Confusing Privacy with Security: The Fatal Mistake
On a recent long-haul flight, I took the opportunity to devour a, quite frankly, insane volume of podcast episodes. Keeping up-to-date with so many different series means I am never short of something to listen to, with compelling -- albeit one-sided -- conversation just a touch of my phone screen away.
Eventually, I got to an episode of the true crime podcast, Casefile. This dramatic, no-holds-barred series (complete with an ominously-voiced and nameless host) delved into a topic that fascinates even the most knowledgeable and savvy technologists: the deep web, and the cataclysmic ascension of contraband trade website, Silk Road. Split into two parts, those familiar with the rise and fall of Silk Road would have undoubtedly followed news on the case, but the podcast divulges every little detail, in delicious, edge-of-seat narrative.
The Silk Road: Lessons From The Deep Web Dungeon
If you're not intimate with the ins-and-outs of Silk Road, the TL;DR summary is that a man built a trade website on the deep web, hidden from the prying eyes of the general public and unviewable without the use of special software - the Tor browser, to be exact. The site initially only offered his homegrown magic mushrooms, but, virtually overnight, exploded with vendors offering everything from hardcore drugs to illegal weapons and stolen credit card details. You can get up to speed here. The creator and site admin went by the Princess Bride-inspired pseudonym, Dread Pirate Roberts. He was everyone, he was no-one. All users traded a veritable bounty of illegal goods, and they did it completely anonymously (and in the process, got Bitcoin a reputation as the drug dealer currency of choice; a moniker it is only just beginning to shake).
However, Dread Pirate Roberts' anti-establishment experiment was a beast unto its own. Soon, hitmen were advertising their services. Bad people were doing bad things... and he was intoxicated by his newfound, unfathomable wealth. He even tried to utilize the services of an advertised hitman to dispose of a former employee. Long story short, this was one of many knuckle-headed decisions that brought about his undoing. He has been unmasked as Ross Ulbricht and he is currently rotting in a US jail cell, serving a double life sentence plus forty years without the possibility of parole.
But, how was he caught if everything was completely private and anonymous?
Well, to put it bluntly: he was a pretty crappy coder. The Silk Road site itself was like a leaky old barge marooned in the ocean. Considering it was a hub of illegal activity (and all the data behind that activity) it was not secure at all; it was a sitting duck just waiting to be exploited by an opportunistic hacker. To be fair, when you're the mastermind of a huge, illegal drug trafficking business, it's probably not easy to find competent employees who would like to get involved with your operation. He made no secret of his skill-gap, either - he even posted under his real name on Stack Overflow (yep, that's his user account), asking for help to properly configure his site code to connect with Tor using Curl in PHP. He changed his real name to the handle "frosty" less than a minute after posting, but this clearly didn't help... in fact, it probably did further damage: the encryption key on the Silk Road server ended with the substring "frosty@frosty", thus implicating him further once the FBI caught wind of his scent.
Despite such a huge push for privacy, with encrypted messaging, currency and explicit instructions on securing the contraband itself in transit and delivery, the site was not the impenetrable fortress of libertarian fantasia that Ulbricht may have envisioned. Those with the skills (read: programmers employed by the FBI) slowly, but surely, unraveled it to reveal everything... including the identities of thousands of people who transacted on the site. It's possible that those who purchased naughty goods many years ago are still going to get a knock on the door from the long arm of the law at some point, like this guy in Germany. Yikes.
The FBI released documentation outlining how they were able to penetrate Silk Road, with the general explanation being that they made use of an IP address leak. A misconfiguration of the Silk Road login page revealed the IP address, and thus the physical location, of its servers, without any underhanded hacking required. A rookie error, to be sure, and one which eventually led the FBI straight to Ross Ulbricht.
There is speculation that this flaw - if it did exist - would have been spotted long before this moment in time by one of the many security professionals monitoring the site. Nik Cubrilovic, an Australian security consultant, claimed in an interview with WIRED that it simply wasn't there:
"There's no way you can be connected to a Tor site and see the address of a server that's not a Tor node. The way they're trying to make a jury or a judge believe it happened just doesn't make sense technically."
Cubrilovic then goes on to suggest that the information may have been obtained by illegal hacking practices. The practice most often named is SQL injection, an unproven rumor that has since been discussed on many sites as a plausible method of extraction.
The legalities surrounding the tactics of the FBI are an entirely separate discussion. The fact the information could be obtained at all is indicative of Silk Road's poor security practices, despite the general user understanding of the site being "private". When privacy is confused with security, the possibility of exposure to vulnerabilities is most certainly increased.
There is also the possibility that the site would still be running (in its original form, anyway; it has been resurrected several times, and there are even larger sites just like it operating right now) if Ross Ulbricht had made the distinction between privacy and security, actively working to ensure both before it grew into a giant heat lamp, attracting every unsavory crook with slightly above-average tech knowledge on the planet. Instead, the private club and all its secrets were revealed the moment someone found a way to open the door.
You're not a drug lord, so why should you care?
The loss of Silk Road and imprisonment of its founder is not a sad, sympathetic tale, but it is a fascinating case study into the nuanced differences between privacy and true, robust site security. There are many legitimate operations that require transactions and information to be private - think digitized medical records, or even the millions of credit card numbers held by a large bank - but if they are not also secured with iron-clad software development, that information could be cherry-picked by an attacker (and, ironically, end up on a site like Silk Road). Privacy does not exist without security.
The good guys, like you, could have software that is vulnerable to SQL injection attacks and other vulnerabilities from the OWASP Top 10, so it is vital that these are prepared for and mitigated efficiently. If developers are trained to code securely from the very start of the process, these flaws won't see the light of day. It is imperative that organizations adopt a security mindset and empower their dev teams to code securely. We can show you how to do it the fun, measurable and gamified way. Are you ready?
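As an added illustration of the SQL injection flaw named above (example code written for this page, not Silk Road's code and not Secure Code Warrior's), here is a login check built by string concatenation beside the parameterized version that fixes it. The users table, the sample account and the classic tautology probe are all constructed for the example; SHA-256 stands in for a proper password hash so the block runs without third-party dependencies.

```python
import hashlib
import sqlite3

# Constructed sample data: one account with a hashed password. A production
# system would use a dedicated password hash (bcrypt, scrypt or Argon2);
# plain SHA-256 is used here only to keep the example dependency-free.
SAMPLE_USERS = [("alice", "correct horse battery staple")]


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [(user, _hash(pw)) for user, pw in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The flaw, kept for contrast: user input is spliced into the SQL text,
    so a quote in the username becomes SQL syntax and can rewrite the WHERE
    clause. This is the pattern that makes a login page injectable."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password_hash = '" + _hash(password) + "'"
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: a parameterized query. The SQL text is fixed and the values
    travel separately, so the input is only ever compared as data."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    # The textbook tautology probe: it makes the concatenated WHERE clause
    # always true and comments out the password check entirely.
    probe = "' OR '1'='1' --"
    print("vulnerable, valid creds:", login_vulnerable(db, "alice", "correct horse battery staple"))
    print("vulnerable, probe      :", login_vulnerable(db, probe, "anything"))
    print("safe, valid creds      :", login_safe(db, "alice", "correct horse battery staple"))
    print("safe, probe            :", login_safe(db, probe, "anything"))
```

The parameterized form is the whole fix: no escaping, no input filtering, just never letting untrusted text become part of the SQL statement. The same `?`-placeholder pattern exists in every mainstream database driver, including PDO and mysqli prepared statements in the PHP that Silk Road was written in.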
When online privacy attempts to exist without security, chaos reigns. Just ask Ross Ulbricht.
Secure Code Warrior makes secure coding a positive and engaging experience for developers as they increase their skills. We guide each coder along their own preferred learning pathway, so that security-skilled developers become the everyday superheroes of our connected world.