Stars: 450
Forks: 122
Pull Requests: 92
Issues: 36
Watchers: 25
Last Updated: 2023-09-16 03:15:05
The Secure Coding Dojo is a platform for delivering secure coding knowledge.
License: Apache License 2.0
Languages: HTML, Java, C, JavaScript, Shell, Dockerfile, C++, PHP, Hack, Groovy
The Secure Coding Dojo is a platform for delivering secure coding training. While it comes with its own vulnerable training application (the Insecure.Inc website) the training portal can be used in conjunction with other training applications. The strength of the platform is its extensibility and the integration with the commonly used development collaboration platform Slack. The training portal can be easily setup in the cloud and instructions for AWS Elastic Beanstalk setup are available below.
Be sure to also check the wiki for more details on deploying and installing the Dojo.
Download the demo to get a look and feel of the training portal and the Insecure.Inc application.
Also take a look in /screenshots
The following steps will get you the basic configuration for the Dojo. For advanced configuration and integrations check the wiki
Install Docker latest version.
Git clone the repository
Change directory to the repo root directory
Configure an environment variable DATA_DIR as a mount point for the dojo files. On *nix/mac modify .bash_profile as follows
export DATA_DIR="/YOUR_DATA_DIR"
On Mac you must allow Docker access to this directory in Docker > Preferences > File Sharing
Restart your terminal
Run with
docker-compose up
While open source training sites to teach application security concepts are not new the target audience for these sites has been pen-testers and ethical hackers. The Secure Coding Dojo is primarily intended as a delivery platform for developers and here's why:
While we don't guarantee compliance the training could be used to meet compliance requirements such as PCI 6.5.a. See Insecure.Inc curriculum document on mapping to SANS 25/ OWASP Top 10 / PCI 6.5
Training portal
Insecure.Inc
Training portal
Insecure.inc
Training portal
Insecure.Inc
Check out the wiki.
More info on the wiki.
You will need to create a Slack app for authentication.
Google authentication can also be configured in config.json. You will need a Google developer account and obtain the OAuth credentials from the Google API console: https://console.developers.google.com
In the same place you will setup your domain and authorized redirect URIs. For example for a localhost setup the redirect url would be: http://localhost:8081/public/google/callback
For small teams or pre-configured images Slack or Google authentication may not be an option. For this scenario you can configure authentication working with a local flat file.
Check the wiki for more information.
If you don't configure a DB the training portal will just use a local SQLite DB
You can also install MySQL and create a DB and credentials for that DB. Note your user name and password you will need them for later.
You will have to setup encryption keys as OS environment variables. On *nix/mac modify .bash_profile as follows
export ENC_KEY="put something random here"
export ENC_KEY_IV="put something random here"
The following is to prevent participants from generating their own challenge codes.
export CHALLENGE_MASTER_SALT="put something random here"
You can add new lessons by following the model of existing ones.
Challenges are defined in ./trainingportal/static/lessons The file definitions.json points to the corresponding html challenge description, play link and corresponding code blocks by code block id. Follow the already defined examples to create a new one.
.
+-- /trainingportal/static/lessons
| +-- modules.json //configuration file where lesson modules are defined
| +-- /attack-grams //visual representations of attacks included in challenge descriptions
| +-- /blackBelt //lesson module
| +--definitions.json //individual lesson definitions
| +--cwe494.md // html or markdown file including the lesson description
| +--cwe494.sol.md //solution for the lesson
| ....
| +--quiz.html
| +-- /secondDegreeBlackBelt
Code Blocks are defined in ./trainingportal/static/codeBlocks. This folder has a similar structure with a definition json and a bunch of html files for each challenge.
.
+-- /trainingportal/static/codeBlocks
| +-- codeBlocksDefinitions.json //configuration file where code blocks are defined
| +-- authenticationByDefault.html //code block description html
| ...
| +-- useStrongDataEncryption.html