Home
Paul Ionescu edited this page Jan 25, 2019 · 7 revisions
Please review the wiki pages for information on compiling, deploying and enhancing this project.
The Secure Coding Dojo is a platform for delivering secure coding training. While it provides two vulnerable training applications, the training portal can be used in conjunction with other applications as well.
Vulnerable applications:
- "Insecure.Inc" is a Java site that demonstrates simple exploits based on SANS Top 25/OWASP Top 10
- "Hacker's Den" is a Serverless application for more advanced users based on OWASP Top 10
While training sites to teach application security concepts are not new, the target audience has traditionally been pen-testers and ethical hackers. The Secure Coding Dojo is primarily intended as a delivery platform for developers and here's why:
- The predefined lessons are based on the MITRE list of most dangerous software errors (also known as SANS 25), so the focus is on software errors rather than attack techniques
- The predefined hacking challenges are created for entry-level users and keep developers engaged
- In other training sites or CTFs there is a puzzle aspect to the challenges which is great for pen-tester audiences but can make some developers lose interest. In the Secure Coding Dojo the focus is on demonstrating the vulnerability.
- There are tips that help developers as they exploit the issue, so they do not get stuck
- It integrates with Slack for authentication!
- It also integrates with Google, ADFS, LDAP and a local user database
- It allows grouping of participants according to their development teams
- It allows teams to track progress and compete with each other
- Each lesson is built as an attack/defence pair. The developers can observe the software weaknesses by conducting the attack and after solving the challenge they learn about the associated software defences (code blocks)