TL;DR: Instead of continuing to hack into companies to expose their weaknesses, digital security expert Pieter Danhieux redirected his skills toward helping developers build strong applications from the start. The Secure Code Warrior training platform encourages company-wide collaboration in a gamified environment complete with tournaments, prizes, and real-time feedback. Once training and assessments are complete, Secure Code Warrior’s Sensei module continues to monitor a dev team’s code to ensure it adheres to secure coding guidelines — just like a spell-checker. Now, Pieter and the Secure Code Warrior team are looking to expand their services to new industries and geographic regions to help build a more secure internet.
The profession of software engineering has been around for roughly 50 years. That seems plenty long enough to be established in the larger global workforce — until you consider jobs in civil engineering. Man has been building bridges, roads, and houses for more than 2,000 years; that’s 20 centuries of knowledge, improvement, and learning.
That’s the context Pieter Danhieux uses to show that software development and security are still in their infancy when it comes to process maturity and established industry best practices.
“Today, when someone builds a bridge, they think about safety, security, and performance,” he said. “But that’s knowledge we’ve gained from over 2,000 years of human experience, and I’m pretty sure the first bridges we built were probably not that safe or secure.”
To help accelerate the industry’s learning process, Pieter and Matias Madou have turned their global reputations as security experts and more than a decade’s worth of experience as developers, researchers, trainers, and consultants into a cutting-edge platform that gives companies a stronger front line of defense. Secure Code Warrior trains developers to write secure code from the start, which means organizations and security personnel no longer have to play a frantic, time-consuming, and expensive game of catch-up.
“We need to adapt and understand that, whenever you build software, it’s still the first batch of bridges and buildings,” Pieter said. “Let’s learn about security and help the people building these things to make sure they know how to securely build a piece of software.”
The Journey From Pointing Out Flaws to Providing the Solutions
As Pieter tells it, he was into cybersecurity before the term even existed. Instead, he operated under the umbrella of IT and information security, spending about 14 years as an ethical hacker — breaking into companies’ online systems and getting paid to expose their vulnerabilities.
“We got frustrated after that long and realized we were always giving people problems, never actually solving them,” he said.
What’s more, Pieter and his colleagues were encountering the same security vulnerabilities with alarming frequency. Not only were the weaknesses well known in the security industry at the time, but they had been publicly documented online since the early 2000s.
“Even in 2014, the way most data breaches were happening and more companies were getting compromised was with security vulnerabilities that are at least a decade old,” he said. “That’s 10 years of applications and things developers don’t really understand or have no concept of how to build something with security in mind.”
Instead of continuing to point out the same problems, Pieter said he and his team wanted to take a more proactive approach to solving them. Because most of the flaws the group uncovered were rooted in the software itself, the team focused on providing resources to developers.
“We tried to solve the problem on a global scale because I knew this was not a European problem or an Australian problem or a certain industry problem,” Pieter said. “We wanted to build something where we can help developers become better developers, write better code, and develop good coding habits.”
4 Stages of Training Secure Code Warriors
With experience organizing several hacking conferences and capture-the-flag events, Pieter decided to apply the competitive, gamified approach to teaching software engineers how to improve security.
“What we basically want to do is bring those developers through a journey,” he said.
Secure Code Warrior starts with engaging and competitive tournaments where developers can register, select a coding language, and attempt to solve various real-world challenges.
“We’ll show a piece of code to these developers and tell them there’s a vulnerability that was used in the Ashley Madison data breach a few years ago. Go in and fix it,” Pieter said.
A hinting system provides clues to developers who can’t identify the coding misstep, and points are awarded based on how quickly the task is completed and how many hints were needed along the way.
“They’re competing for two or three hours against their peers,” Pieter said. “It might be their own agile scrum team, it might be the whole company or other industry organizations. Tournament mode is to introduce them to the fact that security is not just a bore, it’s something that can produce a fun and challenging experience.”
From there, Secure Code Warrior provides training modules that address an organization’s top four most common security weaknesses. Developers can progress through the lessons at their own pace.
“It’s all gamified, not videos or boring eLearning slideshows,” Pieter said.
Progress is then measured with the platform’s assessment or certification mode. Once the knowledge gains are demonstrated, Secure Code Warrior equips developers with Sensei, a simple plugin that integrates with development environments and acts like a spell checker.
“While the developer is writing real, production code, we’re going to check on the fly and verify he is doing everything correctly,” Pieter said. “If he’s not, we’re going to put a pop-up in and direct him back to the relevant training.”
Benefits of Bridging the Gap Between Security and Development
Pieter said he is well aware of the divide between developers and security personnel that’s common at many enterprise organizations. In the effort to protect companies from attackers, security teams are often viewed as a barrier to developer productivity and creativity.
“The average developer doesn’t really like security people or security as a function within the organization, and I don’t blame them,” he said. “For the past 20 years, security has always said no to things, and I think that’s why there’s a strained relationship between them and developers. What we want to do is fix that relationship.”
Because security personnel can organize Secure Code Warrior tournaments, the two communities begin to form connections and can better understand each other’s roles and strengths.
“Our gamified system suddenly creates a bridge between these two groups that typically don’t talk to each other,” he said, adding that the training platform also enables security professionals — who can sometimes be outnumbered by developers 500-to-1 — to reach more people with meaningful, effective information.
Secure Code Warrior helps enterprises address security issues preemptively, at the programming level, instead of having to remediate weaknesses already in production code, where Pieter said they are 1,000 to 10,000 times more expensive to fix.
“Just imagine you build a house, and your house is completely built and furnished when you suddenly realize there’s something wrong with the fundamental architecture or foundation,” he said. “How much time and effort and money is it going to cost to deconstruct your house, fix the problem, and basically open it up again? The same things happen with software.”
Expanding Into New Regions, Industries, and Languages
Secure Code Warrior initially focused on the banking industry, serving institutions with anywhere between 500 and 20,000 developers, but Pieter said that focus has since expanded well beyond banking to the technology, telecommunications, retail, manufacturing, gaming, and airline industries.
“I honestly think this whole world is turning into one big software machine,” he said. “The pain does not only exist in banking, but it also exists in the online payment processors, large retailers, airlines, and anyone who builds code as a business on a global scale.”
Pieter pointed specifically to the manufacturing of cars and home appliances as industries that are not regulated in terms of cybersecurity — but will soon need help.
“The car is just a little bit of hardware,” he said. “Everything else is being steered by software. The same is happening with refrigerators and dishwashers.”
The need for secure coding and robust training systems means Secure Code Warrior is poised for rapid expansion, Pieter said. In addition to traction in the U.S. and Europe, the platform is gaining ground in areas like Singapore, Hong Kong, and China thanks to companies outsourcing development needs.
From a technology perspective, Secure Code Warrior supports a wide — and growing — range of languages and frameworks. In addition to staples such as Java, C#, Python, Ruby, and Node.js, the platform also provides training for the legacy language COBOL and for more modern options such as Go, Angular.js, and React.js.
“Being able to offer a solution that is not for one specific group of developers is critically important to us,” Pieter said. “We support 17 different languages and frameworks on the platform, and they can all train the same. Whether you’re a COBOL guy or mobile developer, there’s something there for you.”