The regularity of media reports on cyberattacks shows that security is, or should be, a key issue for software development teams these days. Experience also shows that security vulnerabilities are usually not created by highly specialized functions. Rather, many successful attacks exploit well-known security vulnerabilities. For this reason, we are very pleased that the learning platform Secure Code Warrior is now integrated into our version management tool SCM-Manager.
An example of well-known security vulnerabilities is SQL injections, where arbitrary code is injected into database queries, allowing unauthorized information to be read (for more on this, see the Wikipedia article). Such attacks are very popular because they can be carried out very easily. That’s why SQL injections have consistently ranked first in the Open Web Application Security Project’s (OWASP) top 10 security risks since 2010.
These vulnerabilities are actually easy to close. Often, there just seems to be a lack of awareness, or the necessary time to perform appropriate security checks and design processes in such a way that security aspects are taken into account on an ongoing basis. Awareness can be created either classically through targeted training or through continuous learning, e.g. by means of microlearning or gamification. Secure Code Warrior is a very good example of the latter. By combining Secure Code Warrior with the version control management tool SCM-Manager, security aspects can be integrated into processes easily and in a time-saving manner.
In combination with the plugin for the version control management tool SCM-Manager, the information is integrated directly into the software development process.
SCM-Manager is an open source version management tool that Cloudogu took over in 2020 (to the official announcement of the acquisition). In the same year, we released the completely revised version 2 of the tool. SCM-Manager can be operated on-premises and offers, in addition to repository management, a complete review process for changes, the ability to edit files directly in the browser, and many other features.
The Integration of learning content about security vulnerabilities with the plugin for Secure Code Warrior is the latest enhancement of the tool.
With the free plugin, videos and links to security vulnerability challenges are displayed directly in pull requests. This way developers directly get all important information about the security vulnerability. For this purpose, the description of pull requests as well as comments and tasks from reviewers are searched for keywords.
For example, the pull request shown in figure 2 contains the keyword “SQL Injection” in the description. Therefore, the corresponding learning content is displayed.
This integration offers the possibility to use the information from Secure Code Warrior in different ways.
When a security vulnerability is found and fixed in the application, the pull request can be used to educate other team members on the topic – by performing the review. By mentioning the security vulnerability in the pull request’s description, information about the topic is displayed. This can be used to learn the theory. At the same time, the learned basics can be comprehended in the context of the expert’s changes in the own application. This approach spreads the knowledge of the topic over several people.
To have information on security topics displayed in pull requests, it is sufficient to mention the topic in the description or title of the pull request.
In SCM-Manager, reviewers can provide feedback on pull requests to point out potential security vulnerabilities. All that is required, is to mention a security topic in comments or in tasks. Thus, the corresponding Secure Code Warrior content is displayed in an automatically generated comment.
Note: Only “root” comments are searched for keywords, not replies to comments.
The Secure Code Warrior plugin for SCM-Manager integrates information about vulnerabilities directly into the creation and approval process for changes. All that is required is that a person involved in the process mentions the security vulnerability. All the necessary information for implementation is then provided automatically. The advantage of this approach is that knowledge about security vulnerabilities is spread throughout the team without additional effort, and team members can educate themselves through self-study using micro-learning and gamification.