In the event you ask the typical developer, “What is SQL injection and how can you prevent it?” or “What are the current OWASP Top 10 critical web application security risks?” you’ll most likely get a clean stare in return. Builders right now have little to no coaching on the way to code net functions securely. At greatest, they might have taken a single class whereas in faculty or picked up ad-hoc safe coding practices from their group or dev lead. Coaching builders on the way to code securely is sorely missing at a time when net functions are more and more beneath assault from unhealthy actors.
To be frank, most builders are paid to create new options and performance to satisfy enterprise wants—safety is usually an afterthought. Positive, no developer needs to be the one who by chance creates the subsequent Goal breach, however the threat of exploits is often not top-of-mind.
That’s the place Checkmarx Codebashing will help. It gives just-in-time, focused classes that cowl precisely what builders have to know, when they should understand it. Every lesson takes 5 to eight minutes to finish and might be accessed from the developer’s IDE of selection (i.e., Eclipse, JetBrains IntelliJ, Visible Studio, and Visible Studio Code). What number of instances have you ever discovered your self watching a one-hour coaching video, after which about 10 minutes into it, you’re already checking your e-mail and getting distracted? I’m responsible as charged!
A key differentiator for Codebashing, relative to different types of developer coaching, is we are able to pinpoint particular classes related to safety vulnerabilities discovered inside a code scan, which removes the “abstraction” side and underscores to the developer that “this is a vulnerability we found in your code, and here is a short lesson on how you can fix it and prevent it in future code.” No extra watching countless movies or webinars on coaching which will or might not apply to your particular safety situation. The coaching offered in Codebashing helps builders apply their newly skilled expertise not simply to the vulnerability at hand, but additionally future coding vulnerabilities, which is a serious purpose for any AppSec coaching program.
Let’s take a deeper dive into Codebashing and see the way it will help builders create safe code.
Determine 1 exhibits an Eclipse IDE utilizing the Checkmarx plugin. The undertaking highlighted (JavaVulnerableLab) is a normal Java-based undertaking with Checkmarx scan outcomes retrieved within the IDE.
The Checkmarx scan has uncovered 263 Static Utility Safety Testing (SAST) vulnerabilities, with 123 of these within the Excessive class. On this occasion, we’re taking a look at a Mirrored XSS All Purchasers vulnerability discovered within the xpath_login.jsp file on line 9, as seen within the supply code within the higher center window.
Within the decrease center window of Determine 1, highlighted by the pink circle, is a hyperlink to the Checkmarx Codebashing website. No want in your builders to go to a separate web site for coaching, they’ll entry the coaching straight inside the IDE. This enables developer schooling and coaching to embed within the present developer workflow so it can begin even earlier within the software program improvement life cycle (SDLC).
Clicking on the Codebashing hyperlink takes you to the Checkmarx Codebashing website proven in Determine 2.
Checkmarx Codebashing supplies developer-focused classes that permit builders to determine and resolve vulnerabilities and safety considerations in an setting that simulates the actual world. On this case, a course on DOM Cross Web site Scripting is introduced. Our associates Alice and Bob (click on to right here to see a captivating story on the historical past of this well-known couple) will exhibit the way to forestall this sort of assault.
Click on the “Let’s Play” button to see what’s subsequent!
Determine 3 exhibits the beginning of the Codebashing lesson for DOM Cross Web site Scripting. As seen on the left, this lesson has 10 interactive steps for the developer to carry out. It’s introduced within the programming language the developer was utilizing of their IDE (on this case Java, as seen by the pink circle in Determine 3), making the coaching extra sensible and helpful.
One of many distinctive differentiators of Codebashing is that builders work together with the teachings themselves reasonably than simply watch a pre-recorded video, which reinforces the ideas and concepts behind the teachings. Many conventional coaching websites have countless movies that customers are pressured to observe with little to no interplay. These movies might be skipped via (not that I’ve ever executed that after all) and never a lot is taken from them as they don’t have interaction crucial considering. In distinction, in step 4 of the Codebashing lesson (as seen in Video 1), the person will work together with the video which captures their consideration and ensures a greater studying setting.
Because the person progresses via the lesson, there’s a clear path as to what they’re speculated to do. Right here’s a seize of step 7 displaying precise code and the outcomes of malicious enter.
Lastly, the final step of the lesson exhibits remediation steps and proposals to make sure this sort of vulnerability isn’t launched into code sooner or later, as seen in Determine 5.
On the finish of every lesson, there’s a “Test Your Knowledge” web page with a brief one- to two-question quiz, referenced in Determine 6. This quiz additionally supplies problem factors for proper solutions that apply to tournaments arrange by your Codebashing Administrator. Getting the query proper on the primary strive is all the time a winner!
The final web page in every lesson is a key takeaways web page with a complete abstract. It supplies an summary of the lesson and the way to forestall the particular coding vulnerability. It additionally gives additional classes on further subjects.
In abstract, Checkmarx Codebashing is a enjoyable and interactive strategy to provide builders just-in-time, interactive coaching on safe coding practices. By implementing a developer schooling program corresponding to Codebashing—versus Stackoverflow or Google searches—we anticipate your group to see a big improve in productiveness.
Prepared to offer Codebashing a strive?
Request a demo, right now.
