Developer Tournaments: AppSec's Secret Weapon to Improve Security Culture and Engagement
Imagine crafting something from scratch, wielding your skills and experience with mastery to make a small, but special, mark on the world. Whether alone or part of a team, you place your heart and soul into building something from nothing. You spend hundreds - maybe even thousands - of hours on it, making sure your baby is the best it can be. Upon completion, that wave of accomplishment can feel like a reward all on its own.
Now, imagine a spoilsport comes along and tells you it's not that great. Perhaps they go a step further and tell you that, no, in spite of the energy, time and love you have sacrificed, it's actually not even usable: it's broken. They have, in essence, told you your baby is ugly.
The above scenario is bound to cause some tension; after all, who wants their hard work picked apart and condemned as inadequate? Sadly, for many developers, this can be the reality of their relationship with the AppSec team. A developer has a primary responsibility of building software that is functional, feature-rich and delivered within strict project deadlines. Security is rarely the priority, and can even be seen as a blocker to rapid delivery and innovation. AppSec has the unenviable task of meticulously checking code, pen-testing and then reporting the bad news: the presence of security vulnerabilities in code that is often already committed. It's an expensive process in an environment that is often stretched for resources and time, with the setup bound to cause a rift between two teams that have the same goal, but speak such different languages that they seem at loggerheads.
Don't you think it's time we gave security a makeover? It's as simple as changing the conversation and making everything a little more positive (not to mention fun!) for both sides, especially the development team.
Out of the classroom, into the game arena
With many developers completing vocational training without learning much about coding securely, it is often the case that their first touch-point with security education is upon entering the workforce. Classroom-based training is one oft-used solution, but it takes away precious time from feature delivery (and, let's face it: if the teacher and content are under-stimulating, it can be an easily forgotten waste of time for everyone). There are also video courses, paper-based exams and generic company security policy education... all of which can be so non-specific as to be useless in the day-to-day working lives of the average developer.
Too often, it is treated as a "tick the box and move on" compliance exercise, and too often it has the opposite effect: it just drives a wider rift between AppSec and the dev team. After all, it doesn't appear that conventional training is having the positive effect on security culture and compliance that we as an industry are so desperately seeking. We keep making the same mistakes.
According to the Common Weakness Enumeration (CWE) community, there are more than 700 common software security weaknesses to fight against. Some, like SQL injection, are like cockroaches that haven't been squashed despite their existence for more than twenty years. We know how to fix it; the training is there to empower developers to stop it and so many others, yet pen-testing and manual code review processes continually identify these violations.
Perhaps we've been looking at it all wrong, and we as an industry need to tackle viable education from a different angle... one that harnesses the amazing skills so valued in our developers. They are creative, inquisitive problem-solvers who love a challenge. To gamify security training is to speak their language, to allow them to practice by doing - and who knows, they may just fall in love with security along the way.
A little healthy competition
A core reliance on (rather inaccurate) tools, expensive pen-testing and scarce AppSec specialists is going to plunge us deeper into the security black hole. Too much of our lives and privacy exists online for companies to continue throwing caution to the wind with the virtual fortresses that protect our data. As the digital transformation of our world increases our dependence on software, we need to turn to the superheroes we have had sitting in the office all along: the development team.
Gamified training, in relevant languages and frameworks, is a potent tool for AppSec managers to start transforming security culture within the business. From the training, developers can flex their newly-built security muscles in a fun tournament setting, one that can be as exciting as your imagination can conjure: just take a look at how IAG's "Game of Codes" got everyone talking about security within their organization.
Secure Code Warrior's tournament module provides more than just a nice little cap on a measured training commitment: it is a platform from which each developer can validate their skills, see how far they have advanced since training commenced, as well as identify areas that may need improvement. The competition aspect really acts as a motivator to engage positively with security, using reward and recognition to support the growth of a robust security culture within the team and wider business.
Injecting a little fun into what can be seen as a laborious - if not daunting - task, can go a long way in changing negative mindsets and inspiring continued participation. After all, who doesn't love the glory of scoring more points than their peers in a (healthy) competitive environment?
Champions walk among you
Gamified training and subsequent tournaments help immensely in driving a positive security culture, with AppSec and development teams gaining much more insight into each other's day-to-day work. A secure developer is an asset, fixing common vulnerabilities and leaving the complex issues to those scarce AppSec specialists on the ground. Better relationships grow and thrive, and the precious security budget isn't chewed up fixing a "Groundhog Day" scenario of the same errors over and over.
There's another powerful byproduct, however: the revelation of the security champions you never knew you had. Tournaments can uncover those that not only have an aptitude for security, but actively display a passion for it. These champions are vital in keeping the momentum going and acting as a point of contact between teams, overseeing peers and upholding best practice policies. Implementing a solid champion program, one that includes recognition and executive support, is a feather in the cap of the organization, as well as a powerful inclusion for the individual's CV and future career.
The bottom line? We must demand better outcomes in security testing. Fewer common errors, more support for those on the front lines. Why not see how a developer tournament can get you there sooner than you think?
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.