Secure Coding Dojo
Making Software Security Training Fun
GLOBAL APPSEC DC
About me
Paul Ionescu (@pentesq)
• Security Architect and R&D Security Leader at Trend Micro
• Passionate about software security
• OWASP Ottawa Chapter Co-Lead
• OWASP Secure Coding Dojo Project Lead
OWASP GLOBAL APPSEC - DC
Why Does Software Security Training Matter?
• Awareness: get development on your side
• Prevention: works before the code is written
• Coverage: empower development teams to conduct security activities themselves
• Visibility: you can't know everything that is being built, but your development advocates will let you know when they need your help
• Software security training is the first and most important step in the AppSec journey
Quiz Time!
The 3 ways of DevOps are: Systems Thinking, Amplify Feedback Loops
and _____________
a) Implement A/B Testing
b) Site Reliability Engineering
c) Integrated Project Management
d) Culture of Continual Experimentation and Learning
Software Security Learning is
fundamental to the 3rd Way of
DevSecOps
Challenges Teaching Software Security
• Presentations can be boring, and the information does not persist after the training is over
• What if someone was sick and missed the SQL Injection training? Will they really watch the recording? How about new hires? How about remote teams?
• Do you ever find yourself drifting into your e-mail while watching a recording?
• Engaging presenters can be very effective, but not all security people are engaging presenters
• Difficult to collect metrics and understand organization coverage from a presentation
[Slide image: a presenter droning "Cross-Site Scripting is … bla bla bla …", "SQL Injection …"; photo credit Robin Higgins / pixabay]
Gamification of Training
• Developers love puzzles and games
• Games stimulate the mind, removing boredom
• Competitions drive increased adoption
• Learn by doing. If the participants conduct a Cross-Site Scripting attack, they understand it better.
[Slide image: "Can you find the Cross-Site Scripting in this code?"; photo credit Robin Higgins / pixabay]
Can you find the Cross-Site Scripting?
Taken from one of the Dojo challenges
Capture the Flag
• Capture the Flag (CTF): events where security professionals prove their skills by hacking vulnerable systems
• OWASP vulnerable software/CTF projects: DevSlop, Juice Shop, Security Shepherd, WebGoat
• CTFs are great for AppSec professionals and pen-testers, but not a good fit for development
• Developers who enjoy CTFs: fewer than 30% of the organization
• In some CTFs not everyone gets the same experience: participants join teams and each member picks a different challenge
• CTFs focus on challenge difficulty, not on teaching concepts. A CTF may have 10 challenges, but they are three XSS levels, four authentication levels and three more injection levels; that does not cover all software security flaws
Requirements
• Provide detailed information about software weaknesses, attacks and defenses
• Practice the attacks just like in a CTF challenge, but the attacks would be easy to conduct
• No special tools needed, only a browser
• Comprehensive training curriculum based on the SANS Top 25 and OWASP Top 10
• Self-paced: complete one lesson at a time, based on availability
• Always available: new developers joining the team could take the training as an on-boarding activity
• Leaderboard: the training would be a game, with multiple levels, awards and badges
Welcome to Secure Coding School!
• Inspired by karate
• Started in 2017
• Open Source, Apache 2 License
• 3 different learning modules:
  • Black Belt (2017)
  • Second Degree Black Belt (2018)
  • Security Code Review Master (2019)
• 34 lessons
Training Material
• Black Belt
  • This module is based on the SANS Top 25 Most Dangerous Software Flaws. Lessons are entry-level difficulty, aimed at introducing the concepts of vulnerability, exploit and software defense.
• Second Degree Black Belt
  • CTF-like module, based on the OWASP Top 10 (2017). Participants take down the cloud applications used in a worldwide malware campaign.
• Security Code Review Master
  • Developers learn to apply security elements to code review.
Training Syllabus – Black Belt ([Link])
Challenge Name | SANS 25 CWE(s) | OWASP Top 10 2017 | PCI-DSS Req. 6
Yellow Belt: Missing Authentication for Critical Function | CWE 306 | A2 | 6.5.10, 6.5.8
Yellow Belt: Reliance on Untrusted Inputs in a Security Decision | CWE 807 | A2; A5 | 6.5.10, 6.5.8
Yellow Belt: Missing Authorization | CWE 862 | A5 | 6.5.10
Orange Belt: Missing Encryption of Sensitive Data | CWE 311 | A3 | 6.5.3, 6.5.4
Orange Belt: Use of a Broken or Risky Cryptographic Algorithm | CWE 327 | A3 | 6.5.3, 6.5.4
Orange Belt: Use of a One-Way Hash without a Salt | CWE 759 | A3 | 6.5.3, 6.5.4
Green Belt: Password Guessing Attack | CWE 307; CWE 798 | A2 | 6.5.10
Green Belt: Integer Overflow or Wraparound | CWE 190 | N/A | N/A
Green Belt: Download of Code Without Integrity Check | CWE 494 | N/A | N/A
Purple Belt: URL Redirection to Untrusted Site ('Open Redirect') | CWE 601 | N/A | N/A
Purple Belt: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') and related flaws | CWE 79; CWE 829 | A7 | 6.5.7
Purple Belt: Cross-Site Request Forgery (CSRF) | CWE 352 | N/A | 6.5.9
Blue Belt: Unrestricted Upload of File with Dangerous Type | CWE 434 | N/A | 6.5.8
Blue Belt: Improper Restriction of XML External Entity Reference ('XXE') | CWE 611 | A4 | 6.5.1
Blue Belt: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CWE 22 | A5 | 6.5.8
Brown Belt: Incorrect Authorization | CWE 863 | A5 | 6.5.4
Brown Belt: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') and related flaws | CWE 78; CWE 250; CWE 732 | A1 | 6.5.1
Brown Belt: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | CWE 89 | A1 | 6.5.1, 6.5.5
Black Belt: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') and related flaws | CWE 120; CWE 676 | N/A | 6.5.2
Black Belt: Use of Externally-Controlled Format String | CWE 134 | N/A | N/A
Black Belt: Quiz | All of the above | All of the above | All of the above
Demo - Lesson Experience
Black Belt – Buffer Overflow Challenge
Training Syllabus – 2nd Degree Black Belt (Hacker's Den)
Challenge Name | SANS 25 CWE(s) | OWASP Top 10 2017 | PCI-DSS Req. 6
Security Misconfiguration | N/A | A6 | N/A
Sensitive Data Exposure | CWE 311; CWE 327; CWE 759 | A3 | 6.5.3, 6.5.4
Broken Authentication & Broken Access Control | CWE 306; CWE 862 | A2; A5 | 6.5.10, 6.5.8
Cross-Site Scripting | CWE 79 | A7 | 6.5.7
Injection | CWE 78 | A1 | 6.5.1
XML External Entities | CWE 611 | A4 | 6.5.1
Using Components with Known Vulnerabilities & Insecure Deserialization | CWE 502 | A8; A9 | 6.5.1
Training Syllabus – Security Code Review Master
Challenge Name | SANS 25 CWE(s) | OWASP Top 10 2017 | PCI-DSS Req. 6
Input Validation | Various | Various | Various
Parameterized Statements | CWE 78; CWE 89 | A1 | 6.5.1
Memory Best Practices | CWE 120; CWE 131; CWE 193; CWE 134 | N/A | 6.5.2
Protecting Data | CWE 311; CWE 312; CWE 759; CWE 319; CWE 327 | A3 | 6.5.3, 6.5.4
Preventing Cross-Site Scripting | CWE 79 | A7 | 6.5.7
Indirect Object References | CWE 22; CWE 601 | A5 | 6.5.8
Demo - Lesson Experience
Security Code Review Master – Memory Best Practices
Managing Security Training for a Large Org.
• Authentication with LDAP/SAML
  • The Dojo integrates with ADFS SAML, LDAP, Slack Auth and Google Auth
• Dashboards and metrics
  • Team stats and overall organization stats
• Reports
  • Generate completion status reports based on a CSV
Demo – Teams and Reports
Running the Secure Coding Dojo
• Really easy with Docker. Docker images are published under: [Link]
• Quick setup (DATA_DIR is the host directory the containers use for persistent data; no spaces around the = in a shell assignment):
    git clone [Link]
    export DATA_DIR=~/dojofiles
    docker-compose up
• Production config, building your own VM and more on the project wiki: [Link]
Secure Coding Dojo Deployment
Internal Network:
• Training Portal: Node JS (port 8081) with a MySQL database, SSO via ADFS; runs on a secure host
• Training Sites: Java (port 8080); separate host and network
Outside the internal network:
• Hacker's Den: API Gateway, Lambda, EC2 ([Link]); separate network
• Security Code Review 101: static site hosted from the GitHub repo
Future Plans
• More participation
• Translations
• Investigate Integrations with other OWASP vulnerable applications: Juice
Shop, Dev Slop
• Containerization of Second Degree Black Belt
• New modules
• Roles
• Reporting
Contribute
• Use the Dojo!
• Pull requests are welcome!
[Link]
• Twitter: @SecureCodeDojo
• OWASP Global Slack: #secure-coding-dojo
Q&A
Thank You!
OWASP, Open Web Application Security Project, Global AppSec and AppSec Days are Trademarks of the OWASP Foundation, Inc.