I've spoken to many AppSec managers, CISOs, CIOs and cybersecurity experts working in all kinds of companies all over the world over the course of my own career in software development and security.
No matter how different their situation, how experienced their team, or how much time passes in this ever-changing digital world, there is one problem that always stays the same: They are rarely able to positively engage their dev team on security. Security is still the dirty word, the source of conflict between teams and the downright pain in the backside of the industry.
However, software security is simply too important for our general mindset to continue down this path. We must work to change the conversation, to make security an integral part of every developer’s working life. And I think one of the best ways to do this is by empowering and engaging with developers on security through gamification.
The current landscape
Developers leave university with very little practical knowledge of delivering secure code, and they then work in jobs where security training is rarely a priority. When it is, it usually takes the form of the mandatory compliance videos that sit alongside health-and-safety training, which are so dull that nobody would ever be moved to care about secure coding. Very often, a developer's first real encounter with security is an audit finding or a security-testing bug report that suddenly halts an upcoming release, becoming an instant top-priority disruption to their creative work. They find themselves at loggerheads with whoever filed the report, and "security" becomes synonymous with "criticism" in their mind. Yuck.
It's honestly a real shame that this negative perception of software security is so prevalent. After all, some of the best memories I hold of my career relate to learning about software security. I spent my early hacking days attending conferences, where I would not only get to test my skills (and to be honest, show off a little) against peers, but also have tremendous fun meeting like-minded people who enjoyed breaking software as much as I did.
BruCon, DefCon, BlackHat… these events provided people just like me the ability to engage our skills in friendly competition. While I'd never admit to participating in such antisocial things, some would even showcase their hacking prowess by breaking into the phones of other attendees, displaying their information on the presentation screens for all to see. It became a game, finding these flaws - exploiting and fixing them - in order to make software better. A few years back, I had the privilege to be in front of hundreds of kids in the Middle East, teaching them about cybersecurity. I still remember an eight-year-old girl among my students, who was learning about password brute-forcing and base64 encoding while playing games.
Gamification is used to teach coding skills, too. Educational institutions around the world are utilizing this approach to teach coding to very young children, even up to high school age. Kids as young as four now regularly attend holiday initiatives like CodeCamp, and there is a raft of fantastic online programs that teach kids how to code in Python and other languages. I even bought the amazing screenless coding tool, Cubetto, for my four-year-old daughter.
However, despite all this fun and progress, there's a gap. No-one thought about the possibility of leveraging gamification to train developers how to write secure code.
Well... almost no-one. A few years back, I came to the realization that we needed to make security inspiring again, and really motivate developers to get involved and start playing.
Gamification: The simple way forward.
There is a deep drive inside me to lift up and empower developers with security knowledge, and it is this passion that led me to create Secure Code Warrior. Software security is so important, and it really can be exciting.
I'm not alone in my thinking.
Gamification can make even the most mundane of tasks more fun, and it keeps people engaged enough to want to keep playing, winning and making progress. Just look at the way Pokémon GO got even the laziest individual off the couch, outdoors and searching for imaginary creatures, or how a Fitbit makes hitting a daily step count a goal for many people: a very real sense of disappointment sets in if those targets are missed, streaks are broken and badges go unearned.
So, back to security training. We have proven with many clients that gamification is key to really transforming the security culture in their organizations, building bridges between AppSec and dev teams, as well as generally helping them build software of a higher standard.
Right now, security is not the developer’s priority. By adding a friendly, competitive, and engaging element to your training methods, you are motivating them to not only "play", but keep returning to earn more points, beat high scores, become more accurate and challenge their fellow team members.
We already know that successful training looks something like this:
- Developers are able to work in real code and in their own languages and frameworks.
- Challenges are short and cover the common security vulnerabilities.
- Challenges are constantly expanded and updated so developers can continue to build their skills over time.
- Challenges vary in complexity so they are engaging for both senior developers and less experienced ones.
- Developers and their managers are able to view progress, including which challenges they have completed, their strengths and weaknesses, the time spent on training and their overall accuracy.

One of our biggest clients showed the true magic of a gamified platform in their rollout, decking out their developers with themed team gear, offering amazing prizes to game winners and really making their tournament a day to remember. They've since run international competitions, and their whole team is still clocking up serious training hours to this day.
Your own software revolution starts here. The Australian banking industry is leading the way in embracing gamified training in the fight against bad code, in a truly innovative approach that turns traditional (or, boring) training on its head - just check out what our client did with their next-level tournament. Are you ready to "Level Up" your team with us?