Each year the first of October marks the beginning of Cybersecurity Awareness Month. It started as a national programme in the United States and was taken up by the European Union Agency for Cybersecurity (ENISA) in 2012 as the European Cybersecurity Month. By raising awareness for online security, the campaign remains a significant part of the actions designed to implement the provisions of the EU Cybersecurity Act.
This October, Andreas Schneider, CISO of TX Group, decided to pilot an initiative that promotes secure coding habits and also gives back to the environment, since code can have a direct impact on a company's CO2 footprint. Previous efforts to collaborate on security matters have been supported through the Security Guild, which encouraged the exchange between engineers at TX Group and TX Markets. These efforts continue to grow, offering a supportive space for exchange. In our interview with Andreas, he shares the details of the Secure Code Warrior project, which all TX Markets engineers can benefit from, making secure coding habits part of their daily workflow even beyond Cybersecurity Awareness Month this October.
Andreas, could you explain what “Secure Code Warrior” is?
Secure Code Warrior is a Software as a Service (SaaS) learning platform. The platform trains developers, along their own preferred learning pathway, to write code more securely. By emphasising the importance of "shifting security to the left", we ensure that vulnerabilities can be prevented at the start of development.
What is the idea and what is taking place?
The idea is simple. Using International Cybersecurity Awareness Month this October, we decided to run a campaign in partnership with One Tree One Life - a charity organization that plants and takes care of saplings for five years. For every hour spent on the Secure Code Warrior platform within the month of October, one tree will be donated. We hope that the environmental focus of the campaign incentivises developers to do something good for our planet - and of course, take the time to skill up too.
In TX Group we already run several Bug Bounty programs, where we reward external researchers if they find flaws in our products. Though we use Bug Bounty programs to catch vulnerabilities that might have slipped through the cracks, there are many effective ways to prevent these vulnerabilities from happening in the first place. When we prioritise security through secure coding practices, we can save a lot of money. So the more developers train secure coding practices, the better for the overall security in our group, and for our bottom line. On top of the Cybersecurity Awareness initiative in October, we will run an additional tournament using Secure Code Warrior. This tournament will run parallel to our internal Hackathon "Hack to the Future" on November 3rd, kicking off the TX Conference on November 4th. Our developers can then compete against each other in a gamified secure code tournament. And the prize is big! The 10 best developers will win an Oculus Quest 2.
More importantly, after these main events have passed, every developer in the TX Group will have access to Secure Code Warrior through Single Sign-On (SSO). Developers will be able to find the logo in their dashboard and use the program anytime they want.
How did you come up with this concept? What inspired you?
The main issue developers often face is time. Often they don’t have the time to do yet another additional task on top of the many projects, features, or bugs we work on daily.
We have done separate training for years now, but the traditional “school-like” training was never relevant enough. Plus, motivation to engage with the material was often lacking.
There are two main reasons behind this lack of engagement. First, we were never able to find a good time to run the training. Many of our Marketplaces operate within different sprint timelines. And, to be honest, it was also a bit boring.
It became clear we needed a different approach. Following this initial spark, I talked to the founders of Secure Code Warrior and to our Bug Bounty Program partner Bugcrowd. I asked them how we could successfully motivate our developers. In those conversations, I wanted to learn from their experiences and build on them.
I found out that many other companies follow a carrot and stick approach. We prefer avoiding power games in learning culture. Trial and error are part of the learning cycle and should be encouraged. Especially when it comes to the more negative topic of security, where error often leads to vulnerability in your product. Combining this with a positive and playful mindset makes more sense to me. In short, more carrots - fewer sticks.
With Secure Code Warrior we can teach secure coding practices in all relevant languages used for our products to the developers when they have the time. The platform can also integrate with our security scanning process and our Bug Bounty Programs making it easier to use.
Most security tools are too complicated. With Secure Code Warrior, every time a new bug is found in our existing tools, the software attaches a micro training to the ticket (e.g. in Jira). This makes training short, digestible and relevant. On top of that, every developer is empowered to train. Time and resources are given to improve the quality and security of our code, without any barriers or “sticks”.
What are some common vulnerabilities when writing code?
With our Bug Bounty Programs and the automated scanners, we usually see the following vulnerabilities at the top (always depending on the languages used). These are among the OWASP Top 10 and are typically found in web applications:
- Server Security Misconfiguration
- Server-Side Injection
- Unvalidated Redirects and Forwards
- Sensitive Data Exposure
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
Secure Code Warrior allows us to create custom, tailored training tackling specific issues in the languages that are used.
What does Secure Code Warrior incentivise in a new and unique way?
If security tools like scanners and Bug Bounty Programs surface a weakness, it always has a negative impact (e.g., the team did it wrong and now the expected feature delivery will be postponed due to bug fixing). A tool that helps us prevent these vulnerabilities from existing in the first place also removes the negative connotation of a bug. Developers can then also run certifications within the platform, which helps them in their careers. Many organisations require security tests for developers who strive toward, e.g., senior positions.
There are also other aspects: the Secure Code Warrior training platform does not have a time limit, and there are many languages to train with. So, if someone wants to dig deeper into COBOL or Scala security, it's already part of the package.
Are you expecting any particular results from the project?
Like with Bug Bounty Programs, you never know what researchers might find and, as a result, you can't predict how much you will reward them. That is why I honestly don't know if the idea of planting trees and the tournament will be enough to engage our developers. But, if you're asking me for a specific result: my hope is that we are able to plant more than 100 trees while having a lot of fun doing it.