activity Timing
    Introductions 30 minutes
    Game 1.5 hours
    Prize giving - Outro 30 minutes

    The main reasons we chose SCW for the first Jade secure coding tournament, was because:

    • The large collection of programming languages available
    • Many (hundreds for each language) challenges
    • The platform and challenges were integrated and ready to roll. As SCW calls it: “Tournament in a box
    • Ability to participate in tournament remotely. This was great for our Development Teams in other cities and countries
    • I had seen the SCW tournament run previously at an internal AppSec conference I’d been invited to speak at, and from a spectators point-of-view, it looked amazing and was a very engaging event

    The SCW integrated environment is useful for learning to spot code-only defects and apply countermeasures. There is little in the way of an overall project context with the questions, the context is at a code level.

    Where I think we may be able to do better than the SCW integrated platform is by providing challenges that are more holistic, rather than just multi-choice and tunnel vision (“is it this snippet of code or this other snippet of code”). Often finding security defects in software is not as naively simplistic as: “Is it this line of code that’s defective or this other line?”. Often defects are a combination of code, config, how the solution has been deployed, and a variety of other aspects. In saying that, I still think that the SCW integrated environment is quite a valuable educational tool for spotting code level defects and learning which mitigations to apply.

    The SCW integrated environment would be useful for measuring the progress of how your Developers are improving at spotting code-only defects and applying countermeasures over time, provided you ran this same tournament regularly (say every 6 to 12 months). This is where I see the statistics provided at game end becoming quite valuable. Although… I’m thinking that you could get similar measurability from using a purpose built platform that you can add your own chosen challenges, although this requires that you actually put this together.

    Conclusion

    Overall this initial tournament was a great success, it brought many Developers together in a fun, focussed, application security learning environment. The game-end statistics were useful and should be even more useful if we use the SCW tournament environment again. This was a good step along the journey of establishing a security culture at Jade.

    Avatar
    Kim Carter
    Technologist / Engineer, Information Security Professional

    Technologist / Engineer, Information Security Professional, Entrepreneur and the founder of BinaryMist Ltd. OWASP NZ Chapter Leader. Certified Scrum Master. Facilitator, mentor and motivator of cross functional, self managing teams. With a solid 18 years of commercial industry experience across many domains.

    Related

    Comments

    Be the first to leave a comment.

    Say something

    Your email is used for Gravatar image and reply notifications only.
    Subscribe to new blog posts here.

    Thank you

    Your comment has been submitted and will be published once it has been approved.

    Click here to see the pull request you generated.

    OK