You are not expected to have any knowledge of software security going in. All you need is programming knowledge.
After you complete the training you should have a good understanding of software security aspects. However, training by itself will not be sufficient to make your software secure. Safeguards such as changes to development processes and security tools will also be necessary.
The goal of the Dojo is to be the first step in your journey towards becoming a safer developer. It also aims to enact cultural changes and a secure mindset within organizations whether they are schools or companies.
The training is intended to be fun and easy to achieve. It's just like in martial arts but aims to make you a Secure Coding Ninja. Are you ready to get your Black Belt?
Read more about how it works below.
In order to know how to defend you must first learn what you need to defend against.
Attacks on software are conducted by taking advantage of software weaknesses or misconfigurations.
To advance your training you will have to complete challenges that involve identifying and attacking software weaknesses. This will help you get into the attacker mindset and 'put your hacker hat on'.
Thinking like an attacker will help you avoid vulnerabilities when designing software, a process known as 'Threat Modeling'. It will also help you test your code for vulnerabilities once the software has been built.
In martial arts you learn various blocking techniques. Each block defends against one or more types of attacks.
In a similar way, software can be defended through 'code blocks'. They are more widely known as 'secure coding practices'. Code blocks include practices like 'allow-listing user input' or 'using strong cryptographic algorithms'.
After you complete a challenge you will have the opportunity to review the 'code blocks' that could have prevented the attacks.
Knowing the basic 'code blocks' will help you prevent the attacks while you are writing your code. It will also help you identify software weaknesses during code review.
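To make the first of those 'code blocks' concrete, here is a small added example (not code from the Dojo itself) contrasting allow-list validation with a deny-list check. The sample inputs, the username rule (lowercase letters, digits and underscore, 3 to 32 characters) and the denied fragments are all constructed for the illustration.

```python
import re

# Constructed sample inputs: what a registration form might receive.
SAMPLE_INPUTS = [
    "alice_01",                   # well-formed username
    "Bob.Smith",                  # uppercase and '.' are outside the allowed set
    "<b>bold</b>",                # markup, clearly not a username
    "<script>alert(1)</script>",  # markup the deny-list happens to know about
    "a" * 40,                     # too long
    "",                           # empty
]

# Allow-list: state exactly what a username may look like and reject everything else.
# The pattern is an assumption for this example, not a rule from the Dojo.
USERNAME_PATTERN = re.compile(r"[a-z0-9_]{3,32}")


def is_valid_username(value: str) -> bool:
    """Allow-list check: True only if the whole value matches the permitted pattern."""
    return USERNAME_PATTERN.fullmatch(value) is not None


# Deny-list: a few fragments we have seen go wrong before (constructed for the example).
DENIED_FRAGMENTS = ("<script", "'", "--")


def deny_list_check(value: str) -> bool:
    """Deny-list check: accepts anything that does not contain a known-bad fragment.

    Because it can only reject what it has enumerated, it lets through inputs
    (other markup, wrong length, empty strings) that the allow-list rejects.
    """
    lowered = value.lower()
    return not any(bad in lowered for bad in DENIED_FRAGMENTS)


def classify(inputs):
    """Map each input to (accepted_by_allow_list, accepted_by_deny_list)."""
    return {value: (is_valid_username(value), deny_list_check(value)) for value in inputs}


if __name__ == "__main__":
    for value, (allow_ok, deny_ok) in classify(SAMPLE_INPUTS).items():
        print(f"{value!r:32} allow-list={allow_ok!s:5} deny-list={deny_ok}")
```

Running the block shows the gap: the deny-list accepts "Bob.Smith", "<b>bold</b>", the 40-character string and the empty string, while the allow-list accepts only "alice_01". That gap is the reason allow-listing is the practice to reach for first.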
Just like in Karate you can never use the skills you learn here to attack someone. You are only participating in this training to learn how to defend your software.
Even when you are conducting security testing to find the security bugs so they can be fixed, it has to be fully authorized.
Any unauthorized testing, even when conducted for good, is a criminal offense so be sure to check you have authorization before you touch any applications outside this challenge.
You are fully authorized to conduct testing on the target applications provided for the challenges; however, you are not authorized to conduct disruptive testing, load testing or automated scanning, or to intentionally alter the integrity of the target applications.
You are not authorized to conduct any testing on this page or the authenticated portion of this site, to try to bypass the challenges, steal challenge codes, impersonate any users, or otherwise try to break the leaderboard application. If you happen to notice anything, you get bonus points for reporting it to the organizers.
Don't get too intimidated by the rules, though :) Have fun and enjoy the learning experience.
Sign in below to get started!