No matter the organization, or indeed its individual circumstances, there is one problem I have identified time and time again over the course of my career: AppSec managers, CISOs, CIOs and cybersecurity experts all over the world are rarely able to positively engage their dev teams on security best practice and training. It is a source of conflict between teams and a showstopper in a world where rapid feature development, coding at the speed of culture, and innovation are everything.
This is a conversation we must have if we are to change our industry. Software security is simply too important to allow such a negative mindset to thrive. Security needs to be front of mind, an integral part of every developer's working life.
Developers and Security: The Current Outlook
Aspiring developers go to university, or a similar educational institution, to learn to code. They want to build software, work with computers and get a job in a relevant field. The educational facility provides the training, gets them building and certifies their skills. And yet, most developers complete their course with very little practical knowledge of how to deliver secure code.
When they find themselves in a job, security training is rarely a priority there, either. All too often, their first experience with security is getting slapped with a bug report or an audit. The security team has alerted them to a problem that stops everything in its tracks. This now top-priority distraction has upset their creative process and plans. They find themselves resentful or even in conflict with those responsible for security reporting, so ‘security’ becomes synonymous with ‘disapproval’ in their mind. No wonder we’re in this position.
It pains me that the perception of software security is so negative. Some of my most treasured career memories relate to growing and learning in this space. I spent much of my early (ethical) hacking days attending conferences, where I would not only get to test my skills (and, to be honest, show off a little) against peers, but also seize the opportunity to network with people just like me who loved breaking software, diving deep into its innermost workings and making it better. It is a tremendous community that I remember with fondness.
Gamification in software development isn't brand new. In fact, a few years ago, I had the privilege of standing in front of hundreds of kids in the Middle East, teaching them about cybersecurity. An eight-year-old girl was among my students, and she was learning about password brute-forcing and base64 encoding while playing games, which can be very powerful tools for inspiring children and embracing their creativity and curiosity.
Gamification is being utilized by educational institutions around the world to teach coding to very young children, all the way up to high school age. Kids as young as four now have the opportunity to attend holiday initiatives like CodeCamp, and there are so many fantastic, game-oriented online programs that teach kids how to code in Python and other languages. I even bought the amazing screenless coding tool, Cubetto, for my own four-year-old daughter.
Gamified education has made giant leaps forward for many industries. It’s fun, progressive and truly useful learning in many cases. However, there was a gap. Gamification was not being utilized to teach developers how to write secure code, and I came to the realization that this was the way we could make security inspiring again, motivating developers to get involved and start playing in a space that can be super fun and professionally rewarding if you give it a chance.
Gamification: The ‘Secret Sauce’
It is my mission to lift up and empower developers with security knowledge, and this drive led to the creation of Secure Code Warrior. Software security should be mandatory, and it doesn’t have to be boring. Thankfully, there are many others who share my thoughts on this.
Gamification transforms mundane tasks into exciting objectives. A good game maintains engagement, keeping people hooked on winning and making progress. Just look at the way Pokémon Go motivated even the laziest individual to get off the couch and head outdoors in search of imaginary creatures, or how Fitbit makes it a daily goal for many to hit their step count (a very real sense of disappointment strikes if those targets are not met, if streaks are ended and badges are not earned).
So, back to security training.
Security is not the developer’s priority right now. However, introducing a friendly, competitive, and engaging element to your training methods could be the left-field, fresh approach you need to unleash their security mindset. You are motivating them to not only ‘play’, but to keep returning to earn more points, beat high scores, become more accurate and challenge their fellow team members.
We already know that successful training has a pattern, and it looks like this:
Developers are able to work in real code and in their own languages/frameworks.
Challenges are short and cover the common classes of security vulnerability.
Challenges are constantly expanded and updated so developers can continue to build their skills over time.
Challenges vary in complexity so they are engaging for both senior developers and less experienced ones.
Developers and their managers are able to view progress, including which challenges they have completed, their strengths and weaknesses, the time spent on training and their overall accuracy.
One of our biggest clients showed the true magic of a gamified platform in their rollout, making a huge effort to embrace the spirit of the platform. They provided their developers with themed team gear, offered amazing prizes to game winners and made their tournament a day to remember. They’ve since offered international competitions and their whole team is still clocking up serious training hours to this day.
Your own software security revolution starts here. Interestingly, the finance industry is leading the way in embracing gamified training in the fight against insecure code — just check out what our client did with their next-level tournament. You could be the next innovator in your industry.
About Pieter Danhieux
Pieter Danhieux is the CEO of Secure Code Warrior, a global security company that makes software development better and more secure. He co-founded the company in 2015 and has since built the product and a global team of 30 staff, with 5x revenue growth in 2017.