Why gamification is the key to leveling up your software security
AppSec managers, CISOs, CIOs, cybersecurity experts - I've spoken to many of them, working in all kinds of companies all over the world - in the course of my own career in software development and security.
No matter how different their situation, how experienced their team, or how much time passes in this ever-changing digital world, there is one problem that always stays the same: They are rarely able to positively engage their dev team on security. Security is still the dirty word, the source of conflict between teams and the downright pain in the backside of the industry.
However, software security is simply too important for our general mindset to continue down this path. We must work to change the conversation, to make security an integral part of every developer's working life. And I think one of the best ways to do this is by empowering and engaging with developers on security through, for example, gamification.
The current landscape
Developers leave university with very little practical knowledge of delivering secure code, and they work in jobs where security training is rarely a priority (and when it is, it is usually part of the mandatory compliance videos around health and safety, which are so dull nobody would ever be moved to care about secure coding). Very often, their first experience with security is an audit or testing bug report that suddenly halts a future release, becoming an instant top-priority disruption of their creative mind. They find themselves at loggerheads with those responsible for security reporting, so "security" becomes synonymous with "criticism" in their mind. Yuck.
It's honestly a real shame that this negative perception of software security is so prevalent. After all, some of the best memories I hold of my career relate to learning about software security. I spent my early hacking days attending conferences, where I would not only get to test my skills (and to be honest, show off a little) against peers, but also have tremendous fun meeting like-minded people who enjoyed breaking software as much as I did.
BruCon, DefCon, BlackHat... these events provided people just like me the ability to engage our skills in friendly competition. While I'd never admit to participating in such antisocial things, some would even showcase their hacking prowess by breaking into the phones of other attendees, displaying their information on the presentation screens for all to see. It became a game, finding these flaws - exploiting and fixing them - in order to make software better. A few years back, I had the privilege to be in front of hundreds of kids in the Middle East, teaching them about cybersecurity. I still remember an eight-year-old girl among my students, who was learning about password brute-forcing and base64 encoding while playing games.
Gamification is used to teach coding skills, too. Educational institutions around the world are utilizing this approach to teach coding to very young children, even up to high school age. Kids as young as four now regularly attend holiday initiatives like CodeCamp, and there is a raft of fantastic online programs that teach kids how to code in Python and other languages. I even bought the amazing screenless coding tool, Cubetto, for my four-year-old daughter.
However, despite all this fun and progress, there's a gap. No-one thought about the possibility of leveraging gamification to train developers how to write secure code.
Well... almost no-one. A few years back, I came to the realization that we needed to make security inspiring again, and really motivate developers to get involved and start playing.
Gamification: The simple way forward.
There is a deep drive inside me to lift up and empower developers with security knowledge, and it is this passion that led me to create Secure Code Warrior. Software security is so important, and it really can be exciting.
I'm not alone in my thinking.
Gamification can make even the most mundane of tasks more fun, and keeps people engaged enough to want to keep playing, winning and making progress - just look at the way Pokémon Go! got even the laziest individual off the couch, outdoors and searching for imaginary creatures, or how FitBit makes it a daily goal for many to hit their step count... a very real sense of disappointment hits if those targets are not met, if streaks are ended and badges not earned.
So, back to security training. We have proven with many clients that gamification is key to really transforming the security culture in their organizations, building bridges between AppSec and dev teams, as well as generally helping them build software of a higher standard.
Right now, security is not the developer's priority. By adding a friendly, competitive, and engaging element to your training methods, you are motivating them to not only "play", but keep returning to earn more points, beat high scores, become more accurate and challenge their fellow team members.
We already know that successful training looks something like this:
- Developers are able to work in real code and in their own languages/frameworks
- Challenges are short and cover all the common security vulnerabilities
- Challenges are constantly expanded and updated so developers can continue to build their skills over time
- Challenges vary in complexity so they are engaging for both senior developers and less experienced ones
- Developers and their managers are able to view progress, including which challenges they have completed, their strengths and weaknesses, the time spent on training and their overall accuracy.
One of our biggest clients showed the true magic of a gamified platform in their rollout, decking out their developers with themed team gear, offering amazing prizes to game winners and really making their tournament a day to remember. They've since offered international competitions, and their whole team is still clocking up serious training hours to this day.
Your own software revolution starts here. The Australian banking industry is leading the way in embracing gamified training in the fight against bad code, in a truly innovative approach that turns traditional (or, boring) training on its head - just check out what our client did with their next-level tournament. Are you ready to Level Up your team with us?
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years' experience as a security consultant and 8 years as a Principal Instructor for SANS, teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), was awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association), and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT and GCIA certifications.