06/17/2021 in Quality

More security thanks to micro-learning and gamification – Secure Code Warrior plugin for SCM-Manager

The regularity of media reports on cyberattacks shows that security is, or should be, a key issue for software development teams these days. Experience also shows that vulnerabilities rarely originate in exotic, highly specialized functionality. Rather, many successful attacks exploit well-known classes of vulnerability. For this reason, we are very pleased that the learning platform Secure Code Warrior is now integrated into our version management tool SCM-Manager.

A classic example is SQL injection, where attacker-controlled input is interpreted as part of a database query, allowing data to be read or modified without authorization (for more on this, see the Wikipedia article). Such attacks are popular because they are easy to carry out. That is why injection, the broader category to which SQL injection belongs, has held first place in the Open Web Application Security Project's (OWASP) Top 10 since the 2010 edition.

These vulnerabilities are usually easy to close once they are recognized; for SQL injection, for instance, parameterized queries are sufficient. What is often missing is awareness, or the time to perform appropriate security checks and to design processes so that security aspects are taken into account on an ongoing basis. Awareness can be created classically through targeted training or through continuous learning, e.g. by means of microlearning or gamification. Secure Code Warrior is a very good example of the latter. By combining Secure Code Warrior with the version control tool SCM-Manager, security aspects can be integrated into everyday processes easily and without much extra time.
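To make the "easy to close" point concrete, here is an added example (not code from the original post, from SCM-Manager or from Secure Code Warrior) of the vulnerability class named above: a lookup that builds its SQL statement by string concatenation next to the same lookup with a parameterized query. The in-memory `users` table, its rows and the `PAYLOAD` are constructed for this illustration.

```python
"""Added example, not part of the original post: SQL injection in Python's
sqlite3 module, vulnerable query beside the parameterized fix.
The table, its rows and the payload are constructed for this illustration."""
import sqlite3


def make_db():
    """Create an in-memory database with three constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "alice-token"), ("bob", "bob-token"), ("carol", "carol-token")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the caller's input becomes part of the SQL text itself,
    so a quote in the input changes the structure of the WHERE clause."""
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Fixed: the value travels separately from the statement; the driver
    treats it as data, never as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker input: closes the string literal and appends a
# condition that is true for every row.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "alice"))        # the intended single row
    print(lookup_vulnerable(db, PAYLOAD))        # every row leaks
    print(lookup_parameterized(db, PAYLOAD))     # no row matches the literal string
```

The concatenated version turns the payload into `WHERE name = 'x' OR '1'='1'`, which is true for all rows; the parameterized version looks for a user literally named `x' OR '1'='1` and returns nothing. This is the one-line change Secure Code Warrior's SQL injection challenges train developers to make.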

Learning with Secure Code Warrior

The Secure Code Warrior platform uses microlearning and gamification to teach how widespread security vulnerabilities arise and how to close them. The platform offers learning content on almost 150 security topics such as SQL Injection, Cross-Site Scripting (XSS), Memory Corruption or Client Side Injection for all common languages and frameworks such as PHP, JSP, JavaScript, C++, Java Spring, .NET and many more. The content is taught in the form of videos (see example below) and programming exercises (challenges).

In combination with the plugin for the version control management tool SCM-Manager, the information is integrated directly into the software development process.

Open Source Version Management Tool SCM-Manager

SCM-Manager is an open source version management tool that Cloudogu took over in 2020 (to the official announcement of the acquisition). In the same year, we released the completely revised version 2 of the tool. SCM-Manager can be operated on-premises and offers, in addition to repository management, a complete review process for changes, the ability to edit files directly in the browser, and many other features.

Figure 1: SCM-Manager repository overview

The integration of learning content about security vulnerabilities via the Secure Code Warrior plugin is the latest enhancement of the tool.

The exclusive and free Secure Code Warrior plugin for SCM-Manager can be downloaded via myCloudogu.

Secure Code Warrior Plugin for SCM-Manager

With the free plugin, videos and links to the matching Secure Code Warrior challenges are displayed directly in pull requests, so developers receive the essential information about a vulnerability right where they review the change. To do this, the plugin searches the title and description of a pull request as well as reviewers' comments and tasks for keywords.

Figure 2: Pull request with information about a security vulnerability

For example, the pull request shown in figure 2 contains the keyword “SQL Injection” in the description. Therefore, the corresponding learning content is displayed.

This integration offers the possibility to use the information from Secure Code Warrior in different ways.

SCM-Manager makes the pull request a “security issue” with Secure Code Warrior

When a security vulnerability is found and fixed in the application, the pull request can be used to educate other team members on the topic through the review itself. Mentioning the vulnerability in the pull request's description causes the matching content to be displayed, which covers the theory. At the same time, reviewers can relate those basics to the expert's concrete changes in their own application. This spreads knowledge of the topic across several people.

To have information on security topics displayed in pull requests, it is sufficient to mention the topic in the description or title of the pull request.

In SCM-Manager, reviewers can provide feedback on pull requests to point out potential security vulnerabilities. All that is required is to mention a security topic in a comment or in a task. The corresponding Secure Code Warrior content is then displayed in an automatically generated comment.

Figure 3: Comment with information about a security vulnerability

Note: Only “root” comments are searched for keywords, not replies to comments.
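The keyword search described above (title and description, root comments and tasks, but not replies) can be modelled in a few lines. The following is an added illustration, not the plugin's own code: the topic catalogue `TOPIC_KEYWORDS`, the `PullRequest`/`Comment` structures and the sample pull request are all constructed here, and the real plugin's keyword list and matching rules may differ.

```python
"""Added example, not the SCM-Manager plugin's code: a keyword scan over the
searched parts of a pull request, skipping replies to comments.
Catalogue, data structures and the sample pull request are constructed."""
import re
from dataclasses import dataclass, field

# Hypothetical catalogue: learning-topic id -> keywords that trigger it.
# Matching is case-insensitive and on word boundaries.
TOPIC_KEYWORDS = {
    "sql-injection": ["SQL Injection", "SQLi"],
    "xss": ["Cross-Site Scripting", "XSS"],
    "memory-corruption": ["Memory Corruption", "Buffer Overflow"],
}


@dataclass
class Comment:
    text: str
    replies: list = field(default_factory=list)   # nested Comment objects


@dataclass
class PullRequest:
    title: str
    description: str
    comments: list = field(default_factory=list)  # root comments only at top level
    tasks: list = field(default_factory=list)     # task texts


def find_topics(text):
    """Return the set of topic ids whose keywords occur in `text`."""
    found = set()
    for topic, keywords in TOPIC_KEYWORDS.items():
        for kw in keywords:
            # \b stops "XSS" from matching inside a longer token such as "boXSSet";
            # re.escape protects keywords containing regex metacharacters.
            if re.search(r"\b" + re.escape(kw) + r"\b", text, re.IGNORECASE):
                found.add(topic)
                break
    return found


def scan_pull_request(pr):
    """Map each searched location to the topics found there.

    Replies are deliberately not visited, mirroring the note that only
    root comments are searched for keywords."""
    hits = {}
    for where, text in (("title", pr.title), ("description", pr.description)):
        topics = find_topics(text)
        if topics:
            hits[where] = topics
    for i, comment in enumerate(pr.comments):
        topics = find_topics(comment.text)      # comment.replies are ignored
        if topics:
            hits[f"comment[{i}]"] = topics
    for i, task in enumerate(pr.tasks):
        topics = find_topics(task)
        if topics:
            hits[f"task[{i}]"] = topics
    return hits


# Constructed sample pull request resembling figures 2 and 3.
SAMPLE_PR = PullRequest(
    title="Fix login query",
    description="Builds the WHERE clause from user input, which allowed a SQL injection.",
    comments=[
        Comment(
            "Please also check the search endpoint for XSS.",
            replies=[Comment("Memory corruption is not relevant here.")],
        )
    ],
    tasks=["Add a test for SQLi in the search endpoint"],
)


if __name__ == "__main__":
    for where, topics in scan_pull_request(SAMPLE_PR).items():
        print(f"{where}: {sorted(topics)}")
```

Run stand-alone, the script reports the description, the root comment and the task; the reply mentioning memory corruption produces no hit, which is exactly the behaviour the note above describes.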

Conclusion

The Secure Code Warrior plugin for SCM-Manager integrates information about vulnerabilities directly into the creation and approval process for changes. All that is required is that a person involved in the process mentions the security vulnerability. All the necessary information for implementation is then provided automatically. The advantage of this approach is that knowledge about security vulnerabilities is spread throughout the team without additional effort, and team members can educate themselves through self-study using micro-learning and gamification.


Daniel Huchthausen

- IT Consultant -

When he is not exploring the wilderness, Daniel keeps himself busy with topics such as quality assurance, testing and PM methods.