Agile learning platforms: ROI of developer-driven security

In a fast-evolving software landscape developers now bear the responsibility for secure-by-design products. In this joint report from Secure Code Warrior and Accenture, we explore the challenges around traditional security training and the opportunity costs of disrupting developer workflows. Enter an agile learning platform for secure code, which reduces vulnerabilities by half while enhancing productivity. 

In this whitepaper, our experts at Secure Code Warrior and Accenture unpack: 

• How to calculate the ROI of agile learning with factors like licensing, salaries, and remediation time. 
• Learn how Accenture integrates Secure Code Warrior, transforming secure code training and emphasizing the value of developer education.
• Secure Code Warrior users experience a 148% boost in developer productivity, reduced vulnerability counts, and accelerated release cycles, making proactive security financially viable.

‍

What is Devlympics?

Devlympics is an annual global tournament hosted by Secure Code Warrior on its agile learning platform to test the secure code skills of developers.

During the 24-hour tournament, developers from around the world competed in offensive and defensive coding challenges in their choice of programming languages. Developers had the opportunity to compete against their peers across a range of skills and duke it out to gain points and rise to the top of the leaderboard.

In this report, you’ll get an overview of the Devlympics 2023 results, as well as a deep dive into the strengths and opportunities highlighted by hundreds of developers across the challenges played. Plus, we’ve highlighted trends for each industry, language, and common CWEs (Common Weakness Enumerations) tackled by developers to help take your secure code learning to the next level.

What developers say about Devlympics and Secure Code Warrior

“Secure Code Warrior is a great platform to compete with other participants and improve your skills.”

“Secure Code Warrior takes an interactive, code-review like approach” 

“Secure Code Warrior is one of the best platforms that trains you through interesting competition.”

“Exciting, thrilling, and I loved it!” 

Developers love Secure Code Warrior

We surveyed over 200 participants after the event, and the numbers show that developers love the competition.

Developer engagement

Developer participation in Devlympics continues to grow year over year, with over 1000 developers playing in the 2023 tournament. Devlympics attracted attention from across the world, from security professionals and developers across multiple industries and programming disciplines. With double the engagement from last year, we are noting a trend in developers becoming more keen on learning how to code securely. By growing a community of security-skilled developers, Devlympics continues to highlight the value of developers as your first line of defense in protecting your code from vulnerabilities.

‍

Industries present at Devlympics

Secure code is important for all industries, but for some particular sectors, it is absolutely mission-critical. Industries like Banking & Financial Services and Technology held the top spots for the number of developers participating. This showcases the importance of these industries’ continued focus and emphasis on secure code.

‍

Languages played by industry

Different industries utilize a variety of programming languages - of which there were 6 different categories (Web, Mobile, Front-End, API, and Cloud, and Mashup) with over 30 different languages available. These were some of the languages we noted were trending for different industries.

‍

Can’t stop, won’t stop

Players in Devlympics spent on average almost 3 hours on the platform - resulting in a total of 4,152 hours of total gameplay.

Some developers at the very top of the leaderboard took it to the next level. The top 20 players with the most play time averaged 14 hours playing in the tournament. Now that’s dedication!

‍

Full stack developers

In Devlympics, 41% of developers played in at least 2 different languages, with almost a quarter playing in 3+ languages.

According to Stack Overflow, developers who commit production code in 2 or more languages are considered full stack developers.

Does your training program ensure developers are trained in all the technologies they commit code in? With over 63 different languages and frameworks offered, the Secure Code Warrior platform has got you covered.

‍

‍

Tech stack trends

Secure code is of prime importance in code that is publicly accessible.

Across all industries, developers played using Web or API languages.

Java Spring and Docker Basic took the top spots as the most played individual languages in the tournament.

‍

‍

‍

Community of security champions

The best of the best competed in this year’s Devlympics - the majority of whom are already Secure Code Warrior customers - and the results reflect this! Across all industries, Devlympics players performed much better than the industry benchmark Secure Code Warrior has noted for Assessments on its platform.

As we continue to build our community of dedicated developer security champions on the Secure Code Warrior platform, we expect these numbers to keep getting more promising every year!

Key vulnerabilities - Web & API

Developers who participated in Devlympics exhibited good skill levels in the OWASP Top 10 categories for Injection Flaws and Vulnerable Third-Party Components. We are optimistic that we will eventually see these vulnerabilities drop from the OWASP Top 10 lists over time.

Mass Assignment is still a major issue. Developer skill level was one of the lower for this particular vulnerability. Given the lack of automated tooling and testing in this space, this is a real cause of concern and should be closely monitored. More education in this space will also help alleviate pressure from security teams dealing with this particular vulnerability.

‍

‍

CWE top 25 most dangerous software weaknesses

Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list provides developers with an annual list of the most common and impactful software weaknesses today.

#1 CWE-787 Memory Corruption, #9 CWE-352 Cross-site Request Forgery, and #10 CWE-434 File Upload were lowest accuracy scores during Devlympics. 

Injection-related vulnerabilities such as #3 SWE-89 SQL Injection, #5 CWE-78 OS Command Injection, and #8 CWE-22 Path Traversal were some of the best-scoring CWEs during Devlympics. We expect these vulnerabilities to lower in the pecking order out of the industry lists like the CWE Top 25 or OWASP Top 10 as developers’ skills improve.

‍

Weakness in order

‍

Conclusion

The 2023 Devlympics demonstrates that developers around the world engage and learn while participating in the tournament. The impact will be felt beyond just the pride they feel from competing, but the real-world scenarios make it easy to retain their knowledge and go from practice to application.

Secure Code Warrior is the industry-leading secure code agile learning platform that empowers developers to build the skills they need to write secure code.

With Secure Code Warrior, you can run your own tournament like Devlympics for your development teams. Bring your team together for a fun, gamified competition where they will learn all about locating, identifying, and fixing software vulnerabilities.

‍

Join the growing community

Our vision is to inspire a global community of security-skilled developers to embrace a preventative, secure coding culture. Our focus is to strengthen security resilience by minimizing the occurrence of attacks, threats, and risks, so that you can drive change, innovate, and accelerate. We believe that coaching and mentoring is an integral part of joining our developer community!

Register for Devlympics 2024 and follow us on X to stay up to date on all announcements.

‍

‍

TL;DR

Sage is a British multinational enterprise software company that provides businesses with software and services that are simple and easy to use for Payroll, HR, and Finance. As of 2017, it is the UK's second largest technology company, the world's third-largest supplier of enterprise resource planning software, and the largest supplier to small businesses - with over 6 million customers worldwide.

Situation 

Before working with Secure Code Warrior, Sage began outlining their Security Champion Network for approximately 10 years. Despite the robust network of security-focused developers, training was sporadic and not structured to focus on risk reduction. 

Sage recognized that it was important to spend time building relationships and embedding security over a period of time with a flexible approach. Sage’s program tied its goals to risk reduction and the material impact of that program. When piloting the program with certain business units, they focused on how to measure risk reduction and replay it back to the business to win developer and senior leadership’s buy-in. 

Action

Mads Howard, People-Centered Security Lead at Sage, worked with developers to understand the personas of security champions. She met with developers in each business unit and conducted interviews with them to understand what motivates them, how they like to learn, and what limitations they see in their work. She and her team worked to build relationships with developers and their team leads, and emphasized the importance of being flexible in their approach.

Mads emphasizes a relationship building approach,

“We spent a lot of time building relationships with dev. team leaders, engineering team leaders, and product managers- the people that control the time spent on education during sprint cycles.”

According to Mads, it also boiled down to scaling out their security champions network,

“The security champion network has been seen as a key control of that program. So in order for products to move through this program, we had to really take seriously the role of having somebody as a security champion and also provide them with solid security training.” 

The Global Security Teams goal at Sage was to implement a Security Control Program that took into consideration the learning needs of developers in a complex technology environment and choose a partner that worked alongside their existing security tooling to aid in vulnerability management. 

It was important that education was seen as an important aspect of a mature security control program. They focused on measuring risk reduction through: 

• Risk Score Improvement
• Vulnerability Age Reduction in vulnerability backlog
• Resolution Time
• No closed vulnerabilities v. open vulnerabilities
• Number of issues per line of Sage written code (not third party)

For Mads,

"The next phase for Sage as a business is to demonstrate that upskilling through a secure coding program that is embedded in developer workflows delivers measurable risk reduction."

Results

Mads emphasized the importance of the partnership and guidance Secure Code Warrior provided her and her team,

“I honestly would say that we would not have been able to get this far and build out a kind of a program that has this level of maturity in terms of different layers or dev team across different technologies without the support of Secure Code Warrior.” 

Once Mads and her team completed their interviews and won developer buy-in, she began to implement Secure Code Warrior to be part of a wider security culture program. 

The results, according to Mads, is,

“Sage has 200 plus security champions now enrolled in the program, and if a security champion is dedicating 3.5 hours a week (or 10% of their time) to skills building, they can advocate for a secure coding program, they can advocate for continuous training, and they can advocate for the value it gives them.” 

With senior leader buy-in and measurable goals around risk reduction - Mads was able to begin to measure success around not only the number of people on a platform and the hours played, but time to fix vulnerabilities, vulnerability age, and then comparing with the new features that have been built for customers to give a holistic viewpoint on vulnerability reduction. For one team the impact felt was enormous - with an 82% reduction in mean time to fix a vulnerability. 

However, what mattered more, Howard added, was the unquantifiable - the engagement, the commitment, and the willingness of teams to be involved in the program.

Key Takeaways

The Sage experience underlines the relevance of well-planned and executed security training, the importance of a flexible, integrated approach - a lesson worth learning for any organization aiming for a robust, secure coding program. According to Mads, it’s important to remember that working with developers, not against them, is the key to implementing a successful security control program and embedding security into the company’s culture. 

• Creating a Security Culture doesn’t happen overnight. It’s important to spend time building relationships and embedding security over a period of time, and dedicating resources to do so. 
• Tie everything back to risk reduction and focus on what the material impact is of a secure coding program.
• Focus on how you can measure that risk reduction to replay it back to the business so the program is seen as impactful and successful by both developers and senior leadership alike. 

For developers looking to be security champions, she and her team also offered this advice: 

• Build a network around you of people who are interested in security and get involved in conferences and talks. Spend time learning about the topics that interest you. 
• Keep in mind an organization’s culture isn’t going to change overnight, and it will take time to develop and mature. 

‍

Video transcript

Traditional secure code education makes your developers yawn. Right?

With secure code warriors agile learning approach, developers learn quick with short micro bursts of highly relevant just in time education.

Coding labs, our simulated IDE learning experience, changes the game With coding labs, your developers learn by doing within a fully interactive IDE environment that runs in browser.

Developers write code and fix real world vulnerabilities.

Coding labs automatically prompts them with real time contextual feedback, they needed. This practical learning approach inside the simulated IDE keeps them engaged and is much more relevant to their daily work. The result measurable productivity gains in terms of reducing risk, avoiding costly rework, and fixing vulnerabilities faster.

Coding labs is significantly different to other security education options. It doesn't require developers to spin up new virtual machines.

It provides hands on education with the UI that developers know and love.

It moves the developers forward with suggested code snippets and step by step answers tailored to address the developer's mistakes.

And it saves developers from ineffective classroom and compliance oriented occasion. That's why secure code warrior customers see two to three times measurable productivity gains in terms of reducing risk, avoiding costly rework, and fixing vulnerabilities, faster.

Book a demo to see coding labs in action today.

‍

Video transcript

Keeping your application secure gets harder and more expensive every day. Security breaches are more prevalent and costlier than ever before, regulatory compliance continues to be complex, and the traditional approach to secure code learning fails to engage your developers or reduce your risk profile.

Secure code warrior is the agile learning platform for secure code education with the industry's deepest, most up to date security content.

Just as agile delivery practices revolutionized software development by breaking work into small layered sprints, Secure code warrior incorporates agile learning principles into secure code education so developers can internalize and use new skills faster.

Our platform delivers microbursts of learning content directly embedded in the developer's workflow.

Learning experiences are integrated inside the developer's developers toolkit right at the point of need inside GitHub, Jira, and more.

Using an agile learning approach, SCW offers developers multiple learning pathway whether it be through instructional guidelines, video, hands on challenges, or in our in browser ID E learning experience coding labs. Interactive tournaments and leaderboards build excitement and engagement in the developer community, promoting a security first learning culture, With secure code warrior and our agile learning approach, your developers will internalize new skills faster and more effective because they learn by doing in the context of real everyday work within the dev tools they already use every day, with out interrupting their flow.

That's why secure code warrior customers see two to three times business gains across multiple dimensions.

Secure code warrior is the leader in secure code education and the only platform built on agile learning principles. Book a demo and learn more today.

Background

Netskope, a global SASE leader, helps organizations apply zero trust principles and AI/ML innovations to protect data and defend against cyber threats. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements.

Situation

The speed of innovation in cloud computing and A.I. has greatly accelerated the software development lifecycle. James Robinson - CISO at Netskope - recognized that the way of doing training for developers by meeting compliance objectives with videos about secure development in only a handful of languages was not sustainable in today’s market. Their rapid adoption and rapid change in his organization created a challenge in keeping Netskope developers up to speed on new languages and technologies, but also keeping them skilled at security.

Netskope attempted to create more custom connections to broaden the languages and coverage developers received, but the engagement was still very low and soon, the training began to challenge to productivity. James wanted to shift their approach so that developers were excited about the subject through more hands-on learning approaches.

Action

Training that was done annually, or available ad-hoc, didn’t holistically address the variety of SAST Tools, infrastructure as code scanners, and could be integrated into the CI and CD security steps at Netskope. Netskope needed to be able to integrate developers’ participation in security into the analysis and testing process. That provided a baseline for secure development education that supplemented their compliance requirements.

Shift left

As Netskope began discussing “shift left”, it begged the question - what does shift left actually mean? How far does one need to shift? Leadership made the decision to change the name internally to “self-service adoption”. What this did, in principle, was empower developers to be proactive about their secure code education. In working with Secure Code Warrior, they built a program that made security content visible and accessible to developers so they wouldn’t wander to unvetted solutions.

Actionability and value

The customizable content and a myriad of hands-on learning activities from Secure Code Warrior also opened the floor for more open, productive conversations between security and developer teams. When developers began realizing value, outside of just achieving compliance, they became more engaged and intrigued about security. It also opened up the opportunity to look at critical and recurring vulnerabilities in order to create more educational content to supplement their program.

Results

After rolling out their program, Netskope was diligent in collecting feedback from developers to ensure they were getting the most value from the platform. The results were overwhelmingly positive.

According to James Robinson, CISO at Netskope:

Our developer team, thanks in large part to Secure Code Warrior’s platform, has successfully shifted left by embracing a more enticing, self-service learning approach that gets learning pathways into the developers’ hands sooner. More importantly, we feel we’re getting a better return on investment with our developer educational training efforts because of higher participation and the fact that these efforts no longer feel like they’re a check-the-box, compliance mandated activity. The byproduct of all of this is that we’re enabling our developers to be security champions.”

Key takeaways

• ‍Organizations that do not invest in a strong application security team allow for more risk to be introduced through their code. This ultimately wastes both time and money fixing vulnerabilities and addressing security issues.‍
• Take advantage of a program that helps save time with just a couple of key-learnings every month through relevant content, rather than a hour-long compliance oriented annual training. The time saved through educating developers will manifest in the reduction of rework needed to fix vulnerabilities that shouldn’t have been introduced in the first place.‍
• There is a new mandate to code cloud solutions at scale. Years ago, there was an expectation to get developers fully invested in securing code through one programming language. That is no longer the case in today’s high-tech marketplace. You need to pick multiple languages that align best to the cloud infrastructure and applications a company wants to build out and pursue.

Situation

Before Workday implemented agile learning with Secure Code Warrior, they were utilizing in-house courses that comprised of recordings of PowerPoint presentations that covered OWASP top 10 vulnerabilities with some pseudocode examples. Alex Uda, Program Manager for security developer training, realized this wasn’t helping his team and the security team at large to achieve their goals of improving Workday’s overall security posture. Because developers were quickly becoming unengaged in their training, they decided to begin soliciting their feedback and noted that there were two items that continued to come up:

1. The need for more hands-on type of training 
2. The need for more language-specific content
   

Action 

In working with developers, Alex and his team identified two main priorities in winning developer buy-in to create an engaging, successful secure code learning program.

Clarity and simplicity 

Most developers do not arrive at their jobs with knowledge of security. Anything that is frustrating or time-consuming will lead developers to stray towards workarounds and hacks. What Workday noted about SCW is that it allowed developers to have a clear sense of the process, own it, and integrate it into their workflows.

Actionability and value 

Developers, first and foremost, want to be able to action something that is affecting the codebase/lifecycle, and action it fast. To do so, developers need to be educated on how to do so. If you want a developer to be interested in something like security, highlighting the value of these topics.

In terms of structuring the program, Alex and his team first gathered feedback on the platform from a pilot group of security champions and worked with their customer success manager to implement their suggestions. Alex and the team then looked at their SAST tools and different metrics on the number of incidents and security events to assess what the highest risks are in their current environment, and what is happening across the industry. They initially focused on the OWASP top 10 and the most common, high-risk vulnerabilities at Workday
‍

“By giving developers that learning and that agency, SCW made it so that we were able to make active improvements to our software security. It’s not all about writing code, it’s also about growth opportunities and career opportunities. Workday’s support for the security program exists because it’s an area where the entire company is aligned, so developers were allowed that time for learning and development. Taking two hours a week to do some learning over a period of time helps to build that muscle memory with consistency.”
‍

Results

Traditionally, it’s easy to think of security at the end stage of the development process. Working with the security team, developers at Workday now see security as an important component of the development cycle. They can action security items quickly and earlier in the SDLC, which has been the biggest impact of that program. For one team based in Dublin, their developers went from 4662 security issues - which averaged almost 31.08 issues a day - down to 0 in a period of around 18 months.

Alex described the growth of the program as, “a snowball effect after we began with top-of-mind security champions. As we socialized the program and its benefits to leadership and continued to increase our membership we saw almost a natural growth due to word of mouth. From a training perspective, our goal is to give our developers the necessary skills to develop code securely. This is especially critical as Workday continues to grow."

Key takeaways

According to Alex, “In order to successfully scale security it’s imperative that our developers have a security mindset to help identify security risks during the design phase of their software development. This fits in our shift left initiative to empower our developers to help save time, money, and some heartache. The better job we do in secure code learning, the fewer vulnerabilities we see from our scans and pentest results.”

For developers, it’s important to have fun when learning about security 
SCW is great at showing how exciting it can be. If you are getting involved in security learning, embrace it fully. Consider it as a part of your development process and a part of your career growth.

‍Encourage developers to reach out to the team if they are curious about security
Have a conversation, and start that collaboration.‍

Security as a black box or as a bolt-on to your project is archaic and ultimately does a disservice to your software
Embracing security as part of the development process - the same way we embrace TDD, agile, and linting - will improve the flow and increase the quality of software being delivered to customers.

‍

Compliance is a result of good security, not vice versa. If developers are actively learning and applying the concepts to their daily work - security will grow holistically within the culture of the company.

Learn how Netskope leveraged the flexibility of Secure Code Warrior’s content and interactive, hands-on approach to learning to create a programmatic approach to developer-driven security, while also meeting compliance requirements for their industry.

To kick off Cybersecurity awareness month, this webinar will cover:

• Netskope’s key business drivers and how they built a business case for SCW and agile secure code learning
• What actions were taken to get the program off the ground, and what were their goals
• How to partner with developers and measure their engagement as a success factor
• How Netskope’s Warrior program doubled participation in SCW's training over two years

The concept of “shifting left” has been part of the cybersecurity industry discourse since the early 2000s. First rising to prominence as part of evolving Agile, followed by DevOps, development methodologies, the looming threat of large-scale cyberattacks necessitated a defense strategy as the world’s digital footprint grew.

Still, approaching twenty years after the “shift left” movement promised to revolutionize secure software delivery, we still face a deluge of insecure code, low levels of organizational security awareness, and subsequent cybercrime that escalates in volume and potency year-on-year. By 2025, it is estimated that cyberattacks will cost the world $10.5 trillion USD annually.

An ever-widening cybersecurity skills chasm has ensured we have been low on experienced security personnel for quite some time, and despite being a critical pain point for most security leaders and CISOs, we simply cannot afford to wait patiently for a miracle change in circumstance. The current approach is flawed, and we need to revitalize and utilize the resources we have right in front of us, and truly, relief is possible in the form of security-skilled developers.

In this white paper, security expert and Secure Code Warrior CTO & Co-Founder Matias Madou, Ph.D. will discuss:

• The six pillars you need to roll out effective security education and enablement for your development cohort.
• Lessons learned from ten executives implementing security programs at the enterprise level.
• Common pitfalls to avoid on your road to success.

‍