SecureBuild

SecureBuild – Go Beyond the Code to Reduce Software Risk

Development teams constantly deal with rapid release cycles, dozens of technologies, and relentless threats. They generally want to address these challenges in a secure way but are not sure how (or why).

SecureBuild combines computer-based training (CBT) with AppSec cyber ranges to make security approachable. By building competency in a real-world environment, teams gain confidence, and security becomes a natural part of the software assurance process.

Shift security left

Gather security requirements, threat model, scrutinize design, reduce the attack surface

Usher in technology securely

Full-stack coverage ensures security incompetence won’t slow down the business

Track Skills Progression

Set goals, baseline against other industries and roles, and use reports to stay on track


SecureBuild covers all design, implementation, and verification activities

Ideal for Software & Development Teams

Reduce Code Risk in Development

Reduce Code Risk in Deployment

With SaaS, the cloud, and continuous release, the line between development and deployment is blurred.

Understanding how code flaws propagate into attack vectors changes mindsets from “Why would anyone do that?” to “That’s a problem – I need to prevent it!”

Build any Desired Competency

Not all roles need the same security proficiency. Our progressive CBT builds awareness first and then specialized knowledge, in sequence.

Our cyber ranges also progress in difficulty. Simpler ranges are ideal for those who need to be security-aware, and advanced ranges are great for grooming security champions.

  • SDLC phases: requirements, design, coding, verification
  • Platforms: Android, iOS, AWS, Azure, Web, Linux, Embedded, IoT, DB
  • Standards: PCI DSS, OWASP, CWE
  • Languages: AJAX, Django, React.js, .NET, PowerShell, Go, Angular, jQuery, Ruby, Perl, Bash, C/C++, C#, Web Services, Swift, Python, PHP, Node.js, JavaScript, Java, HTML5
  • Environments: Web & Mobile applications
  • Focus: code- and design-level vulnerabilities, OWASP Top Ten, data protection
  • Attacks: XSS, SQLi, role-based, business logic
  • Gameplay: No tools needed. Learning Labs, hints, and cheat sheets ensure all skill levels can compete

Who’s Got Real Talent?

While CBT and gamification do a great job of ramping up knowledge, their pre-determined outcomes make it harder to assess actual security acumen.

Cyber ranges incorporate real-world vulnerabilities that can be exploited in several ways, just as attackers would exploit them.

Our sophisticated scoring engine doesn’t rely on syntax or pattern matching. To earn points, players need to demonstrate the ability to apply knowledge correctly.


But Do My Developers Need to Know how to Hack?

The goal of our cyber range is not to turn developers into pen testers but to make them offensive-minded. Hacking is the most accurate way to gauge if teams can recognize poorly implemented security principles. If they can’t, they’re likely making the same mistakes.

SQL Injection

For example, if a developer can’t conduct a basic SQLi attack, they might not understand:

  • How databases get exploited
  • Security principles like input sanitization and “trust no data”
  • How to implement code-level mitigations like blacklisting

Detailed cyber range reports highlight these gaps and provide specific course recommendations.

"After the cyber range, I approached coding differently. Now my first thought is 'how could I hack this? What if I changed the form input, would we reject it appropriately?'"
– Molly Struve, Software Engineer, Dev.To

"Our members found CMD+CTRL to be an engaging way to think more offensively in order to effectively apply secure coding concepts to the development."
– Michael Allen, OWASP Chicago Chapter Lead

Reporting & Measuring

As a starting point, you can baseline against industries and/or roles. Detailed reports make it easy to gain insight into individual and team performance, allowing you to:

  • Fill gaps identified in the cyber range with specific courses
  • Track against key performance indicators and goals
  • Measure staff risk over time
