GitHub has launched a new project, the Secure Code Game, aimed at helping developers avoid typical programming vulnerabilities. The tutorial, which forms part of the GitHub Skills training, consists of five levels, each offering code templates with vulnerabilities, which developers must detect before moving on to the next level. The focus of the game is on general measures for secure code, rather than specific techniques of the version control platform. It is intended to help developers keep security in mind from the early stages of development.
The Secure Code Game repository currently contains five code templates, written in either Python or C, with varying levels of difficulty. One exercise involves an e-shop hack that enables users to order a TV without payment, while others relate to database exploits and encrypted passwords. The GitHub Skills training is primarily aimed at introducing developers to the GitHub platform and its tools; however, the Secure Code Game focuses specifically on promoting secure code.
To ensure that the fixed code is not only safe but also functional, the game includes files for unit testing. The repository also provides a quick guide to completing the exercises, with a button that sets up a fresh repository for registered GitHub users. That repository can be public or private, though the use of GitHub Actions is limited for private repositories.
Exercises can be completed either locally in an IDE or source code editor or via GitHub Codespaces. GitHub also recommends the in-house security analysis engine CodeQL for three of the exercises. Full details of the Secure Code Game can be found on the GitHub blog, along with the code and installation instructions in the associated repository.
The GitHub Skills training is part of a range of initiatives aimed at promoting secure development practices. The 2023 heise devSec conference on secure software development, taking place on September 12th and 13th in Karlsruhe, will focus on the importance of secure software in the development process. A call for proposals for lectures and workshops is open until March 31st, and an online theme day on the subject of 2FA (multi-factor authentication) will take place on May 16th.