SecDim Play Level Builder

SecDim Play is an open training game for secure programming. It is available to community to foster secure programming skills.

It is very easy to make game levels.

Each level is an app with a security bug and two sets of tests: usability and security. Usability tests are always given to the player, while security tests, depending on the level difficulty, may not be given.

Usability tests should always pass, however security tests should fail as they test for a security bug in the app.

Step 1: Pre-requisites

Fork and clone this repository.

Install docker and make and development environment for the language that you are going to build a level.

Step 2: Initialise

To get the SDK, in a terminal, run ./build.sh, then select init and enter a language.

This will create a directory called level with a sample vulnerable app and test suites.

Currently supported languages are:

python, go, typescript, javascript, C# (csharp), java, solidity

Step 3: Create a private repository

Create a private repository on github and clone it.

cd ../
git clone github.com/my-user/my-private-repo

From SDK copy the level directory and build.sh to your private repository.

cp -r ../sdk/level .
cp ../sdk/build.sh .
cd level/

Step 4: Add a security bug

In this task you will modify the sample app to introduce a security bug.

1. make build To build the app’s container image.

2. make run to run the container.

3. make test to run the usabiity tests.

4. make securitytest to run security tests. Security tests fail because sample app has a security bug. This is intended.

5. make debug give a shell from container and maps src directory from host to the container.

To begin:

1. Review the code and tests in src/ directory.

2. Refactor it to introduce a security bug:

   1. Remove the sample security bug, usability and security tests.

   2. You can completely refactor the app and tests.

   3. You can add a new functionality or modify existing functionalities.

   4. Add a usability test for new or modified functionalities.

   5. Remember your bug must be a security vulnerability.

Tip	Looking for an idea? CWE Top 25 or SemGrep Registry have sample codes with security bugs.

Step 5: Add security test(s)

In this task you will add security test(s) to test for the security bug

1. Test title should include what is tested and what is expected: test_whenAmountisIntMax_shouldThrowRangeErrorException

2. make build && make securitytest to run security tests. They should fail.

Step 6: Create a patch

In this task you will create a patch for the security bug.

1. git checkout -b patch to create a patch branch

2. Patch the program

3. make build && make test && make securitytests to run all tests. They should pass.

Note	This patched branch will NOT be provided to the players and it is only used to verify if level is solvable.

Step 7: Verify

• ❏ ./build.sh > verify: to verify if everything is okay

• ❏ Update level/Readme.adoc (NOT this file!) with a level story/incident, level and any pre-requisites.

• ❏ Remove unnecessary files and directories

Step 8: Push

git push both master and patch branches.

git push
git push -u origin patch

Add secdim as one of the contributers/collaborators to your private repository. A friendly SecDim team member will review your level and will be in touch for the next step.

Done!

Important notes

1. Remember to push both master and patch branches.

2. Usability tests must always pass in both master and patch branches.

3. Security tests must pass in patch branch but fail in master branch.

Troubleshooting

Ask your question on SecDim Discuss