How I learned Application Security with the OWASP Secure Coding Dojo

Angie
3 min read · Oct 26, 2023


Photo by Canva

Are you interested in learning how to build more secure software applications? Application security is crucial for any developer these days. I was excited to try the OWASP Secure Coding Dojo, a free training platform for learning about common software vulnerabilities.

In this post, I’ll give you an overview of the Secure Coding Dojo and share my experience using it to solve some sample challenges.

What is the OWASP Secure Coding Dojo?

Photo by Clément Hélardot on Unsplash

The Secure Coding Dojo is an interactive training platform that teaches secure coding practices through lessons and challenges. It was originally developed at Trend Micro and donated to OWASP in 2021, where it is now maintained as an OWASP project.

According to the OWASP Secure Coding Dojo website, some key features include:

- Integrates with enterprise environments using Slack, Google, and LDAP for authentication

- Allows grouping participants into teams to track progress

- Each lesson is structured as an attack/defense pair — learn about vulnerabilities by exploiting them, then learn secure defenses

- Predefined lessons based on OWASP Top 10 and CWE/SANS Top 25 most common errors

- Browser-based — no need to install tools!

The Dojo focuses on demonstrating vulnerabilities and secure coding techniques rather than getting stuck on elaborate CTF-style puzzles. I love that it’s free and easy to use in any browser.

Trying Out the Challenges

Photo by James Harrison on Unsplash

I started with the “Input Validation” and “Parameterized Statements” lessons.

The first challenge presented a code snippet vulnerable to command injection due to improper input validation. I had to choose the option that used allow listing (accepting only input that matches the expected format) rather than a simple blocklist (rejecting a few known-bad characters, which an attacker can usually work around). Proper input validation matters: according to OWASP, it can remove up to 90% of the attack surface. It is a first line of defense, though, not a replacement for calling the operating system through a safe API that never hands user input to a shell.
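To make the allow list versus blocklist point concrete, here is an added example written for this post; it is not the Dojo's own lesson code. It assumes a POSIX shell (`/bin/sh`) and uses `echo` in place of a real network tool such as `nslookup`, so the injected command is harmless. The hostname regex, the `lookup_*` function names and the attacker inputs are all constructed for the example.

```python
import re
import subprocess

# Constructed attacker inputs: one uses ';' to chain a second command,
# the other uses $(...) command substitution, which a naive blocklist misses.
INJECTED_INPUT = "example.com; echo INJECTED"
BYPASS_INPUT = "example.com $(echo INJECTED)"


def lookup_vulnerable(host: str) -> str:
    """Vulnerable: user input is concatenated into a command line that the
    shell parses, so shell metacharacters in `host` become extra commands."""
    cmd = "echo " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_blocklist(host: str) -> str:
    """Still vulnerable: a blocklist only catches the metacharacters its
    author thought of ($(...), backticks and newlines are not on this list)."""
    for bad in (";", "&&", "|"):
        if bad in host:
            raise ValueError("rejected by blocklist: " + repr(host))
    return subprocess.run("echo " + host, shell=True, capture_output=True, text=True).stdout


# Allow list: DNS labels of letters, digits and interior hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*",
    re.IGNORECASE,
)


def validate_hostname(host: str) -> str:
    """Accept only strings that look like a hostname; reject everything else."""
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname: " + repr(host))
    return host


def lookup_safe(host: str) -> str:
    """Hardened: validate against the allow list, then pass the value as a
    single argv element with no shell, so it is never parsed as a command."""
    host = validate_hostname(host)
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def attempt(fn, host: str) -> str:
    """Run one lookup and report either its output or that the input was rejected."""
    try:
        return fn(host)
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_blocklist, lookup_safe):
        for host in ("example.com", INJECTED_INPUT, BYPASS_INPUT):
            print(f"{fn.__name__:18} {host!r:40} -> {attempt(fn, host)!r}")
```

The blocklist version rejects the `;` payload but happily runs the `$(...)` payload, which is exactly the failure mode the lesson warns about. The safe version rejects both, and even if the regex were too permissive, the argv form without `shell=True` means the value could only ever be one argument to `echo`.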

The second challenge involved an SQL query vulnerable to injection. I prevented the injection by using a parameterized query with placeholders instead of concatenating user input, so the input is bound as data by the database driver and can never change the structure of the statement.

For both challenges, it was illuminating to see vulnerable code contrasted with more secure implementations. I appreciated the tips explaining why certain practices, like allow listing and parameterized queries, are more secure.

Takeaways

Photo by Kevin Ku on Unsplash

Working through just a couple of lessons, I gained:

- Awareness of common flaws like command injection and SQLi

- Hands-on experience exploiting and fixing vulnerabilities

- Understanding of security best practices like input validation and parameterized queries

I love that the OWASP Secure Coding Dojo lets you learn by doing in a risk-free environment. You can sharpen your security skills without building vulnerable sample apps yourself.

The interactive lessons and instant feedback make learning fun, too! I look forward to completing all the challenges on input validation, authentication, access control, and more.

I highly recommend checking out the OWASP Secure Coding Dojo to improve your application security knowledge. It’s free, beginner-friendly, and a great hands-on learning tool.

Let me know if you give it a try! I’d love to hear about your experiences learning with the Secure Coding Dojo.

Thanks for reading!


I hope that you have a wonderful day. ✨
