See the latest Secure Code Warrior feature releases, product improvements and bug fixes.
February 1, 2021
Enabled PCI-DSS Recommendations course templates for security program managers to align training more tightly with PCI requirement 6.5. CONTENT
Added Secure Code Warrior Recommendations course templates so developers receive more up-to-date training on the high-priority vulnerabilities of a language. Compared to the OWASP Top 10 templates, these templates include newly emerging vulnerabilities and priorities revised based on the data we have. CONTENT
Added Intro templates for clients to have a quick and easy experience of a short Course. CONTENT
Supported TypeScript in the platform (20 Challenges). CONTENT
Our first iteration of the Sensei Cookbook Index is now available. Developers can find recipes and cookbooks that help them write high quality and secure code right inside the IDE. SENSEI
Enabled 4 more languages in Missions, including: CONTENT
Supported Korean in the platform, helping Korean developers who are not used to English material to focus more on learning instead of translating the content. CONTENT
Added more challenges to 7 languages: CONTENT
December 7, 2020
November 2, 2020
Missions can now be played in your subscription as a Bonus Level in Tournaments. PLATFORM
Three new language frameworks: CONTENT
Reinforce structured learning with just-in-time training snippets using GitHub Action workflows. Learn more about building coding skills at every stage of the SSDLC here. Get the Secure Code Warrior GitHub Action from the marketplace today!
Sensei is now available on the JetBrains Marketplace for organisations and developers to try for themselves. SENSEI
Increased the number of Python:Basic challenges to 59 challenges (Δ 17), providing greater content options for developers requiring framework-agnostic training. CONTENT
Reviewed Common Weakness Enumeration (CWE) mapping against platform vulnerability categories (more than 30%), with the inclusion of more CWE IDs (particularly for mobile-specific vulnerabilities). This review will significantly improve the reporting of challenge vulnerabilities. CONTENT
As an extension of platform anonymization, company admins will now have the option to hide API Key generation for ‘all roles’, providing increased personal information security when generating reporting API keys. PLATFORM
October 6, 2020
Enabled finish-date modification for published/unpublished courses. When you go to the course management pages of those courses, you will see an edit button under Course End Date.
Introduced a new scripting/command-line language, PowerShell, to the platform with 30 Challenges, securing your DevOps, DBA, and business automation teams' development.
Launched Secure Code Bootcamp on the Google Play Store. It is a free and interactive game for beginners to learn secure coding knowledge.
Extended anonymization capability to the whole platform, including Courses, settings, and search options. Companies are able to have No-PII reporting.
Introduced more challenges for 4 languages, providing more playtime and difficulty levels for these languages in tournaments:
Implemented more consistent naming conventions in learning resources videos, providing a better education quality.
Fixed the occasional max-point issue in mix-language tournaments. Maximum points are guaranteed to be the same for all participants, making tournaments fair for all.
September 7, 2020
Introducing standard Java with 68 Challenges, providing developers who code in Java (without any frameworks) with relevant security training.
10 additional languages have been enabled for Courses - Company admins and team managers can now create a course from scratch from these languages.
Added new Pseudocode content with challenges focusing on mobile vulnerabilities - 66 Challenges. These new additions allow non-coding users to experience, learn and understand the concepts around mobile vulnerabilities without needing to know or specialize in a specific coding language:framework.
New video content covering Mobile Vulnerabilities: Reverse Engineering/Code Information Leakage, Improper Session Handling/Client Side Session Token Generation.
New video content covering Web Vulnerabilities: Authentication/Forceful Browsing, Information Exposure/Error Details, Memory Corruption/Race Conditions.
Two updates for Courses: Custom Activity and End of Course Activity
Anonymization has now been enabled. Company Administrators are now able to toggle on the anonymization of personal identifiers on the platform. This will allow customers to comply with regulatory requirements that require personally identifiable information or performance information of individual users to be anonymized within the company.
Improvements have been made to existing Java:Spring challenges enhancing overall content and quality of challenges for the developer.
Improved Java:Enterprise Edition JSP challenges to provide developers with more solid training.
August 3, 2020
14 more language:frameworks are Courses ready:
Added "First Completion Date" in the Courses reporting API. Monitoring developers' study progress to meet compliance schedule is easier.
Anonymization for Tournament Leaderboard is now available, providing Company Admins more options to protect developers' privacy.
Team Managers and Company Admins will see better report accuracy when tracking developer engagement on the platform, due to improvements in the time calculations. This change will only affect time spent data after July 3rd.
Pseudocode challenges now cover all Web Vulnerability categories, providing developers and non-developers alike with a broader awareness of secure coding for web applications. 84 Challenges (▲38).
PL/SQL language is now Assessment ready with 35 Challenges (▲3).
Added more challenges in web languages:
Reworked the quality of 96 Java:Spring challenges, providing developers with more solid training.
July 6, 2020
Introducing two new language:frameworks to the platform:
New video content covering Web Vulnerability: Insufficient Transport Layer Protection/Unprotected Transport of Credentials
New video content covering Mobile Vulnerability: Improper Platform Usage/Tapjacking, Insecure Authentication/Client-Side Authentication For Authenticating To Server, Insecure Authentication/Misuse of Fingerprint, Insecure Authentication/Weak Lockout Mechanism, Improper Platform Usage/Incorrect Activity Configuration, Improper Platform Usage/Misuse of Intents.
Secure Code Warrior for Jira (Jira Cloud and Jira Server versions) has now been introduced to Public Labs, accessible through Atlassian Marketplace. Secure Code Warrior for Jira provides just-in-time contextual micro-learning (on-premises and cloud variant) to developers as they work to resolve security issues.
Improved localization of content. Platform admins can now select the language localization (US or UK English) relevant to their company, improving the immersiveness of content, user experience, and engagement.
Significant improvement of existing Pseudocode challenges, enhancing overall content and quality of challenges for the developer.
Addressed and implemented a number of user interface fixes, which aim to improve the overall user play experience and eliminate administrative confusion.
Significant improvement to the length of time to export training leaderboard and related reports; team admins will now receive the exported report by email in a more timely manner.
Performance improvement and scalability of reports resulting in faster response times and report retrieval for the user.
June 1, 2020
Introducing two new language:frameworks to the platform:
New video content will be made available in the following week, covering Mobile vulnerabilities: Lack Of Binary Protections/No Protection From Piracy, Unintended Data Leakage/Copy/Paste Buffer Caching (Pasteboard), Unintended Data Leakage/Logging Sensitive Information
New video content will be made available in the following week covering API Vulnerability: Access Control - Missing Object Level Access Control, Security Misconfiguration - Improper Permissions.
Courses is available to Secure Code Warrior Labs. Company Administrators will be able to opt-in to Secure Code Warrior Labs for a team or their entire company to test drive new features and offer feedback
Java Enterprise Edition (JSP) has now reached 373 Challenges (▲57).
Support for Microsoft Azure within the Ansible Basic Challenges providing content to support organizations using different cloud infrastructure.
Enhancement to the User Management API. You can now update your user’s email address programmatically via the API.
Added French spoken language support to the platform, improving navigation and overall user experience for French-speaking users by making the user interface content available in their native tongue.
April 5, 2020
Introduced three new language:frameworks to the platform:
New video content covering Mobile Vulnerabilities: Client-Side Injection/JavaScript Injection, Code Tampering/Backups Enabled, Extraneous Functionality/Autofill Password, Improper Platform Usage/Webview settings, Insecure data storage/Storage on SD card external storage, Insecure Authorization/Insecure direct object reference, Insecure Authorization/Using inputs from untrusted sources, Insecure Data Storage/Plaintext Storage Of Credentials, Insecure Data Storage/Storage In SQLite Databases, Insufficient Transport Layer Protection/Improper Certificate Pinning Configuration, Reverse Engineering/Emulation Detection.
We've introduced additional challenges to our Go content, providing developers of different experience levels from junior to senior with a greater variety of challenges to best suit their different skill levels - 184 challenges (▲29).
Improved team and user management capabilities via API:
Improved the retrieval performance of the Assessment Summary report (CSV), providing better insights to help manage teams.
Reviewed platform user interface when selecting Vulnerability Category options, ensuring that all options are relevant and up-to-date for the user.
The Weekly Active Summary report email has been reviewed and is showing the activity metrics of platform users for the client, helping provide better transparency on platform usage and utilization.
April 6, 2020
Introducing two new language: frameworks - Python:Basic, with 41 challenges and Java:Spring API with 35 challenges.
Java:Spring has reached 399 challenges (▲94).
C# (.NET):Web Forms has now reached 382 challenges (▲126).
Ruby:Rails now Mixed Tournament Ready with 233 challenges (▲14).
Improved quality of challenges for Kotlin:Android SDK.
March 9, 2020
Introducing new language: framework Perl:Dancer2, with 31 Challenges.
Added new Web vulnerability video resources covering: Side Channel Vulnerability/Timing Attack, Access Control/Using input from untrusted sources, Business Logic/Insufficient Validation, Injection/CSS Injection, Memory Corruption/Double Free, Injection Flaws/Log Forging.
Java: Enterprise Edition (JSP) has reached 314 challenges (▲79).
Improved quality of Challenges for C# (.NET):MVC.
Revised accuracy of Chinese and Spanish translations.
Improved usability when playing Challenges to help developers choose the correct solution when fixing a vulnerability.
Fixed vulnerability category display issue when playing 'Identify' stage.
February 10, 2020
Expanding on last month’s newly introduced Infrastructure-as-Code language: frameworks, we’ve added two new Infrastructure-as-Code language: frameworks - Ansible (▲24) and Docker (▲24).
New training videos covering Mobile languages: Broken Cryptography/Insecure Generation Of Encryption Keys, Broken Cryptography/Insecure Storage Of Encryption Keys, Broken Cryptography/Reuse Of Initialization Vector, Broken Cryptography/Use Of Hardcoded Keys, Client Code Quality/Improper Memory Management.
Enhanced tool-tips and guidance for Administrators and Team Managers when editing Assessments to help make them aware of what edits will create a new Assessment version.
More challenges for Node.js (Express) now at 279 challenges (▲5).
C# (.NET): Webforms and Java: Enterprise Edition (JSF) are now mixed-tournament ready with 274 and 146 challenges respectively.
January 13, 2020
First Infrastructure-as-Code (IaC) language:frameworks now available covering Terraform (▲24) and AWS CloudFormation (▲32).
Introduce 39 new challenges covering Server-Side Request Forgery (SSRF) vulnerability sub-category for JavaScript, C#, and Python programming languages.
Foster genuine learning by limiting the number of Assessment attempts within a specified timeframe.
Multiple API Keys – Company Admins now have the ability to generate more than one Report or Admin API Key for their Company.
Updated user object in API so that a Developer's preferred programming language can be specified.
PL/SQL, one of our most played language:frameworks, is now top-10 ready with 25 challenges available (▲17).
Additional Challenges for C#(.NET): MVC (▲101), C#(.NET):WebForms (▲22), Java:Spring (▲32), JavaScript:NodeJS (▲8), Python:Django (▲5), Java Enterprise:JSF (▲4), and Java:Servlets (▲5).
Updated mobile vulnerability video resources covering: Reverse Engineering, Insufficient Transport Layer Protection, Extraneous Functionality, Broken Cryptography and Code Tampering.
December 1, 2019
Brand-new help menu to instantly access 24x7 knowledgebase, request support and keep up-to-date with the latest news and advice from Secure Code Warrior.
All new languages C#(NET):API and Java:Servlets (Jackson) are Top 10 Ready. C#(NET):API is our first API-only language, and Jackson is a popular and efficient Java-based library to serialize or map Java objects to JSON and vice versa.
New and improved Direct Linking Content Mappings against CWE, OWASP and VRT (Vulnerability Rating Taxonomy), plus improved statistics to track leads being generated by our Partner Integrations.
5x new videos cover web vulnerabilities and 2x specifically for API vulnerabilities covering: Improper Assets Management and Mass Assignment.
Added preferred development language:framework(s) to account profiles for a more tailored gamified learning experience.
API now supports team management level role Reporting and Admin keys for better data segregation across an organisation.
More than 300 challenges for C#:MVC (▲70) – that's over 15hrs of playing time!
Mixed Tournament Ready for GO (▲23), and Scala:Play (▲21).
Additional Challenges for Swift:iOS SDK (▲17), C (▲10), C++ (▲5), Java:Spring (▲5), Javascript:Node.JS (▲5) and Java EE:JSP (▲2).
Certified ISO27001 for information security management.
November 4, 2019
API Version 2: Streamline user management, and save time by programmatically managing users and building management reports with new reporting metrics and better filtering. Ability to programmatically assign users to assessments now also available.
6x New video learning resources for web vulnerabilities covering: Authentication/Improper Authentication, Authentication/Insecure Password Change Function, Authentication/Insecure Password Reset Function, Authentication/Insufficient Anti-Automation, Security Misconfiguration/Disabled Security Features, Lack of Resources and Rate Limiting.
New Challenges for Swift (▲33), Python:Django (▲29), C (▲28), GO (▲8), JavaScript:Node.js (▲8), Java EE - JSP (▲6), C# Web Forms (▲4), C# MVC (▲4) and Java:Spring (▲2).
Updated brand and messaging for email templates.
Fixed issue preventing the generation of PDF Certificates for Assessments.
October 14, 2019
6x New video learning resources for web vulnerabilities covering: Insufficient Logging, Information Exposure - Sensitive Data Exposure, Cross-Site-Scripting - DOM-Based XSS, Authentication, Server-Side Request Forgery and Insecure Cryptography - Exposed Keys.
New Challenges for Ruby:Rails (▲62), C# Web forms (▲15), Java:Spring (▲6), Java EE: JSP (▲7), and C (▲4).
Replaced 12 vulnerability categories across Mobile (8) and Web (4) video learning resources with 25 finer-grained vulnerability sub-category resources for a more focused learning experience.
Prevent Players from enrolling in superseded Assessments.
Added new email deliverability status for Company Administrators and Team Managers to see if an email has bounced.
Fixed issues when creating Tournaments with C# (.NET) Core.
Migration to the Future Ready Platform that will deliver a more scalable, higher quality product at velocity.
September 9, 2019
New C#.NET CORE language:framework is Top-10 Ready with 40 Challenges.
New challenges for Platinum languages: C#:MVC (▲19), C#:WebForms (▲8), Java: Spring (▲21), Java: Enterprise Edition - JSP (▲27), JavaScript: Node.JS (▲21).
Improved Partner Integration for MicroFocus with increased mappings of vulnerabilities and training content.
Various back-end performance improvements to deliver a faster first-time login and better player experience.
Resolved issue of missing Tournament Missions (Quests) when geo-blocked countries had been enabled.
August 5, 2019
New challenges elevate Java:AndroidSDK to Gold Status + Mobile Mixed-Tournament Ready (▲51) and Python:Django now has over 170 challenges (▲36).
Change main navigation menu order to better align user experience with AppSec program rollouts.
Fixed over 40 bugs for more accurate challenges across available language/frameworks.
Enhanced monitoring to deliver a better end-user experience by accurately viewing end-user page load times and reporting of application errors.
Additional capacity and performance for the Secure Code Warrior infrastructure to speed up our overall service.
July 1, 2019
Grammatical improvements for our platinum languages including: Python Django, NodeJS, C# MVC and Pseudocode.
New Challenges now available for many of our supported languages and frameworks, including C with more than 100 challenges and GO with over 130.
Aligned training points calculation between UI display and report, CSV export and REST API. No underlying data was changed or altered.
June 3, 2019
New "Last Nudged" timestamp has been added to better manage team communications and improve engagement.
Mobile Languages are now available to be played in Mixed Tournaments.
Grammatical errors have been fixed in Java Spring.
Removed videos from categories where they were irrelevant, to prevent a points penalty when using hints.
Fixed missing API timestamps for invitations and registration reports.
May 1, 2019
Privacy Policy link added for greater transparency and convenience.
Grammatical errors have been fixed for Java EE (JSP) and C++.
April 1, 2019
Training ground improvements for Scala Play and Python Django.
Fixed sound issues in Web App Security 101.
Load Monitoring enabled to deliver a more secure and scalable platform.
Logging API operations enabled to increase platform security.