  SECURE CODE COACH

Stay ahead of secure coding best practices

The cyber-threat landscape is constantly shifting and staying ahead of common software vulnerabilities is more important than ever. With a range of handy secure coding guidelines, hands-on missions, and videos we can help keep you up to date with best practices.


{
 "dependencies": {
   "foo": "1.0.0 - 2.9999.9999",
   "bar": ">=1.0.2 <2.1.2"
 }
}

Using Components with Known Vulnerabilities

Most applications make use of large numbers of third-party components. These components provide everything from logging and templating to database access. This makes developing software much easier and saves a lot of time. But they're also made by people, which means some will inevitably contain vulnerabilities. Read the guideline to find out more.


Many frameworks also have a set of endpoints that can be enabled to allow monitoring of the application, whether in a production or test/dev environment. These can include:

Metrics (Prometheus)
Logs
Environment information
Path/URL mappings

Security Misconfiguration

Security Misconfiguration is something of an umbrella term that covers common vulnerabilities that arise from an application’s configuration settings rather than from bad code. It’s a wide-ranging subject and it’s heavily dependent on factors like your technology stack. Often, addressing these issues seems simple, like changing a configuration file or even a single line of code, but the impact and consequences of these vulnerabilities can be severe. Read our guideline to learn more about this vulnerability and how to mitigate it.


// Deliberately vulnerable: the URL comes straight from the request and is never validated.
let url = request.params.url;

// The server fetches whatever the caller asked for, including internal addresses.
let response = http.get(url);
let render = response.render();

return render.export();

Server-Side Request Forgery

Server-Side Request Forgery vulnerabilities occur when a user is able to cause an application to make HTTP requests to an attacker-determined domain. If an application has access to private/internal networks, an attacker could also cause the application to make requests to internal servers. In this guideline we’ll take a closer look at some examples to better understand what it looks like in action.
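An added example, not code from the page, of the check the handler above is missing: the request-supplied URL is validated against a constructed allowlist of hosts (ALLOWED_HOSTS is an assumption) before anything is fetched, and fetch is a placeholder for the real HTTP client call.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only hosts the server may fetch from.
ALLOWED_HOSTS = {"api.example.test", "cdn.example.test"}


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return url unchanged if it is safe to fetch, otherwise raise ValueError.

    Rejects non-http(s) schemes, URLs carrying a userinfo part (so
    'http://api.example.test@10.0.0.5/' cannot masquerade as an allowed host),
    and any hostname not on the allowlist, which also excludes IP literals.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname  # urlsplit already lower-cases the hostname
    if host is None or host not in allowed_hosts:
        raise ValueError(f"host not allowed: {host!r}")
    return url


def is_allowed_url(url: str) -> bool:
    """Boolean wrapper around validate_outbound_url for quick checks."""
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False


def handle_request(params: dict, fetch=lambda u: f"fetched {u}") -> str:
    """Server-side handler: validate before any outbound request is made.

    fetch is a placeholder for the real HTTP client and only echoes the URL here.
    """
    url = validate_outbound_url(params["url"])
    return fetch(url)
```

Hostname allowlisting does not cover an allowed host redirecting to an internal address, so the real fetch should also disable redirect following or re-validate each hop.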


import mysql.connector

# Bad practice. Avoid this! This is just for learning.
db = mysql.connector.connect(host="localhost", user="newuser", passwd="pass", db="sample")
cur = db.cursor()
name = input('Enter Name: ')
# The user-supplied name is formatted straight into the SQL text, so it can change the query (SQL injection).
cur.execute("SELECT * FROM sample_data WHERE Name = '%s';" % name)
for row in cur.fetchall():
    print(row)
db.close()

SQL Injection

SQL injection (SQLi) is a web security vulnerability in which code is injected into SQL statements to attack an application and gather important information from it. It is the most common hacking technique for manipulating the database and extracting crucial information from it.
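The lookup from the snippet above, written as an added example (not the page's code) against an in-memory SQLite table with constructed rows, so the string-formatted query can be compared directly with a parameterised one:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table (constructed sample data, not the page's 'sample' DB)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sample_data (Name TEXT, Email TEXT)")
    db.executemany(
        "INSERT INTO sample_data VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, name: str) -> list:
    """Same pattern as the page's snippet: input is formatted into the SQL text itself."""
    cur = db.cursor()
    cur.execute("SELECT * FROM sample_data WHERE Name = '%s';" % name)
    return cur.fetchall()


def lookup_safe(db: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value travels separately from the SQL, so it can
    never alter the statement's structure, whatever characters it contains."""
    cur = db.cursor()
    cur.execute("SELECT * FROM sample_data WHERE Name = ?;", (name,))
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    # A single quote in the input is enough to rewrite the WHERE clause in the vulnerable version.
    crafted = "x' OR '1'='1"
    print(len(lookup_vulnerable(db, crafted)))  # every row comes back
    print(len(lookup_safe(db, crafted)))        # no row has that literal name
```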


Missions & Walkthroughs

Explore our library of free interactive content.


Introducing Coding Labs: Next-level developer training

A recent study found that 40% of developers don’t believe they’re receiving enough hands-on security training. Our new Coding Labs (currently in Preview) allows developers to write code at their desired pace in a familiar IDE and receive real-time feedback to ensure they're learning the necessary skills to avoid introducing vulnerabilities into code.


Join Our Community on Discord


  LEARN VISUALLY

Secure Code Cinema

Visit our curated YouTube playlist where you’ll find general software cybersecurity tips as well as insights about current and ongoing cyber-threats and stories from developers about how they got interested in security.


Leaders in DevSec with Prajwal Shetty

Hear from Prajwal Shetty, senior technical lead, and find out how he developed a passion for security and pursued formal training to develop his career as well as the various secure coding projects he’s working on.


Leaders in DevSec with Lexi Condon

Lexi Condon’s career in security and secure coding began while she was working as a unit tester, but her interest in coding started much earlier than that when she realized she could modify games she played. Hear about how she decided to use these powers for good.


Securing Software with Erik Costlow

Erik Costlow, Director of Developer Relations at Contrast Security, shared a few tips on how to consider security at every stage of the development lifecycle so it doesn’t pop up at the last minute and cause delays. He offered three recommendations on how to do this: dependency analysis, static analysis, and instrumented analysis.


Discover the Secure Code Warrior Learning Platform

We secure software through developer-driven security at the start of the software development lifecycle.
