Build code security skills with the GitHub Secure Code Game

[GitHub]

In March 2023, we launched the Secure Code Game, an in-repo learning experience where players fix intentionally vulnerable code, so developers can build a secure coding mindset while having fun! Since then, more than 3,500 developers have played, and we love seeing how it has helped enterprise, open source, and education communities achieve their objectives. Today, we are excited to release the second season with five community-contributed challenges in JavaScript, Python, Go, and GitHub Actions!

How the game works

The game is still as simple as it can be: review the code, fix the bugs, and run the tests to progress to the next level! The best part? It takes less than two minutes to spin it up as a fully configured environment in the cloud via GitHub Codespaces, with up to 60 hours a month free. It’s designed for developers and students who want to improve their code security skills, learn how to build security into workflows, and how to use GitHub Advanced Security (GHAS).

Why a game?

Our initial motivation was to tackle the pain points that the developer community was struggling with in secure coding training. In our interactions with the community, we collected the following feedback:

• “Boring courses that follow a purely theoretical approach, often video-based.”
• “Learning outside of a dev environment.”
• “Assessments through multiple-choice questions while in the real world there are not guarantees of fixing a security issue without introducing new ones.”
• “Lack of personalization based on the programming languages and frameworks in use, including frequent security issues occurring from one’s coding style.”

We chose a gamified approach that excited our learners and the in-repo experience, either inside Codespaces or locally, made it developer-first, keeping developers where they excel: their code editor. We then gave players a threefold challenge: spot the security issue(s), fix them, and keep the code as functional as initially to proceed to the next level. This made players recognize the real-world challenge of fixing an issue effectively, without introducing any regression of the existing functionality. Finally, by open sourcing our game, we also gave the community a chance to contribute. They seized the opportunity and contributed to four out of five challenges of the new season!

Contributing to the Secure Code Game means having an impact in the wider security world through open source. I added challenges to the second season inspired by real-life scenarios, to help others learn in an engaging, fun, and hands-on way.

- Deniz Onur Düzgün, Senior Product Security Specialist, HashiCorp, and Open Source Contributor

Over the past year, hearing from our community about how they’ve been using the game has been incredibly rewarding. For example, a PropTech startup gathered its developers for the first of its kind hackathon based on the Secure Code Game. After trying other trainings unsuccessfully and seeing vulnerabilities in code continue piling up, they decided to take some common security issues they were facing and transform them into Secure Code Game challenges for their engineers to compete in teams of two. As a result, they noted a 96% reduction in security issues when combining GHAS and the Secure Code Game, and nearly 97% reduction in the weekly time required from the security team to help developers with security remediation.

Our engineers had fun! We noticed an increased sense of ownership among developers and willingness to learn directly from our security engineers.

- Chief Information Security Officer (CISO) of a PropTech Startup

Additionally, the Secure Code Game was used in the classroom at the University of Novi Sad for delivering interactive lectures with the active participation of students.

I observed that this is a more efficient way to share knowledge compared to the classic delivery with a passive audience. Students immediately got a chance to practice concepts and learn by doing. They also realized that security shouldn’t be an afterthought because they experienced in practice when it’s bolted on top of a feature-rich application, it’s just too late and risky.

- Ervin Varga, Associate Professor in the Faculty of Technical Sciences at the University of Novi Sad

Your chance to level up!

We can’t wait to find out how you will perform on the challenges of this second season. And for the creative readers, don’t miss your opportunity to contribute! We welcome your ideas to shape the game’s future. Just take a look at our contribution guideline for more details.

So, what are you waiting for? Start playing now!

---

Did you know?

You can try out CodeQL for free while playing the Secure Code Game. CodeQL is the Static Application Security Testing (SAST) tool within GHAS, and if you get stuck on the Secure Code Game challenges, you can have a look at the alerts raised by CodeQL for guidance.