Finding Cisco DevNet Elite Secure Code Warriors
In my earlier blog post, ”So, You Can Code… But Can You Write Secure Code?“, we talked about how our partner Secure Code Warrior (SCW) would be an integral part of Cisco DevNet Create yet again, for the second time in a row. In the blog post you can read more about how it went, the winners, and of course what happens next!
Devvie Defends: Challenge (Round 1)
As a reminder, this year we decided to go with a 2-phased tournament. The first tournament, “Devvie Defends,” has been held last week at DevNet Create 2021. The Devvie Defends: Challenge align with Cisco’s focus on Cloud Native applications.
Participants
We had a total of 371 people who actively participated in 1 or more challenge, and we had 204 participants actively joining in on the Devvie Defends tournament. Together, they spent a total of 386 hours (about 2 and a half weeks) in these challenges. In total, 5,646 challenges were completed by these secure code warriors (or should I call them legends?)!
Programming languages
As you may remember, the tournament included popular web application language frameworks like GO, Node.js Express, and Python along with some classics like Java and C# .NET to choose from. Python Django was by far the most popular choice, taking around 75% of the attention of the participants. The other 25% consisted of JavaScript (10%), C# (7%), Java (4% and GO (4%).
Looking at the PYPL list of most popular programming languages, it makes sense that Python is on the top of the list. Also, as fellow Dutchman and University of Amsterdam (UvA) alumnus, I can only be proud that a language (Python) that was conceived in the late eighties at the UvA by Guido van Rossum. Having said that, I think it is also great to see a relatively new language, like GO, taking the stage with 4% (even though PYPL only lists it as having a share of 1.49%). GO, being a compiled language and having other advantages, beats Python by far when you look at performance. This might not be important with everyday usage but becomes important when designing larger and more complex applications.
Vulnerabilities
Now let’s talk a bit more about specifics: SCW is all about writing secure code, finding and patching vulnerabilities. The most played vulnerability was Session Handling followed by a couple of other common vulnerabilities (check table below).
What is session handling you may ask? Well, think about certain websites like online stores can keep your cart up to date even though you close and re-open the tab. Sessions are key to a good user experience when using the web. However, managing sessions incorrectly can lead to security holes that attackers can exploit. Proper session management is essential to the security of an application. A valid session ID has the same level of trust as a username/password, or even a second-factor authentication token. Seeing that this is such an important part of creating (web)applications, it is great to see that the warriors were able to crush this. During the challenges, the participants identified (given a vulnerable codebase, identify vulnerability type), located (locate vulnerabilities within a codebase), fixed (identify the correct solution for the vulnerability) and did missions (experiencing vulnerabilities in real-world scenarios) for the various vulnerabilities.
What’s is next?
DevNet Create 2021 is now over. That means the Devvie Defends tournament is also over and the top 25 have been identified. The Top 3 winners will earn prizes and bragging rights. But wait, there is more! The Top 25 have earned their seat in the Devvie Secures: Tournament (Round 2) – a new elite tournament to be held today. The heat will be turned up as the difficulty of challenges increases and players will also be tested with advanced missions to earn even more points as they fight their way to the top!
The Top 3 will earn premium prizes and uber bragging rights, with prizes for everyone who competes. I would like to congratulate everyone who competed so far, and of course some extra congratulations to the Top 25! Good luck today and I will report back in a final blog post on the results of round 2 of this tournament: Devvie Secures!
Want more of Secure Code Warrior?
If you want to learn more about SCW, check out the session “Playing to win with security champions & coaches: Why your development team needs both in the fight against common vulnerabilities!”
Secure Code Warrior special offer
Check out the Secure Code Warrior special offer for all DevNet Community Members! With their flagship learning platform, they guide each coder along their own preferred learning pathway, so that security-skilled developers become the everyday superheroes of our connected world. Get a free user license for every license purchased between now and March 31, 2022! Terms apply.
We’d love to hear what you think. Ask a question or leave a comment below.
And stay connected with Cisco DevNet on social!
Twitter @CiscoDevNet | Facebook | LinkedIn
Visit the new Developer Video Channel
Share: