< Updates />

November

November 2, 2020

NEW

Missions can now be played in your subscription as a Bonus Level in Tournaments. [PLATFORM]

  • Bonus Levels in Tournaments are now automatically enabled for eligible language:frameworks (unless disabled by an Admin), increasing the difficulty of the tournament and making it more engaging for more experienced developers.
  • 40 Missions will be made available in 7 Web languages - C# Core, C# MVC, C# Webforms, Java Enterprise Edition, Java Spring, Node.js Express, Python Django. Additional languages will be progressively added. [CONTENT]


Three new language frameworks:  [CONTENT]

  • Kotlin Spring API (35 challenges) allows back-end developers to train and explore the Kotlin language through the Spring API framework library.
  • JavaScript: Basic (45 challenges) provides developers with a framework-agnostic option for JavaScript content. This opens up the platform to broader appeal, serving developers who do not want content that is limited to a specific framework library.
  • Salesforce APEX (46 challenges). Salesforce APEX, used on the Salesforce platform, allows customers to extend the capabilities of Salesforce for their specific needs. Your SFDC instance contains essential customer and confidential information. With this new content you can now ensure developers and contractors touching or interacting with your code base are coding securely. Invite them to your team today. Find out how you can invite your Salesforce APEX developers to the platform here.

Reinforce structured learning with just-in-time training snippets using GitHub Action workflows. Learn more about building coding skills at every stage of the SSDLC here. Get the Secure Code Warrior GitHub Action from the marketplace today!

Sensei is now available on the JetBrains Marketplace for organisations and developers to try for themselves. [SENSEI]

  • Added the ability to add tags onto recipes, allowing users to add custom metadata which can be used to categorize and group recipes.
  • Added our variable browser into the recipe editor in more places. The variables shown are relative to the selected target. This helps developers understand their code and craft a good recipe with less effort.

IMPROVEMENTS

Increased the number of Python:Basic challenges to 59 (Δ 17), providing greater content options for developers requiring framework-agnostic training. [CONTENT]

Review of Common Weakness Enumeration (CWE) mapping against platform vulnerability categories (more than 30%), with the inclusion of more CWE IDs (particularly for mobile-specific vulnerabilities). This review will significantly improve the reporting of challenge vulnerabilities. [CONTENT]

As an extension of platform anonymization, company admins will now have the option to hide API Key generation for ‘all roles’, providing increased personal information security when generating reporting API keys. [PLATFORM]

October

October 6, 2020

NEW

  • Enabled finish-date modification for published/unpublished courses. When you go to the course management pages of those courses, you will see an edit button under Course End Date.
  • Introduced a new scripting/command-line language, PowerShell, to the platform with 30 Challenges, securing your DevOps, DBA, and business automation teams' development.
  • Launched Secure Code Bootcamp on the Google Play Store. It is a free and interactive game for beginners to learn secure coding.

IMPROVEMENTS

  • Extended anonymization capability to the whole platform, including Courses, settings, and search options. Companies are able to have No-PII reporting.
  • Introduced more challenges for 4 languages, providing more playtime and difficulty levels for these languages in tournaments: Perl:Dancer 2 - 90 Challenges (▲15), C#(.NET):Core - 176 Challenges (▲126), Java:Spring - 495 Challenges (▲53), Java:Enterprise Edition (JSP) - 475 Challenges (▲60).
  • Implemented more consistent naming conventions in learning resource videos, providing better education quality.

FIXES

  • Fixed the occasional max-point issue in mixed-language tournaments. Maximum points are guaranteed to be the same for all participants, making tournaments fair for all.

September

September 7, 2020

NEW

  • Introducing standard Java with 68 Challenges, providing developers who code in Java (without any frameworks) with relevant security training.
  • 10 additional languages have been enabled for Courses - Company admins and team managers can now create a course from scratch in these languages: Rust - 31 Challenges, Java:Servlets - 40 Challenges, Java:Struts - 51 Challenges, JavaScript:React Native - 64 Challenges, JavaScript:Vue.js - 30 Challenges, Perl:Dancer2 - 75 Challenges, PHP:Symfony - 44 Challenges, Angular 1 - 8 Challenges, Swift:iOS SDK - 141 Challenges, PL/SQL - 44 Challenges.
  • Added new Pseudocode content with challenges focusing on mobile vulnerabilities - 66 Challenges. These new additions allow non-coding users to experience, learn and understand the concepts around mobile vulnerabilities without needing to know or specialize in a specific coding language:framework.
  • New video content covering Mobile Vulnerabilities: Reverse Engineering/Code Information Leakage, Improper Session Handling/Client Side Session Token Generation.
  • New video content covering Web Vulnerabilities: Authentication/Forceful Browsing, Information Exposure/Error Details, Memory Corruption/Race Conditions.
  • Two updates for Courses: Custom Activity and End of Course Activity
  • Anonymization has now been enabled. Company Administrators are now able to toggle on the anonymization of personal identifiers on the platform. This will allow customers to comply with regulatory requirements that require personally identifiable information or performance information of individual users to be anonymized within the company.

IMPROVEMENTS

  • Improvements have been made to existing Java:Spring challenges enhancing overall content and quality of challenges for the developer.
  • Improved Java:Enterprise Edition JSP challenges to provide developers with more solid training.

August

August 3, 2020

NEW

  • 14 more language:frameworks are Courses ready. 5 Infrastructure-as-Code languages: Ansible - 50 Challenges (▲26), Docker - 37 Challenges (▲1), CloudFormation - 36 Challenges, Terraform - 24 Challenges, Kubernetes - 31 Challenges (▲7). 6 API language:frameworks: C# (.NET): Web API - 47 Challenges (▲3), Java:Spring API and Java:EE API both have 35 Challenges, JavaScript:Node.js API, GO:API, and Python:API each have 35 Challenges. 3 others: Objective-C - 76 Challenges, Python:Flask - 60 Challenges (▲16), C# (.NET):Basic - 40 Challenges.
  • Added "First Completion Date" in the Courses reporting API. Monitoring developers' study progress to meet compliance schedules is now easier.
  • Anonymization for Tournament Leaderboard is now available, providing Company Admins more options to protect developers' privacy.

IMPROVEMENTS

  • Team Managers and Company Admins will see better report accuracy when tracking developer engagement on the platform, due to improvements in the time calculations. This change will only affect time spent data after July 3rd.
  • Pseudocode challenges now cover all Web Vulnerability categories, providing developers and non-developers alike with a broader awareness of secure coding for web applications. 84 Challenges (▲38).
  • PL/SQL language is now Assessment ready with 35 Challenges (▲3).
  • Added more challenges in web languages: Java:Spring - 507 Challenges (▲106), Java:Servlets - 40 Challenges (▲3), C# (.NET):Web Forms - 382 Challenges (▲10), Ruby:Rails - 234 Challenges (▲8), Scala:Play - 201 Challenges (▲8), PHP:Symfony - 44 Challenges (▲3).
  • Reworked the quality of 96 Java:Spring challenges, providing developers with more solid training.

July

July 6, 2020

NEW

  • Introducing two new language:frameworks to the platform: Python: Web API with 35 Challenges. Go: Web API with 35 Challenges.
  • New video content covering Web Vulnerability: Insufficient Transport Layer Protection/Unprotected Transport of Credentials
  • New video content covering Mobile Vulnerability: Improper Platform Usage/Tapjacking, Insecure Authentication/Client-Side Authentication For Authenticating To Server, Insecure Authentication/Misuse of Fingerprint, Insecure Authentication/Weak Lockout Mechanism, Improper Platform Usage/Incorrect Activity Configuration, Improper Platform Usage/Misuse of Intents.
  • Secure Code Warrior for Jira (Jira Cloud and Jira Server versions) has now been introduced to Public Labs, accessible through Atlassian Marketplace. Secure Code Warrior for Jira provides just-in-time contextual micro-learning (on-premises and cloud variant) to developers as they work to resolve security issues.

IMPROVEMENTS

  • Improved localization of content. Platform admins can now select the language localization (US or UK English) relevant to their company, improving the immersiveness of content, user experience, and engagement.
  • Significant improvement of existing Pseudocode challenges, enhancing overall content and quality of challenges for the developer.

FIXES

  • Addressed and implemented a number of user interface fixes, which aim to improve the overall user play experience and eliminate administrative confusion.
    -- Identified and fixed an issue where the solution dropdown could not be selected by the developer.
    -- Fixed an issue where changes to the title of a course were not being reflected when viewed by the developer.
  • Significant improvement to the length of time to export training leaderboard and related reports; team admins will now receive the exported report by email in a more timely manner.
  • Performance improvement and scalability of reports resulting in faster response times and report retrieval for the user.

June

June 1, 2020

NEW

  • Introducing two new language:frameworks to the platform: JavaScript:Vue.js with 30 Challenges, Node.js API with 35 challenges.
  • New video content will be made available in the following week, covering Mobile vulnerabilities: Lack Of Binary Protections/No Protection From Piracy, Unintended Data Leakage/Copy/Paste Buffer Caching (Pasteboard), Unintended Data Leakage/Logging Sensitive Information
  • New video content will be made available in the following week covering API Vulnerability: Access Control - Missing Object Level Access Control, Security Misconfiguration - Improper Permissions.
  • Courses is available to Secure Code Warrior Labs. Company Administrators will be able to opt in to Secure Code Warrior Labs for a team or their entire company to test drive new features and offer feedback.

IMPROVEMENTS

  • Java Enterprise Edition (JSP) has now reached 373 Challenges (▲57).
  • Support for Microsoft Azure within the Ansible Basic Challenges, providing content to support organizations using different cloud infrastructure.
  • Enhancement to the User Management API. You can now update your user’s email address programmatically via the API.
  • Added French spoken language support to the platform, improving navigation and overall user experience for French-speaking users by making the user interface content available in their native tongue.

April

April 6, 2020

NEW

  • Introducing two new language:frameworks - Python:Basic with 41 challenges and Java:Spring API with 35 challenges.

IMPROVEMENTS

  • Java:Spring has reached 399 challenges (▲94).
  • C# (.NET):Web Forms has now reached 382 challenges (▲126).
  • Ruby:Rails now Mixed Tournament Ready with 233 challenges (▲14).
  • Improved quality of challenges for Kotlin:Android SDK.

May

April 5, 2020

NEW

  • Introduced three new language:frameworks to the platform: Kubernetes, an Infrastructure-as-Code language, with 24 challenges; Java:Enterprise Edition API with 35 challenges; and Rust with 31 challenges.
  • New video content covering Mobile Vulnerabilities: Client-Side Injection/JavaScript Injection, Code Tampering/Backups Enabled, Extraneous Functionality/Autofill Password, Improper Platform Usage/Webview settings, Insecure data storage/Storage on SD card external storage, Insecure Authorization/Insecure direct object reference, Insecure Authorization/Using inputs from untrusted sources, Insecure Data Storage/Plaintext Storage Of Credentials, Insecure Data Storage/Storage In SQLite Databases, Insufficient Transport Layer Protection/Improper Certificate Pinning Configuration, Reverse Engineering/Emulation Detection.

IMPROVEMENTS

  • We've introduced additional challenges to our Go content, providing developers of different experience levels from junior to senior with a greater variety of challenges to best suit their different skill levels - 184 challenges (▲29).
  • Improved team and user management capabilities via API:
    -- Better reporting - Managers are now able to retrieve detailed information on each team and its members via the API, providing managers with better insight to more efficiently manage their teams.
    -- User's last login date - Team managers are now able to see an individual user's last login date, providing managers with better visibility to monitor Platform usage.
  • Improved the retrieval performance of the Assessment Summary report (CSV), providing better insights to help manage teams.
  • Reviewed platform user interface when selecting Vulnerability Category options, ensuring that all options are relevant and up-to-date for the user.

FIXES

  • The Weekly Active Summary report email has been reviewed and is showing the activity metrics of platform users for the client, helping provide better transparency on platform usage and utilization.

March

March 9, 2020

NEW

  • Introducing new language: framework Perl:Dancer2, with 31 Challenges.
  • Added new Web vulnerability video resources covering: Side Channel Vulnerability/Timing Attack, Access Control/Using input from untrusted sources, Business Logic/Insufficient Validation, Injection/CSS Injection, Memory Corruption/Double Free, Injection Flaws/Log Forging.

IMPROVEMENTS

  • Java: Enterprise Edition (JSP) has reached 314 challenges (▲79).
  • Improved quality of Challenges for C# (.NET):MVC.
  • Revised accuracy of Chinese and Spanish translations.

FIXES

  • Improved usability when playing Challenges to help developers choose the correct solution when fixing a vulnerability.
  • Fixed vulnerability category display issue when playing 'Identify' stage.

February

February 10, 2020

NEW

  • Expanding on last month’s newly introduced Infrastructure-as-Code language:frameworks, we’ve added two new Infrastructure-as-Code language:frameworks - Ansible (▲24) and Docker (▲24).
  • New training videos covering Mobile languages: Broken Cryptography/Insecure Generation Of Encryption Keys, Broken Cryptography/Insecure Storage Of Encryption Keys, Broken Cryptography/Reuse Of Initialization Vector, Broken Cryptography/Use Of Hardcoded Keys, Client Code Quality/Improper Memory Management.

IMPROVEMENTS

  • Enhanced tool-tips and guidance for Administrators and Team Managers when editing Assessments to help make them aware of what edits will create a new Assessment version.
  • More challenges for Node.js (Express) now at 279 challenges (▲5).
  • C# (.NET): Webforms and Java: Enterprise Edition (JSF) are now mixed-tournament ready with 274 and 146 challenges respectively.

January

January 13, 2020

NEW

  • First Infrastructure-as-Code (IaC) language:frameworks now available covering Terraform (▲24) and AWS CloudFormation (▲32).
  • Introduce 39 new challenges covering Server-Side Request Forgery (SSRF) vulnerability sub-category for JavaScript, C#, and Python programming languages.

IMPROVEMENTS

  • Foster genuine learning by limiting the number of Assessment attempts within a specified timeframe.
  • Multiple API Keys – Company Admins now have the ability to generate more than one Report or Admin API Key for their Company.
  • Updated user object in API so that a Developer's preferred programming language can be specified.
  • PL/SQL, one of our most played language:frameworks, is now top-10 ready with 25 challenges available (▲17).
  • Additional Challenges for C#(.NET): MVC (▲101), C#(.NET):WebForms (▲22), Java:Spring (▲32), JavaScript:NodeJS (▲8), Python:Django (▲5), Java Enterprise:JSF (▲4), and Java:Servlets (▲5).
  • Updated mobile vulnerability video resources covering: Reverse Engineering, Insufficient Transport Layer Protection, Extraneous Functionality, Broken Cryptography and Code Tampering.

December

December 1, 2019

NEW

  • Brand-new help menu to instantly access 24x7 knowledgebase, request support and keep up-to-date with the latest news and advice from Secure Code Warrior.
  • All new languages C#(NET):API and Java:Servlets (Jackson) are Top 10 Ready. C#(NET):API is our first API-only language, and Jackson is a popular and efficient Java-based library to serialize or map Java objects to JSON and vice versa.
  • New and improved Direct Linking Content Mappings against CWE, OWASP and VRT (Vulnerability Rating Taxonomy), plus improved statistics to track leads being generated by our Partner Integrations.
  • 5x new videos cover web vulnerabilities and 2x specifically for API vulnerabilities covering: Improper Assets Management and Mass Assignment.
  • Added preferred development language:framework(s) to account profiles for a more tailored gamified learning experience.

IMPROVEMENTS

  • API now supports team management level role Reporting and Admin keys for better data segregation across an organisation.
  • More than 300 challenges for C#:MVC (▲70) – that's over 15hrs of playing time!
  • Mixed Tournament Ready for GO (▲23), and Scala:Play (▲21).
  • Additional Challenges for Swift:iOS SDK (▲17), C (▲10), C++ (▲5), Java:Spring (▲5), Javascript:Node.JS (▲5) and Java EE:JSP (▲2).

OPERATIONS

  • Certified ISO27001 for information security management.

November

November 4, 2019

NEW

  • API Version 2: Streamline user management, and save time by programmatically managing users and building management reports with new reporting metrics and better filtering. Ability to programmatically assign users to assessments now also available.
  • 6x New video learning resources for web vulnerabilities covering: Authentication/Improper Authentication, Authentication/Insecure Password Change Function, Authentication/Insecure Password Reset Function, Authentication/Insufficient Anti-Automation, Security Misconfiguration/Disabled Security Features, Lack of Resources and Rate Limiting.
  • New Challenges for Swift (▲33), Python:Django (▲29), C (▲28), GO (▲8), JavaScript:Node.js (▲8), Java EE - JSP (▲6), C# Web Forms (▲4), C# MVC (▲4) and Java:Spring (▲2).

IMPROVEMENTS

  • Updated brand and messaging for email templates.

FIXES

  • Fixed issue preventing the generation of PDF Certificates for Assessments.

October

October 14, 2019

NEW

  • 6x New video learning resources for web vulnerabilities covering: Insufficient Logging, Information Exposure - Sensitive Data Exposure, Cross-Site-Scripting - DOM-Based XSS, Authentication, Server-Side Request Forgery and Insecure Cryptography - Exposed Keys.
  • New Challenges for Ruby:Rails (▲62), C# Web forms (▲15), Java:Spring (▲6), Java EE: JSP (▲7), and C (▲4).

IMPROVEMENTS

  • Replaced 12 vulnerability categories across Mobile (8) and Web(4) video learning resources with 25 finer-grained vulnerability sub-category resources for a more focused learning experience.
  • Prevent Players from enrolling in superseded Assessments.
  • Added new email deliverability status for Company Administrators and Team Managers to see if an email has bounced.

FIXES

  • Fixed issues when creating Tournaments with C# (.NET) Core.

OPERATIONS

  • Migration to the Future Ready Platform that will deliver a more scalable, higher quality product at velocity.

September

September 9, 2019

NEW

  • New C#.NET CORE language:framework is Top-10 Ready with 40 Challenges.
  • New challenges for Platinum languages: C#:MVC (▲19), C#:WebForms (▲8), Java: Spring (▲21), Java: Enterprise Edition - JSP (▲27), JavaScript: Node.JS (▲21).

IMPROVEMENTS

  • Improved Partner Integration for MicroFocus with increased mappings of vulnerabilities and training content.
  • Various back-end performance improvements to deliver a faster first-time login and better player experience.

FIXES

  • Resolved issue of missing Tournament Missions (Quests) when geo-blocked countries had been enabled.

August

August 5, 2019

NEW

  • New challenges elevate Java:AndroidSDK to Gold Status + Mobile Mixed-Tournament Ready (▲51) and Python:Django now has over 170 challenges (▲36).

IMPROVEMENTS

  • Changed main navigation menu order to better align user experience with AppSec program rollouts.

FIXES

  • Fixed over 40 bugs for more accurate challenges across available language/frameworks.

OPERATIONS

  • Enhanced monitoring to deliver a better end-user experience by accurately viewing end-user page load times and reporting of application errors.
  • Additional capacity and performance for the Secure Code Warrior infrastructure to speed up our overall service.

July

July 1, 2019

IMPROVEMENTS

  • Grammatical improvements for our platinum languages including: Python Django, NodeJS, C# MVC and Pseudocode.
  • New Challenges now available for many of our supported languages and frameworks, including C with more than 100 challenges and GO with over 130.

FIXES

  • Aligned training points calculation between UI display and report, CSV export and REST API. No underlying data was changed or altered.

June

June 3, 2019

NEW

  • New "Last Nudged" timestamp has been added to better manage team communications and improve engagement.

IMPROVEMENTS

  • Mobile Languages are now available to be played in Mixed Tournaments.

FIXES

  • Grammatical errors have been fixed in Java Spring.
  • Removed videos from categories where they were irrelevant, to prevent a points penalty when using hints.
  • Fixed missing API timestamps for invitations and registration reports.

May

May 1, 2019

NEW

  • Privacy Policy link added for greater transparency and convenience.

FIXES

  • Grammatical errors have been fixed for Java EE (JSP) and C++.

April

April 1, 2019

IMPROVEMENTS

  • Training ground improvements for Scala Play and Python Django.

FIXES

  • Fixed sound issues in Web App Security 101.

OPERATIONS

  • Load Monitoring enabled to deliver a more secure and scalable platform.
  • Logging API operations enabled to increase platform security.