Can gamification unite development and security?
Despite years of effort encouraging a DevSecOps approach, development and security teams tend to remain divided. For example, according to 2020 research, 65% of security professionals reported that their companies had successfully shifted security left. Good, right? But the same research also shows that almost a third of people believe the security team is primarily responsible for security — despite shifting left.
The persistence of these silos shows that crossing the divide between development and security teams won’t be simple. Achieving the potential of DevSecOps will require creativity — and even play. Gamification — applying game mechanics to non-game contexts — can be an important way of encouraging teams to work together towards a common goal.
Gamification of developer security is also a topic that comes up on The Secure Developer podcast. In this article, we’ll take a look at a few ways some expert guests from The Secure Developer gamified security.
Turn security into a game and watch your company win
Capture the flag (CTF) is an almost universally recognizable game played in schoolyards across the country. With some creativity, says Snyk Co-Founder Danny Grander on episode 6 of The Secure Developer podcast, CTF can be adapted into a game that encourages developers and security engineers to practice creativity and collaboration.
Security CTF pits individuals or teams against each other in a hacking competition. Teams compete in a range of security challenges, including cryptography, steganography, and reverse engineering.
There are two variants of CTF: jeopardy and attack-defense.
- In jeopardy, there are dozens of separate challenges. The winning team is the one that solves the most challenges by the time the competition ends.
- In attack-defense, each team has to protect a given set of systems and services while also attacking the other team. “It’s much more dynamic,” says Grander, “and represents reality better.”
The flag is usually a string or a hash. Teams need to develop an exploit, attack the other team’s systems to capture the flag, and submit it to a website to get points. “It’s similar to the outdoor game,” says Grander, “where every team has a flag on their system, and each team should attack the others and capture the flag by compromising others’ systems.”
Developers and security engineers have to work well together. Winning the game not only means protecting your flag and stealing the other flag — it requires maintaining adequate performance levels. Grander explains that if your services go down and you edit some firewall rules to prevent communication to those services, your team will actually lose points. Similarly, if you patch your service, but the patch hurts performance, you will also lose points.
By combining the fun, competitive elements of attack and defense with the realistic need to maintain a performant service, CTF can provide developers and security engineers with an entertaining, engaging way of learning how to work together.
Make relationship-building an RPG
In role-playing games (RPGs), players assume the role of a character in a complex world, one that often grants players the freedom to explore, talk to other characters, and pursue self-selected quests. In these games, there’s usually a main quest that involves the player saving the world, but to succeed, the player also has to build relationships with other characters so that they can get information, gain resources, and find allies.
Similarly, though the main quest of a security engineer might be building a resilient security program, the efforts toward that work can be informed by an RPG-like journey along the way — so says Joshua Gamradt, Director of Rugged DevOps at UnitedHealth Group, on episode 97 of The Secure Developer podcast.
“If you put yourself into a kind of video game mindset,” Gamradt says, “you’re always walking around talking to villagers, talking to people in the town, and they’re telling you a story. They’re telling you, ‘Hey! I went through this issue’ or ‘This is a problem that I have. I need you to help me solve it.’”
In video games, as in security, hearing people’s stories isn’t just a way to pick up side quests but also a way to inform your understanding of the world you’re playing in. According to Gamradt, his work creating connections and developing relationships within his company helped him “broaden the understanding of what security means across an entire organization and not just within the security space.” Even if a company has succeeded in making security everyone’s concern, that doesn’t mean everyone thinks about security in the same way.
Gamradt found it essential to build those relationships because they enabled him to “see where the gaps are and where things exist today that we should be trying to focus on closing.” By gamifying the relationship-building process, Gamradt was able to incentivize the work of understanding security across the organization.
Transform metrics into quests
Quests can break up long-running games into digestible chunks. The game becomes more playable, and the player feels motivated to make progress.
Knowing this, Gamradt turned to games as a metaphor again when he worked on a security advocate program at UnitedHealth Group. He and his team built the program around three main quests, all focused on encouraging secure coding.
Gamradt used a platform that tasked engineers with examining code to identify vulnerabilities using the OWASP Top 10. According to Gamradt, engineers had to figure out “how to identify the vulnerabilities within this code and then do you fix it?”
Gamradt saw success: engineers trusted the program and felt a lot of excitement about “wanting to be a part of this game.”
The program presented an engaging way for developers and security engineers to practice secure coding and familiarize themselves with the most common vulnerabilities. The main quest for the company was to increase the number of security advocates.
“The goal,” says Gamradt, is to “make a correlation between the amount of security advocates in a particular product or application. [Then] apply that to the correlation of how many vulnerabilities are being reduced.” The game increased the number of security advocates, and more security advocates, in theory, reduced the number of vulnerabilities.
Listen to the full episode to learn how Gamradt has modeled the program on RPGs, how learning is rewarded, and how they’re driving engagement.
Gamification turns knowledge into practice
How can people across countries, age groups, and cultures — often without knowing each other — unite to work toward a common goal? Collaboration in that context sounds difficult, but any number of online games make it a daily reality. In these games, the goals can be as simple as defeating an enemy in Call of Duty or as complex as using the strengths of wildly different characters to bring down another team in a game like Overwatch. Collaboration becomes essential, and people with different backgrounds and skill sets can work together to win.
Turning security into a game can provide similar benefits, with gamification offering a structure and set of incentives for working together.
Everyone knows security and development teams should work together, and everyone agrees security is important. A good game, however, can turn belief into action and knowledge into practice. By encouraging people to win, companies can achieve the even greater victory of building lasting security practices.