Paul Ionescu edited this page Jan 25, 2019 · 7 revisions

Welcome to the Secure Coding Dojo wiki!

Please review the wiki pages for information on compiling, deploying and enhancing this project.

The Secure Coding Dojo is a platform for delivering secure coding training. While it ships with two vulnerable training applications, the training portal can also be used in conjunction with other applications.

Vulnerable applications:

  • Insecure.Inc is a Java site that demonstrates simple exploits based on the SANS Top 25/OWASP Top 10
  • Hacker's Den is a serverless application for more advanced users, based on the OWASP Top 10

While training sites that teach application security concepts are not new, their target audience has traditionally been pen-testers and ethical hackers. The Secure Coding Dojo is primarily intended as a delivery platform for developers, and here's why:

  • The predefined lessons are based on the MITRE CWE/SANS Top 25 Most Dangerous Software Errors (also known as the SANS 25), so the focus is on software errors rather than attack techniques
  • The predefined hacking challenges are designed for entry-level users and keep developers engaged
  • In other training sites or CTFs the challenges have a puzzle aspect, which is great for a pen-tester audience but can make some developers lose interest. In the Secure Coding Dojo the focus is on demonstrating the vulnerability.
  • There are tips that help developers while they are exploiting the issue, so they don't get stuck
  • It integrates with Slack for authentication!
  • It also integrates with Google, ADFS, LDAP and a local user database
  • It allows grouping participants according to their development teams
  • It allows teams to track progress and compete with each other
  • Each lesson is built as an attack/defence pair: developers observe the software weakness by conducting the attack and, after solving the challenge, learn about the associated software defences (code blocks)