Fixing security-related issues in code is a different kind of problem solving, and we often see developers introducing more problems as they try to fix these issues. I understand this because I was once one of those developers.
When I started to learn how to write functional code, I was asked to write a form that accepts user input. So, I made a form that accepts user input. I later learned that it was not enough for the code to be functional; it also needed to be secure, for example by validating the user input. Learning this, and learning about the attacks that become possible without that kind of validation, is what got me thinking about security as a developer. I learned that I didn’t always need to reinvent the wheel, and that I could instead rely on the best practices, approaches, and code from the people and communities that came before me.
It’s because of my own experiences, and helping others through my work on the GitHub Security Lab team, that I created the Secure Code Game. This hands-on secure coding training is now generally available for all GitHub users via GitHub Skills. The Secure Code Game is perfect for developers and students getting started in their coding careers, or anyone who wants to sharpen their secure-coding abilities.
The game assumes a beginner or intermediate level of knowledge, and gets more challenging as you complete each level. To meet the needs of open source developers and start with two of the most popular languages, the game currently supports learning for Python and C. As you complete the game and provide us with feedback, we’ll be able to understand where to take the game next. We are already planning to welcome community contributions for creating new levels in the future.
The art of secure code
It’s fairly common knowledge that there is a training gap when it comes to secure coding, and there are a few reasons for this. One is that secure code education is not typically a requirement of computer science degrees, even if it is strongly encouraged by some colleges and universities. Another reason is that there may not be enough emphasis on secure coding practices and training within organizations, so developers do not prioritize security while developing code. A third reason is the rapidly evolving threat landscape, with new vulnerabilities constantly being discovered. Staying up to date on the latest threats and best practices can be tricky.
Yes, there is the argument that developers don’t necessarily find secure coding all that interesting. Writing code keeps them creative, and fixing security issues in functional code feels like being stuck in the same place without making progress. There’s something inherently satisfying about writing functional code that performs well and solves a problem within the project they are working on or for the products that their organization sells.
However, I would like to offer a perception shift: you cannot have quality code without having secure code, and writing secure code is a different form of problem solving. Hackers and security researchers see themselves as creatives who find problems in code, because it takes creative thinking and experimenting to find an issue, exploit it, and understand the impact. Sure, there are hackers with malicious intent, but there are many who view themselves as bringing the art, your code, to the next level. As developers, if we want to ensure that we are shipping high-quality code, we must also learn the basics of the art of secure code.
Gamification for a secure code mindset
Learning secure coding basics isn’t about perfection, but about building an awareness mindset when it comes to reviewing your code for security issues or bugs. GitHub’s hands-on Secure Code Game is purpose-built to help you do just that. It empowers you to learn secure code best practices and theories, and put them into practice while you learn.
Through the game, we provide you with intentionally vulnerable code and ask you to find and fix the problem within it. You can check your fix by running the code to confirm that it still works correctly, but now safely. From there, you can assess your fix against the exploits baked into the vulnerable code. If the pre-written vulnerabilities can no longer be exploited, you are ready to move to the next level. The levels become more difficult to complete as the game progresses. We recommend that you use an application security testing tool like CodeQL to find all of the vulnerabilities in later stages of the game and receive helpful hints on where those problems are and how to fix them.
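The loop just described (fix the code, check it still works, then check the baked-in exploit is closed) and the form-validation lesson from the opening section can be shown together in a small Python example. This is an added illustration, not a level from the Secure Code Game and not GitHub's code: the form fields, the profile directory, the sample submissions and the `run_level_checks` harness are all constructed for this example.

```python
"""
Added example, not code from the Secure Code Game or GitHub: a small form handler
in an intentionally vulnerable form and a hardened form, plus the checks a level
in the game asks for: run the fix to confirm it still works, then confirm the
baked-in exploit no longer works. The field names, the profile directory and the
sample submissions are constructed for this example.
"""
import posixpath
import re
from pathlib import PurePosixPath

PROFILE_DIR = PurePosixPath("/srv/app/profiles")   # assumed storage location

# Constructed submissions: one legitimate, one that plays the role of the
# level's baked-in exploit and shows what missing validation allows.
VALID_FORM = {"username": "alice_1", "age": "30"}
MALICIOUS_FORM = {"username": "../../etc/passwd", "age": "30"}


# --- level start: functional, but trusts the form fields ----------------------
def profile_path_vulnerable(form: dict) -> PurePosixPath:
    """Build the storage path straight from the submitted username (no validation)."""
    return PROFILE_DIR / f"{form['username']}.txt"


# --- the fix: validate every field before it is used --------------------------
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")   # allowlist, applied with fullmatch


class InvalidInput(ValueError):
    """Raised for any submission that fails validation."""


def validate_profile_form(form: dict) -> dict:
    """Return a cleaned copy of the form, or raise InvalidInput."""
    username = str(form.get("username", ""))
    if not USERNAME_RE.fullmatch(username):
        raise InvalidInput("username must be 3-32 characters of [A-Za-z0-9_]")
    try:
        age = int(str(form.get("age", "")))
    except ValueError:
        raise InvalidInput("age must be an integer") from None
    if not 0 <= age <= 150:
        raise InvalidInput("age out of range")
    return {"username": username, "age": age}


def escapes_base(path: PurePosixPath, base: PurePosixPath) -> bool:
    """True when the normalised path lies outside base; this is the exploit check."""
    norm = posixpath.normpath(str(path))
    base_norm = posixpath.normpath(str(base))
    return posixpath.commonpath([norm, base_norm]) != base_norm


def profile_path_fixed(form: dict) -> PurePosixPath:
    """Validate first, then build the path; keep a second check as defence in depth."""
    clean = validate_profile_form(form)
    path = PROFILE_DIR / f"{clean['username']}.txt"
    if escapes_base(path, PROFILE_DIR):
        raise InvalidInput("resolved path leaves the profile directory")
    return path


def run_level_checks() -> dict:
    """Mirror the game's loop: does the fix still work, and is the exploit closed?"""
    results = {}
    # 1. Functional: a legitimate submission yields the same path before and after the fix.
    results["still_functional"] = (
        profile_path_fixed(VALID_FORM) == profile_path_vulnerable(VALID_FORM)
    )
    # 2. The exploit really does work against the original code (otherwise the level is moot).
    results["vulnerable_escapes"] = escapes_base(
        profile_path_vulnerable(MALICIOUS_FORM), PROFILE_DIR
    )
    # 3. The fixed code rejects the same submission outright.
    try:
        profile_path_fixed(MALICIOUS_FORM)
        results["fixed_rejects"] = False
    except InvalidInput:
        results["fixed_rejects"] = True
    return results


if __name__ == "__main__":
    for name, passed in run_level_checks().items():
        print(f"{name}: {'pass' if passed else 'FAIL'}")
```

Running the file prints `pass` for all three checks. The same three questions are what a level's tests ask: the fix must not break legitimate use, the original must genuinely be exploitable, and the fix must close the hole. Note that the fix rejects bad input before it reaches the path logic rather than trying to clean it up afterwards; the extra `escapes_base` check in `profile_path_fixed` only exists so that a later change to the allowlist cannot silently reopen the issue.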
To get started with the Secure Code Game, open it within GitHub Skills. If you’re interested in contributing to the game, I’d love to hear from you.