If you ask the average developer, "What is SQL injection and how can you prevent it?" or “What are the current OWASP Top 10 critical web application security risks?” you will probably get a blank stare in return. Developers today have little to no training on how to code web applications securely. At best, they may have taken a single class while in college or picked up ad-hoc secure coding practices from their organization or dev lead. Training developers on how to code securely is sorely lacking at a time when web applications are increasingly under attack from bad actors.
To be frank, most developers are paid to create new features and functionality to meet business needs—security is often an afterthought. Sure, no developer wants to be the person who accidentally creates the next Target breach, but the risk of exploits is usually not top-of-mind.
That's where Checkmarx Codebashing can help. It offers just-in-time, targeted lessons that cover exactly what developers need to know, when they need to know it. Each lesson takes five to eight minutes to complete and can be accessed from the developer's IDE of choice (i.e., Eclipse, JetBrains IntelliJ, Visual Studio, and Visual Studio Code). How many times have you found yourself watching a one-hour training video, and then about 10 minutes into it, you are already checking your email and getting distracted? I am guilty as charged!
A key differentiator for Codebashing, relative to other forms of developer training, is we can pinpoint specific lessons relevant to security vulnerabilities found within a code scan, which removes the “abstraction” aspect and underscores to the developer that “this is a vulnerability we found in your code, and here is a short lesson on how you can fix it and prevent it in future code.” No more watching endless videos or webinars on training that may or may not apply to your specific security issue. The training provided in Codebashing helps developers apply their newly trained skills not just to the vulnerability at hand, but also future coding vulnerabilities, which is a major goal for any AppSec training program.
Let's take a deeper dive into Codebashing and see how it can help developers create secure code.
Figure 1 shows an Eclipse IDE using the Checkmarx plugin. The project highlighted (JavaVulnerableLab) is a standard Java-based project with Checkmarx scan results retrieved in the IDE.
The Checkmarx scan has uncovered 263 Static Application Security Testing (SAST) vulnerabilities, with 123 of those in the High category. In this instance, we are looking at a Reflected XSS All Clients vulnerability found in the xpath_login.jsp file on line 9, as seen in the source code in the upper middle window.
In the lower middle window of Figure 1, highlighted by the red circle, is a link to the Checkmarx Codebashing site. No need for your developers to visit a separate website for training, they can access the training directly within the IDE. This allows developer education and training to embed in the existing developer workflow so it can start even earlier in the software development life cycle (SDLC).
Clicking on the Codebashing link takes you to the Checkmarx Codebashing site shown in Figure 2.
Checkmarx Codebashing provides developer-focused lessons that allow developers to identify and resolve vulnerabilities and security concerns in an environment that simulates the real world. In this case, a course on DOM Cross Site Scripting is presented. Our friends Alice and Bob (click to here to see a fascinating story on the history of this famous couple) will demonstrate how to prevent this type of attack.
Click the “Let’s Play” button to see what’s next!
Figure 3 shows the start of the Codebashing lesson for DOM Cross Site Scripting. As seen on the left, this lesson has 10 interactive steps for the developer to perform. It’s presented in the programming language the developer was using in their IDE (in this case Java, as seen by the red circle in Figure 3), making the training more practical and useful.
One of the unique differentiators of Codebashing is that developers interact with the lessons themselves rather than just watch a pre-recorded video, which reinforces the concepts and ideas behind the lessons. Many traditional training sites have endless videos that users are forced to watch with little to no interaction. These videos can be skipped through (not that I have ever done that of course) and not much is taken from them as they do not engage critical thinking. In contrast, in step 4 of the Codebashing lesson (as seen in Video 1), the user will interact with the video which captures their attention and ensures a better learning environment.
As the user progresses through the lesson, there is a clear path as to what they are supposed to do. Here’s a capture of step 7 showing actual code and the results of malicious input.
Finally, the last step of the lesson shows remediation steps and recommendations to ensure this type of vulnerability isn’t introduced into code in the future, as seen in Figure 5.
At the end of each lesson, there is a “Test Your Knowledge” page with a short one- to two-question quiz, referenced in Figure 6. This quiz also provides challenge points for correct answers that apply to tournaments set up by your Codebashing Administrator. Getting the question right on the first try is always a winner!
The last page in each lesson is a key takeaways page with a comprehensive summary. It provides an overview of the lesson and how to prevent the specific coding vulnerability. It also offers further lessons on additional topics.
In summary, Checkmarx Codebashing is a fun and interactive way to offer developers just-in-time, interactive training on secure coding practices. By implementing a developer education program such as Codebashing—as opposed to Stackoverflow or Google searches—we expect your organization to see a significant increase in productivity.
Ready to give Codebashing a try?
Request a demo, today.