02 Mar, 2017

Introducing the nVisium On-Demand Training Platform

by Jack Mannino

When we set out to build an on-demand developer training platform, we wanted to focus on the most important part of any course: the student. Developers learn by using familiar tools and writing code, not by watching non-specific, generic content or playing contrived games. When discussing training options with some clients, the chief complaint about current Computer Based Training (CBT) solutions and gamified apps was that developers didn’t recognize the value in them. Additionally, security struggled internally to build support and adoption for these solutions with their development teams.

We’ve heard your complaints and we want to help. Rather than create a similar solution to what is already available in this space, we decided to go a different route. We wanted something practical, useful, and enjoyable to use, so as to reduce the friction for widespread adoption among developers. Using real software development tools and practical scenarios that make sense to developers, our On-Demand Training Platform (ODTP) engages developers to hone their craft by writing real code.

Our platform is made up of a few different components:

  1. Interactive grading engine - Developers find and fix vulnerabilities in our code in order to pass the course. There are no multiple choice questions; developers have to demonstrate competency.

  2. Never leave the browser - All exercises, content, etc. are done through the browser. No need to install any software on your client machines.

  3. Engaging content - Both written and video content demonstrate each of the vulnerabilities students will be graded on. We explain the issue, its impact, and how to both find and fix the flaw in our vulnerable code base.

  4. Aligned with the OWASP Top 10 - Almost every major compliance standard requires that the flaws listed in the OWASP Top 10 are covered in course material. Our training platform is no different.

  5. Language specific - Each course, whether its content, exercises, or additional categories of vulnerabilities, is geared towards a specific programming language.

We currently offer courses for Java, ASP.NET, and Python. iOS and Android will be available in Q2 of 2017.

In order to pass a lesson, and ultimately the course, a student must prove they have mastered the secure programmatic controls in each section of the course. Each section represents a category of a vulnerability, such as SQL Injection. We grade developers on what matters, writing secure code, not the number of times they watched the XSS video on an endless loop. The days of hoping developers actually watched the boring CBTs and absorbed something are over.


Let’s take a look at the view a new student gets when they sign up for our platform.

New Student View

First, they receive an invite to complete registration and obtain access to the course (or multiple courses). Once registration is completed, the student is guided through the process of using the platform. No human element is required.

The student then begins a review of the content in the course modules. Each module within the course has a set of videos that show how to identify weaknesses found in applications of the specific framework or language. In each section, the student will have an introduction to the vulnerability, learn how to identify the vulnerability, and then learn how to fix the vulnerability. For example, if this student is enrolled in the Java course, they would watch a video about the topic of SQL Injection, learn that string concatenation can be dangerous and why, and then learn how to write safe, parameterized queries in order to prevent it.

As mentioned, each course contains a fully functional vulnerable application that students will use to immediately test what they’ve learned. This vulnerable application contains security flaws encountered in real-world code, and they are mapped to the OWASP Top 10.

When the student is ready to move on to the remediation exercises, they start their browser-based Cloud IDE instance and fix the type of issues they’ve seen in the content. Finally, the student checks their code into our backend infrastructure to have it analyzed and graded.

Che Cloud IDE

When a student checks in code with Git (all without ever leaving their browser), a little bit of magic happens on the backend. Using a set of security-centric unit tests as well as other identification techniques, we let the student know if their code solved the problem or if they still have work to do. When their originally vulnerable, and now secure, application code passes all of the tests, then congratulations, they’ve mastered the course material.
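To make the idea of a security-centric unit test concrete, here is an added example that is not nVisium's grading code: a small grader that runs the same checks against a string-concatenated SQL lookup and its parameterized fix. The table, the function names, and the use of Python with an in-memory SQLite database are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data for the exercise.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def find_user_vulnerable(db, name):
    # Hypothetical "before" submission: query text built by concatenation.
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def find_user_fixed(db, name):
    # Hypothetical "after" submission: the value is bound as a parameter.
    return db.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()

def grade(find_user):
    """Run functional and security checks; return {check name: passed}."""
    db = make_db()
    results = {}
    # Functional check: the fix must not break normal lookups.
    results["returns_exact_match"] = (
        find_user(db, "alice") == [("alice", "a-secret")])
    # Security check: a quote in the input must be treated as data,
    # so a name that matches no user returns no rows.
    try:
        results["quote_is_data"] = find_user(db, "x' OR '1'='1") == []
    except sqlite3.Error:
        results["quote_is_data"] = False
    # Robustness check: a legitimate name containing an apostrophe works.
    db.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", "c-secret"))
    try:
        results["apostrophe_name_works"] = (
            find_user(db, "o'brien") == [("o'brien", "c-secret")])
    except sqlite3.Error:
        results["apostrophe_name_works"] = False
    return results

def passed(find_user):
    # A submission passes only when every check passes.
    return all(grade(find_user).values())
```

The functional check matters as much as the security checks: a submission that simply rejects every input would stop the injection but fail the lesson.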


No one likes to be chained to a desk when they have to get something done. After all, it’s 2017 and we’ve been mobile for ages already. Our users have grown to expect strong mobile support for every product they use, and this expectation should be no different for a training tool. Users of the nVisium On-Demand product can download the EdCast mobile application for iOS or Android and consume videos and written content on-the-go.

So, what if you have a big development team, and you want to track their progress? Well, you’ll be happy to know that our platform was built for large development teams, and you can pull all of the metrics you would ever want. You can track who’s completed the course, student activity, and which modules your developers are breezing through and which ones are making them work a little bit harder. You’ll also be able to sleep better at night because you’ll know your team passed because they were able to demonstrate mastery of practical skills, not because they let the OWASP Top 10 videos keep playing in the background while they browsed the web.

We hope you’ll take our platform for a spin and let us know what you think about it. If you’re interested in seeing more or in trying a full demo of the platform, please contact the nVisium team here: https://nvisium.com/contact/.