How a ‘Game of Codes’ is leading IAG Group to a more secure coding future
IAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum. Bianca Wirth is the Corporate Security Education & AwarenessManager for IAG Group. Highly attuned to the need for tight security awareness and practices within the development team, she set about creating a truly innovative, optimum environment in which the team could learn vital secure coding techniques.
ENTER: Game of Codes
The challenge
Developers are often stretched for time, with multiple deliverables and projects on the boil. However, keeping up-to-date with security best practice is of utmost importance to any organisation, let alone one with millions of sensitive customer data profiles to keep safe from hackers. Bianca and her team set clear objectives on the path to making their cybersecurity initiatives more robust. They determined that minimising the attack surface area inIAG-developed applications was the priority, and they would approach this through educating developers to identify and fix critical and high-risk vulnerabilities. Lengthy secure coding training courses certainly exist, but they can be laborious, tedious, and take key staff away from development projects with strict delivery timelines, which creates pressure across the business. The need to up skill the dev team quickly, with minimal impact to workload and operations, became apparent. And with developers across Australia andNew Zealand, each working on systems that weren’t necessarily the same, this was no small feat.
“This year, I made a change to our source code which removed an SQL injection vulnerability. For there cognition of this I give credit to Game of Codes. Even just keeping secure coding top of mind is helpful. The competition is a good way to push people to try their best… because let’s face it, security isn’t everyone’s most enjoyable topic, so this is a good way to get people involved.” R, IAG Developer
The implementation
Bianca strategised the rollout of a gamified training experience, working in conjunction with her team and Secure Code Warrior in the implementation of tournaments and training to promote the skills of their in-house developers. For this, it was essential to set up a sound communication strategy, as well as cater to the different motivations and personalities that staff have in adopting an all-new platform and using it to its full potential:
“We designed a communications plan, consisting of how we’re going to communicate to staff and key stakeholders the need-to-know points, key messages and what incentives we’re giving them to respond to as well. Most people really enjoy the gamified experience. It just depends on their personalities, their motivation and what drives them. So, that’s why we try to cater for a whole different range of motivations for people. For some, they love the prizes, for others the achievement aspect itself is enough of a factor,” she said
Bianca and IAG expertly showcased Secure Code Warrior’s gamified learning platform, transforming their tournament into a fun competition experience heralded as the ‘Game of Codes’, with staff placed into medieval-themed houses (complete with branded player merchandise) going head-to-head in a battle worthy of its HBO-produced namesake.
The tournament has even been taken to the international stage, with an upcoming Australia vs New Zealand match-up soon to launch. This gives IAG the chance to identify the leading security champions across both countries, as well as ensuring teams are up-skilling together.
The result
Game of Codes is, in effect, a specialised training program. Its roll-out as an interactive, fun tournament ensured that staff remained engaged in a variety of ways, but the core practicality of the exercise remained: to give developers the skills required to identify and thwart high-risk vulnerabilities in IAG-developed applications.
By ensuring that both developers and security teams are working with a security-first mindset, as well as being equipped to not just identify, but fix vulnerabilities from the beginning, IAG anticipates seeing a reduction in costly penetration testing exercises and strain on the team that carries them out.
In addition to this vital competency continuing to be developed, Game of Codes also aided in relationship building, injecting a sense of camaraderie and friendly competitiveness between involved teams, while also helping individuals feel more confident in their secure coding abilities when seeing them measured in a point-scoring tournament environment.
Bianca stated that the internal support for the program was immense, with a positive reception from the executive suite. This also led to an ambassador program, where individuals keen to promote the program and champion security within the organisation could get involved:
“It has been fantastic exposure for some developers and an excellent promotion of their skills. They’re getting benefit from that in their own jobs as well which is important to see.”
Far from being ‘just a game’, or simply a more pleasant way for department managers to burn through compliance training, Game of Codes offers a high-retention, engaging solution that turns security novices into security champions quickly, which is essential in minimising the risk of a large-scale breach.
And the ultimate advice, from Bianca herself:
“If you roll out any program and expect people to just use it, it's not going to work. You need to design a program around it where you initiate and motivate changed behaviour. What we built was essentially a developer change management program, focused on security.”
“After going through the training sessions on Game of Codes, I find I am more interested in security and thinking about security when creating automation tests.I am a senior tester in an agile team and these training sessions have motivated me to learn more about security testing and think of it as a possible specialisation.” A, IAG Senior Tester
FAST FACTS
- In addition to gamified learning, IAG is also using Secure Code Warrior as a skill-testing tool in developer recruitment.
- They are in the process of rolling the program out to 100% of their development team, with 55% already active in the system.
- They have developed a key set of internal metrics allowing them to measure the success of the program in minimising risk and reducing costs over time.
IAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoIAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum. Bianca Wirth is the Corporate Security Education & AwarenessManager for IAG Group. Highly attuned to the need for tight security awareness and practices within the development team, she set about creating a truly innovative, optimum environment in which the team could learn vital secure coding techniques.
ENTER: Game of Codes
The challenge
Developers are often stretched for time, with multiple deliverables and projects on the boil. However, keeping up-to-date with security best practice is of utmost importance to any organisation, let alone one with millions of sensitive customer data profiles to keep safe from hackers. Bianca and her team set clear objectives on the path to making their cybersecurity initiatives more robust. They determined that minimising the attack surface area inIAG-developed applications was the priority, and they would approach this through educating developers to identify and fix critical and high-risk vulnerabilities. Lengthy secure coding training courses certainly exist, but they can be laborious, tedious, and take key staff away from development projects with strict delivery timelines, which creates pressure across the business. The need to up skill the dev team quickly, with minimal impact to workload and operations, became apparent. And with developers across Australia andNew Zealand, each working on systems that weren’t necessarily the same, this was no small feat.
“This year, I made a change to our source code which removed an SQL injection vulnerability. For there cognition of this I give credit to Game of Codes. Even just keeping secure coding top of mind is helpful. The competition is a good way to push people to try their best… because let’s face it, security isn’t everyone’s most enjoyable topic, so this is a good way to get people involved.” R, IAG Developer
The implementation
Bianca strategised the rollout of a gamified training experience, working in conjunction with her team and Secure Code Warrior in the implementation of tournaments and training to promote the skills of their in-house developers. For this, it was essential to set up a sound communication strategy, as well as cater to the different motivations and personalities that staff have in adopting an all-new platform and using it to its full potential:
“We designed a communications plan, consisting of how we’re going to communicate to staff and key stakeholders the need-to-know points, key messages and what incentives we’re giving them to respond to as well. Most people really enjoy the gamified experience. It just depends on their personalities, their motivation and what drives them. So, that’s why we try to cater for a whole different range of motivations for people. For some, they love the prizes, for others the achievement aspect itself is enough of a factor,” she said
Bianca and IAG expertly showcased Secure Code Warrior’s gamified learning platform, transforming their tournament into a fun competition experience heralded as the ‘Game of Codes’, with staff placed into medieval-themed houses (complete with branded player merchandise) going head-to-head in a battle worthy of its HBO-produced namesake.
The tournament has even been taken to the international stage, with an upcoming Australia vs New Zealand match-up soon to launch. This gives IAG the chance to identify the leading security champions across both countries, as well as ensuring teams are up-skilling together.
The result
Game of Codes is, in effect, a specialised training program. Its roll-out as an interactive, fun tournament ensured that staff remained engaged in a variety of ways, but the core practicality of the exercise remained: to give developers the skills required to identify and thwart high-risk vulnerabilities in IAG-developed applications.
By ensuring that both developers and security teams are working with a security-first mindset, as well as being equipped to not just identify, but fix vulnerabilities from the beginning, IAG anticipates seeing a reduction in costly penetration testing exercises and strain on the team that carries them out.
In addition to this vital competency continuing to be developed, Game of Codes also aided in relationship building, injecting a sense of camaraderie and friendly competitiveness between involved teams, while also helping individuals feel more confident in their secure coding abilities when seeing them measured in a point-scoring tournament environment.
Bianca stated that the internal support for the program was immense, with a positive reception from the executive suite. This also led to an ambassador program, where individuals keen to promote the program and champion security within the organisation could get involved:
“It has been fantastic exposure for some developers and an excellent promotion of their skills. They’re getting benefit from that in their own jobs as well which is important to see.”
Far from being ‘just a game’, or simply a more pleasant way for department managers to burn through compliance training, Game of Codes offers a high-retention, engaging solution that turns security novices into security champions quickly, which is essential in minimising the risk of a large-scale breach.
And the ultimate advice, from Bianca herself:
“If you roll out any program and expect people to just use it, it's not going to work. You need to design a program around it where you initiate and motivate changed behaviour. What we built was essentially a developer change management program, focused on security.”
“After going through the training sessions on Game of Codes, I find I am more interested in security and thinking about security when creating automation tests.I am a senior tester in an agile team and these training sessions have motivated me to learn more about security testing and think of it as a possible specialisation.” A, IAG Senior Tester
FAST FACTS
- In addition to gamified learning, IAG is also using Secure Code Warrior as a skill-testing tool in developer recruitment.
- They are in the process of rolling the program out to 100% of their development team, with 55% already active in the system.
- They have developed a key set of internal metrics allowing them to measure the success of the program in minimising risk and reducing costs over time.
IAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum. Bianca Wirth is the Corporate Security Education & AwarenessManager for IAG Group. Highly attuned to the need for tight security awareness and practices within the development team, she set about creating a truly innovative, optimum environment in which the team could learn vital secure coding techniques.
ENTER: Game of Codes
The challenge
Developers are often stretched for time, with multiple deliverables and projects on the boil. However, keeping up-to-date with security best practice is of utmost importance to any organisation, let alone one with millions of sensitive customer data profiles to keep safe from hackers. Bianca and her team set clear objectives on the path to making their cybersecurity initiatives more robust. They determined that minimising the attack surface area inIAG-developed applications was the priority, and they would approach this through educating developers to identify and fix critical and high-risk vulnerabilities. Lengthy secure coding training courses certainly exist, but they can be laborious, tedious, and take key staff away from development projects with strict delivery timelines, which creates pressure across the business. The need to up skill the dev team quickly, with minimal impact to workload and operations, became apparent. And with developers across Australia andNew Zealand, each working on systems that weren’t necessarily the same, this was no small feat.
“This year, I made a change to our source code which removed an SQL injection vulnerability. For there cognition of this I give credit to Game of Codes. Even just keeping secure coding top of mind is helpful. The competition is a good way to push people to try their best… because let’s face it, security isn’t everyone’s most enjoyable topic, so this is a good way to get people involved.” R, IAG Developer
The implementation
Bianca strategised the rollout of a gamified training experience, working in conjunction with her team and Secure Code Warrior in the implementation of tournaments and training to promote the skills of their in-house developers. For this, it was essential to set up a sound communication strategy, as well as cater to the different motivations and personalities that staff have in adopting an all-new platform and using it to its full potential:
“We designed a communications plan, consisting of how we’re going to communicate to staff and key stakeholders the need-to-know points, key messages and what incentives we’re giving them to respond to as well. Most people really enjoy the gamified experience. It just depends on their personalities, their motivation and what drives them. So, that’s why we try to cater for a whole different range of motivations for people. For some, they love the prizes, for others the achievement aspect itself is enough of a factor,” she said
Bianca and IAG expertly showcased Secure Code Warrior’s gamified learning platform, transforming their tournament into a fun competition experience heralded as the ‘Game of Codes’, with staff placed into medieval-themed houses (complete with branded player merchandise) going head-to-head in a battle worthy of its HBO-produced namesake.
The tournament has even been taken to the international stage, with an upcoming Australia vs New Zealand match-up soon to launch. This gives IAG the chance to identify the leading security champions across both countries, as well as ensuring teams are up-skilling together.
The result
Game of Codes is, in effect, a specialised training program. Its roll-out as an interactive, fun tournament ensured that staff remained engaged in a variety of ways, but the core practicality of the exercise remained: to give developers the skills required to identify and thwart high-risk vulnerabilities in IAG-developed applications.
By ensuring that both developers and security teams are working with a security-first mindset, as well as being equipped to not just identify, but fix vulnerabilities from the beginning, IAG anticipates seeing a reduction in costly penetration testing exercises and strain on the team that carries them out.
In addition to this vital competency continuing to be developed, Game of Codes also aided in relationship building, injecting a sense of camaraderie and friendly competitiveness between involved teams, while also helping individuals feel more confident in their secure coding abilities when seeing them measured in a point-scoring tournament environment.
Bianca stated that the internal support for the program was immense, with a positive reception from the executive suite. This also led to an ambassador program, where individuals keen to promote the program and champion security within the organisation could get involved:
“It has been fantastic exposure for some developers and an excellent promotion of their skills. They’re getting benefit from that in their own jobs as well which is important to see.”
Far from being ‘just a game’, or simply a more pleasant way for department managers to burn through compliance training, Game of Codes offers a high-retention, engaging solution that turns security novices into security champions quickly, which is essential in minimising the risk of a large-scale breach.
And the ultimate advice, from Bianca herself:
“If you roll out any program and expect people to just use it, it's not going to work. You need to design a program around it where you initiate and motivate changed behaviour. What we built was essentially a developer change management program, focused on security.”
“After going through the training sessions on Game of Codes, I find I am more interested in security and thinking about security when creating automation tests.I am a senior tester in an agile team and these training sessions have motivated me to learn more about security testing and think of it as a possible specialisation.” A, IAG Senior Tester
FAST FACTS
- In addition to gamified learning, IAG is also using Secure Code Warrior as a skill-testing tool in developer recruitment.
- They are in the process of rolling the program out to 100% of their development team, with 55% already active in the system.
- They have developed a key set of internal metrics allowing them to measure the success of the program in minimising risk and reducing costs over time.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoIAG Group is the name behind many of the leading insurance companies in the Asia-Pacific region, underwriting policies for millions of customers to the tune of approximately AUD $11.4 Billion in premiums per annum. Bianca Wirth is the Corporate Security Education & AwarenessManager for IAG Group. Highly attuned to the need for tight security awareness and practices within the development team, she set about creating a truly innovative, optimum environment in which the team could learn vital secure coding techniques.
ENTER: Game of Codes
The challenge
Developers are often stretched for time, with multiple deliverables and projects on the boil. However, keeping up-to-date with security best practice is of utmost importance to any organisation, let alone one with millions of sensitive customer data profiles to keep safe from hackers. Bianca and her team set clear objectives on the path to making their cybersecurity initiatives more robust. They determined that minimising the attack surface area inIAG-developed applications was the priority, and they would approach this through educating developers to identify and fix critical and high-risk vulnerabilities. Lengthy secure coding training courses certainly exist, but they can be laborious, tedious, and take key staff away from development projects with strict delivery timelines, which creates pressure across the business. The need to up skill the dev team quickly, with minimal impact to workload and operations, became apparent. And with developers across Australia andNew Zealand, each working on systems that weren’t necessarily the same, this was no small feat.
“This year, I made a change to our source code which removed an SQL injection vulnerability. For there cognition of this I give credit to Game of Codes. Even just keeping secure coding top of mind is helpful. The competition is a good way to push people to try their best… because let’s face it, security isn’t everyone’s most enjoyable topic, so this is a good way to get people involved.” R, IAG Developer
The implementation
Bianca strategised the rollout of a gamified training experience, working in conjunction with her team and Secure Code Warrior in the implementation of tournaments and training to promote the skills of their in-house developers. For this, it was essential to set up a sound communication strategy, as well as cater to the different motivations and personalities that staff have in adopting an all-new platform and using it to its full potential:
“We designed a communications plan, consisting of how we’re going to communicate to staff and key stakeholders the need-to-know points, key messages and what incentives we’re giving them to respond to as well. Most people really enjoy the gamified experience. It just depends on their personalities, their motivation and what drives them. So, that’s why we try to cater for a whole different range of motivations for people. For some, they love the prizes, for others the achievement aspect itself is enough of a factor,” she said
Bianca and IAG expertly showcased Secure Code Warrior’s gamified learning platform, transforming their tournament into a fun competition experience heralded as the ‘Game of Codes’, with staff placed into medieval-themed houses (complete with branded player merchandise) going head-to-head in a battle worthy of its HBO-produced namesake.
The tournament has even been taken to the international stage, with an upcoming Australia vs New Zealand match-up soon to launch. This gives IAG the chance to identify the leading security champions across both countries, as well as ensuring teams are up-skilling together.
The result
Game of Codes is, in effect, a specialised training program. Its roll-out as an interactive, fun tournament ensured that staff remained engaged in a variety of ways, but the core practicality of the exercise remained: to give developers the skills required to identify and thwart high-risk vulnerabilities in IAG-developed applications.
By ensuring that both developers and security teams are working with a security-first mindset, as well as being equipped to not just identify, but fix vulnerabilities from the beginning, IAG anticipates seeing a reduction in costly penetration testing exercises and strain on the team that carries them out.
In addition to this vital competency continuing to be developed, Game of Codes also aided in relationship building, injecting a sense of camaraderie and friendly competitiveness between involved teams, while also helping individuals feel more confident in their secure coding abilities when seeing them measured in a point-scoring tournament environment.
Bianca stated that the internal support for the program was immense, with a positive reception from the executive suite. This also led to an ambassador program, where individuals keen to promote the program and champion security within the organisation could get involved:
“It has been fantastic exposure for some developers and an excellent promotion of their skills. They’re getting benefit from that in their own jobs as well which is important to see.”
Far from being ‘just a game’, or simply a more pleasant way for department managers to burn through compliance training, Game of Codes offers a high-retention, engaging solution that turns security novices into security champions quickly, which is essential in minimising the risk of a large-scale breach.
And the ultimate advice, from Bianca herself:
“If you roll out any program and expect people to just use it, it's not going to work. You need to design a program around it where you initiate and motivate changed behaviour. What we built was essentially a developer change management program, focused on security.”
“After going through the training sessions on Game of Codes, I find I am more interested in security and thinking about security when creating automation tests.I am a senior tester in an agile team and these training sessions have motivated me to learn more about security testing and think of it as a possible specialisation.” A, IAG Senior Tester
FAST FACTS
- In addition to gamified learning, IAG is also using Secure Code Warrior as a skill-testing tool in developer recruitment.
- They are in the process of rolling the program out to 100% of their development team, with 55% already active in the system.
- They have developed a key set of internal metrics allowing them to measure the success of the program in minimising risk and reducing costs over time.
Table of contents
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.
Deep Dive: Navigating the Critical CUPS Vulnerability in GNU-Linux Systems
Discover the latest security challenges facing Linux users as we explore recent high-severity vulnerabilities in the Common UNIX Printing System (CUPS). Learn how these issues may lead to potential Remote Code Execution (RCE) and what you can do to protect your systems.
Coders Conquer Security: Share & Learn - Cross-Site Scripting (XSS)
Cross-site scripting (XSS) uses the trust of browsers and ignorance of users to steal data, take over accounts, and deface websites; it's a vulnerability that can get very ugly, very quickly. Let's take a look at how XSS works, what damage can be done, and how to prevent it.