May 16, 2022
Create and manage courses more easily with our new Courses creation experience
Instead of taking time replicating the process, you can focus more on the content and strategy to help your developers learn more effectively with the new Courses.
Get early access to new features
You can now turn on new beta-testing features by using the Early Access options in the Administration area. No more manual enablement needed. Early Access options are currently available for company admins.
Secure ABAP applications with newly released training content
Finally, ABAP engineers can also enjoy developer-led security training. ABAP coding challenges are available across Training, Courses, Tournament, and Assessment playmodes (and Missions are coming soon).
April 14, 2022
NEW OWASP course templates - build upon your developer’s knowledge and security awareness. CONTENT
NEW Video: Path Traversal vulnerabilities - Prevent attackers from getting unauthorized access to files on your webserver. In this video learn how to identify and review file system interactions within an application. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorized access to files or even execute arbitrary code on the server. CONTENT
Get actionable secure coding guidance to resolve vulnerabilities faster - with our two new integrations. INTEGRATIONS
Serving improved quality content to help your developers get the most out of their training. CONTENT
Report on the progress and success of your application security program with improved Training metrics. CONTENT
March 14, 2022
Content now available for our latest (58th) language:framework - PHP:Laravel CONTENT
New challenges in existing language:frameworks have been added CONTENT
Want your Java developers to learn more about the Log4j vulnerability? You can now set up a course by adding only Log4j-specific activities to a course without having any other vulnerabilities in the mix. CONTENT
Consistent learning experience - a range of content quality updates were rolled out for the following languages:frameworks: CONTENT
Course template for Certification Level 5 (OWASP 6-10) has been introduced with 7 missions and 16 challenges. CONTENT
February 7, 2022
Released a public Log4j mission for developers to practice offensive skills. Inside the mission, developers will receive step-by-step guidance to mock-exploit the Log4j vulnerability in a simulated web browser. CONTENT
Added walkthroughs to 6 more existing course templates: CONTENT
Added 12 more walkthroughs (in total 26) to better align with OWASP Top 10 2021. Program managers can now build a comprehensive OWASP Top 10 2021 course with 1 walkthrough for each high-prevalence, high-impact subcategories. CONTENT
Added 10 more challenges to Java:Spring for support of OWASP Top 10 2021 (529 challenges). CONTENT
Updated all Certification Program courses templates with the latest OWASP Top 10 2021. CONTENT
Improved the support for deprecated content in courses and assessments, preventing confusion among developers. Before this update, the existing courses or assessments with deprecated content would use random challenges to fill in the gap, which led to confusion. From now on, developers can continue to assess the deprecated challenges instead of random ones, along with a warning explaining that these are outdated content. CONTENT
December 13, 2021
November 8, 2021
Walkthroughs and missions in courses PLATFORM
New and updated challenges: CONTENT
Colour contrast on key elements in the platform, such as buttons and labels, has been improved to meet AA accessibility standards - progressively enabling a better and inclusive user experience for all.
SCW APIs: INTEGRATIONS
API endpoints now include both primary user identifiers - email address and user_id. This provides improved consistency and convenience for API callers needing to match user activity across the various API endpoints.
October 10, 2021
Added new templates to include the recently-released OWASP Top 10 2021 web standard, providing options for developers to receive up-to-date training. CONTENT
Added support for SAML RelayState redirection in SSO configurations. By leveraging this update, program managers are able to connect internal tools with specific Courses or Assessments at scale. Tested by one of our largest clients, this configuration has successfully enabled 20,000+ developers to have a seamless SSO login experience when accessing targeted SCW Courses and Assessments, from right inside their existing learning management system. Learn more about its configuration here. INTEGRATION
Added more challenges: CONTENT
Added special Infrastructure-as-Code (IaC/cloud) challenges for the global tournament (Devlympics 2021). Rest assured, these new Challenges will still be available in the platform after Devlympics: CONTENT
Courses UX improvement. We are continuously improving the experience of managing Courses at scale. PLATFORM
September 13, 2021
New language:frameworks: CONTENT
3 New Courses templates: CONTENT
Added more challenges to 4 languages with the aim of improving the variety of challenges and reducing repetitiveness in content: CONTENT
Improved Courses management navigation: PLATFORM
Secure Code Warrior for GitHub now supports contextual learning in pull request review comments. The plugin will, when available, display relevant learning content by scanning for common vulnerability references and names are found in the comments - added by users or SAST tools. INTEGRATION
August 9, 2021
Our integration with Kondukto is live. An AppSec Orchestration and Correlation platform, Kondukto provides a unified view of vulnerabilities discovered at each stage in the SDLC via various commercial and open-source security tools. The integration will help link to hyper-relevant learning based on detected vulnerabilities. INTEGRATION
Several experiential enhancements have been completed for Courses PLATFORM
Fixed a bug that severely affected performance for some of our customers on our US instance
July 12, 2021
Deprecation of AngularJS was officially implemented on July 1st, you can no longer access it on Training mode, nor can you create new AngularJS Courses or Tournaments. However, you can still access existing ones. CONTENT PLATFORM
June 14, 2021
Added New language:framework Content
Improved challenge quality: Content
Terminology review and update - ‘white’/'black' list terminology in learning resources has been renamed to ‘allow’/'deny' list, ensuring that all terms used on the platform are current and respectful to developers of all backgrounds.
Improvement and expansion to Course templates: Content
Course Focus page - Improved guidance for company course admins, when selecting course focus during course creation (better descriptions about the template and areas of focus), providing a more efficient and informative user experience during course creation. Content Platform
Warrior Connect partners - We’ve partnered with a number of global technology and regional service providers in the DevSecOps ecosystem to provide contextually relevant training material on findings that will help developers understand and resolve security issues, and arm them with the knowledge and skills to help prevent these vulnerabilities from re-occurring:
Sensei Feature Highlight: Library Scope - Discover more about the most loved features of Sensei. Read more (3 min read)
May 3, 2021
Streamlined the user experience of End of Course Activity for messages and assessments. PLATFORM
Missions (bonus level) in Tournaments are available for PHP: Basic and Scala: Play. CONTENT
Added more challenges to 2 languages: CONTENT
Improved the calculation methods of “Challenge Played“ to better indicate engagement level and provide more clarity. Renamed “Language Progress“ dashboard as “Quest Progress“ in the platform and added “Unique Challenge Played“ column in CSVs. PLATFORM
Support for Internet Explorer 11 (IE 11) will be retired by 1st July 2021. For now, we have completed stop supporting API Missions in IE 11. We recommend that customers consider using an alternative browser to avoid a sub-optimum experience. PLATFORM
April 6, 2021
Introducing PHP to the platform with 36 challenges. CONTENT
3 new languages now available to play bonus-level missions in Tournaments including Python, Python:Flask, Java. CONTENT
Added more challenges to 3 languages: CONTENT
Improved challenge quality: CONTENT
Improvement and expansion to Course templates: CONTENT
PCI-DSS Course template has been made available to API languages - providing relevant course templates to companies that require courses for API languages.
Admins will now also be able to download csv-files listing all available content, making them aware of the full breadth and depth of content available to them. The three csv-files (challenges, videos and missions) are available in the administration section under the report tabs. CONTENT
Edit function to published/unpublished courses (applicable only to courses where no developers are enrolled). Course admins will now be able to edit the content of a course that has already been published (or unpublished), this will provide administrators the freedom and flexibility to continue making changes to the course content (add/delete modules and activities) up until course enrollment is opened up for developers. PLATFORM
Changes to the Add/Edit Activity screen in Courses.
Check out the Sensei Product Update - March 2021. Discover the latest improvements to the user experience of Sensei, Secure Code Warrior's IntelliJ plugin and start writing quality code even faster. Learn more here. SENSEI
Support for Internet Explorer 11 (IE 11) will soon be retired. PLATFORM
In preparation for Microsoft’s end-of-support for IE11 the Secure Code Warrior Learning Platform will be retiring support for IE 11 as of 1st July 2021. Until this date, the browser can still be used to access the platform, however, it is recommended that customers consider using an alternative browser as continued use may result in a sub-optimum experience when using the platform.
Retiring Angular.JS language:framework. PLATFORM
In conjunction with Google and the Angular team’s announcement (three years ago) of their end-of-support for AngularJS from December 31 2021, the Platform will also be retiring Angular.JS language:framework content.Customers currently training on AngularJS are encouraged to transition their program to Angular.io. Further communication will be sent out over the next few months.
March 1, 2021
Added auto-send notification for Courses end-date changes. Courses admins can choose to send out email communications to relevant developers when they change the end-date of a published course, making sure developers are well-informed of the changes. PLATFORM
Enabled 4 additional API languages in Missions: CONTENT
Added accuracy and confidence data on top of the progress data for Courses leaderboard ranking, providing better insights for program managers to gauge developer skill levels in the team. PLATFORM
Added more challenges to 4 languages: CONTENT
Reworked the first batch of Node.js challenges, keeping the training content fresh and up-to-date. CONTENT
Realigned Angular and React with a new top 5 categories, making the training more focused on front-end vulnerabilities. The new categories are: CONTENT
February 1, 2021
Enabled PCI-DSS Recommendations course templates for security program manager to align the training more tightly with PCI requirements 6.5. CONTENT
Added Secure Code Warrior Recommendations course templates for developers to receive a more up-to-date training on high priority vulnerability of a language. Compared to OWASP Top 10 templates, these templates include emerging new vulnerabilities and revised priority based on the data we have. CONTENT
Added Intro templates for clients to have a quick and easy experience of a short Course. CONTENT
Supported Typescript in the platform (20 Challenges). CONTENT
Our first iteration of the Sensei Cookbook Index is now available. Developers can find recipes and cookbooks that help them write high quality and secure code right inside the IDE. SENSEI
Enabled 4 more languages in Missions, including: CONTENT
Supported Korean in the platform, helping Korean developers who are not used to English material to have more focus on learning instead of translating the content.CONTENT
Added more challenges to 7 languages: CONTENT
December 7, 2020
Added team-level tagging in API endpoints, making it easier for company admins to manage developers by departments/functions. PLATFORM
Added Courses start-date and end-date data in exportable data files (csv format), helping program managers to keep the progress of PCI compliance training on track. PLATFORM
Supported German content in the platform. CONTENT
The secure coding extension for the Jira Data Center edition is available. Developers can learn about related vulnerabilities right inside their tickets. INTEGRATION
Enabled the End-of-Course activity to support all active types of assessment, making it easier to manage a long-term security program. PLATFORM
Improved the structure of the "Privacy" section in "Company Preferences" settings, admins will find it easier to manage privacy settings across different play modes. PLATFORM
Docker now has in total of 54 challenges (▲17). CONTENT
Renamed racially insensitive “Whitelist/Blacklist” to “Allowlist/Denylist” across all platform content. CONTENT
Supported 2 additional languages, Pseudocode and Java:JSF in Missions - Bonus Level in Tournaments. CONTENT
November 2, 2020
Missions can now be played in your subscription as a Bonus Level in Tournaments. PLATFORM
Three new language frameworks: CONTENT
Reinforce structured learning with just-in-time training snippets using GitHub Action workflows. Learn more about building coding skills at every stage of the SSDLC here. Get the Secure Code Warrior GitHub Action from the marketplace today!
Sensei now available on the JetBrains Marketplace for organisations and developers to try it for themselves. SENSEI
Increased the number of Python:Basic challenges 59 challenges (▲ 17), providing greater content options for developers requiring framework-agnostic training. CONTENT
Review of Common Weakness Enumeration (CWE) mapping against platform vulnerability categories (more than 30%) with the inclusion of more CWE ID’s (particularly for mobile specific vulnerabilities). This review will significantly improve in the reporting of challenge vulnerabilities. CONTENT
As an extension of platform anonymization, company admins will now have the option to hide API Key generation for ‘all roles’, providing increased personal information security when generating reporting API keys. PLATFORM
October 6, 2020
Enabled finish-date modification for published/unpublished courses. When you go to the course management pages of those courses, you will see an edit button under Course End Date.
Introduced a new scripting/command-line language, Powershell, to the platform with 30 Challenges, securing your DevOps, DBA, and business automation teams' development.
Extend anonymization capability to the whole platform, including Courses, settings, and search options. Companies are able to have No-PII reporting.
Introduced more challenges for 4 languages, providing more playtime and difficulty levels for these languages in tournaments:
Implemented more consistent naming conventions in learning resources videos, providing a better education quality.
Fixed the occasional max-point issue in mix-language tournaments. Maximum points are guaranteed to be the same for all participants, making tournaments fair for all.
September 7, 2020
Introducing standard Java with 68 Challenges, providing developers who code in Java (without any frameworks) with relevant security training.
10 additional languages have been enabled for Courses - Company admins and team managers can now create a course from scratch from these languages.
Added new Pseudocode content with challenges focusing on mobile vulnerabilities - 66 Challenges. These new additions allow non-coding users to experience, learn and understand the concepts around mobile vulnerabilities without needing to know or specialize in a specific in a specific coding language:framework.
New video content covering Mobile Vulnerabilities: Reverse Engineering/Code Information Leakage, Improper Session Handling/Client Side Session Token Generation.
New video content covering Web Vulnerabilities: Authentication/Forceful Browsing, Information Exposure/Error Details, Memory Corruption/Race Conditions.
Two updates for Courses: Custom Activity and End of Course Activity
Anonymization has now been enabled. Company Administrators are now able to toggle on the anonymization of personal identifiers on the platform. This will allow customers to comply with regulatory requirements that require personal identifiable information or performance information of individual users to be anonymized within the company.
Improvements have been made to existing Java:Spring challenges enhancing overall content and quality of challenges for the developer.
Improved Java:Enterprise Edition JSP challenges to provide developers with more solid training.
August 3, 2020
14 more language:frameworks are Courses ready:
Added "First Completion Date" in the Courses reporting API. Monitoring developers' study progress to meet compliance schedule is easier.
Anonymization for Tournament Leaderboard is now available, providing Company Admins more options to protect developers' privacy.
Team Managers and Company Admins will see better report accuracy when tracking developer engagement on the platform, due to improvements in the time calculations. This change will only affect time spent data after July 3rd.
Pseudocode challenges now cover all Web Vulnerability categories, providing developers and non-developers alike with a broader awareness of secure coding for web applications. 84 Challenges (▲38).
PL/SQL language is now Assessment ready with 35 Challenges (▲3).
Added more challenges in web languages:
Reworked on the quality of 96 Java:Spring challenges, providing developers with more solid training.
July 6, 2020
Introducing two new language:frameworks to the platform:
New video content covering Web Vulnerability: Insufficient Transport Layer Protection/Unprotected Transport of Credentials
New video content covering Mobile Vulnerability: Improper Platform Usage/Tapjacking, Insecure Authentication/Client-Side Authentication For Authenticating To Server, Insecure Authentication/Misuse of Fingerprint, Insecure Authentication/Weak Lockout Mechanism, Improper Platform Usage/Incorrect Activity Configuration, Improper Platform Usage/Misuse of Intents.
Secure Code Warrior for Jira (Jira Cloud and Jira Server versions) have now been introduced to Public Labs, accessible through Atlassian Marketplace. Secure Code Warrior for Jira, provides just-in-time contextual micro-learning (on-premises and cloud variant) to developers as they work to resolve security issues.
Improved localization of content. Platform admins can now select the language localization (US or UK English) relevant to their company, improving the immersiveness of content, user experience, and engagement.
Significant improvement of existing Pseudocode challenges, enhancing overall content and quality of challenges for the developer.
Addressed and implemented a number of user interface fixes, which look to improving both overall user play experience and eliminating administrative confusion.
Significant improvement to the length of time to export training leaderboard and related reports, team admins will now receive the exported report by email in a more timely manner.
Performance improvement and scalability of reports resulting in faster response times and report retrieval for the user.
June 1, 2020
Introducing two new language:frameworks to the platform:
New video content will be made available in the following week, covering Mobile vulnerabilities: Lack Of Binary Protections/No Protection From Piracy, Unintended Data Leakage/Copy/Paste Buffer Caching (Pasteboard), Unintended Data Leakage/Logging Sensitive Information
New video content will be made available in the following week covering API Vulnerability: Access Control - Missing Object Level Access Control, Security Misconfiguration - Improper Permissions.
Courses is available to Secure Code Warrior Labs. Company Administrators will be able to opt-in to Secure Code Warrior Labs for a team or their entire company to test drive new features and offer feedback
Java Enterprise Edition (JSP) has now reached 373 Challenges (▲57).
Support for Microsoft Azure within the Ansible Basic Challenges providing content to support organizations using different cloud infrastructure.
Enhancement to the User Management API. You can now update your user’s email address programmatically via the API.
Added French spoken language support to the platform, improving navigation and overall user experience for French-speaking users by making the user interface content available in their native tongue.
April 5, 2020
Introduced three new language:frameworks to the platform:
We've introduced additional challenges to our Go content, providing developers of different experience levels from junior to senior with a greater variety of challenges to best suit their different skill levels - 184 challenges (▲29).
Improved team and user management capabilities via API:
Improved the retrieval performance of the Assessment Summary report (CSV), providing better insights to help manage teams.
Reviewed platform user interface when selecting Vulnerability Category options, ensuring that all options are relevant and up-to-date for the user.
The Weekly Active Summary report email has been reviewed and is showing the activity metrics of platform users for the client, helping provide better transparency on platform usage and utilization.
April 6, 2020
Introducing two new language: frameworks - Python:Basic, with 41 challenges and Java:Spring API with 35 challenges.
Java:Spring has reached 399 challenges (▲94).
C# (.NET):Web Forms has now reached 382 challenges (▲126).
Ruby:Rails now Mixed Tournament Ready with 233 challenges (▲14).
Improved quality of challenges for Kotlin:Android SDK.
March 9, 2020
Introducing new language: framework Perl:Dancer2, with 31 Challenges.
Added new Web vulnerability video resources covering; Side Channel Vulnerability/Timing Attack, Access Control/Using input from untrusted sources, Business Logic/Insufficient Validation, Injection/CSS Injection, Memory Corruption/Double Free, Injection Flaws/Log Forging.
Java: Enterprise Edition (JSP) has reached 314 challenges (▲79).
Improved quality of Challenges for C# (.NET):MVC.
Revised accuracy of Chinese and Spanish translations.
Improved usability when playing Challenges to help developers choose the correct solution when fixing a vulnerability.
Fixed vulnerability category display issue when playing 'Identify' stage.
February 10, 2020
Expanding on last month’s newly introduced Infrastructure-as-Code language: framework - we’ve added two new Infrastructure-as-Code language: framework - Ansible (▲24) and Docker (▲24).
New training videos covering Mobile languages: Broken Cryptography/Insecure Generation Of Encryption Keys, Broken Cryptography/Insecure Storage Of Encryption Keys, Broken Cryptography/Reuse Of Initialization Vector, Broken Cryptography/Use Of Hardcoded Keys, Client Code Quality/Improper Memory Management.
Enhanced tool-tips and guidance for Administrators and Team Managers when editing Assessments to help make them aware of what edits will create a new Assessment version.
More challenges for Node.js (Express) now at 279 challenges (▲5).
C# (.NET): Webforms and Java: Enterprise Edition (JSF) are now mixed-tournament ready with 274 and 146 challenges respectively.
January 13, 2020
First Infrastructure-as-Code (IaC) language:frameworks now available covering Terraform (▲24) and AWS CloudFormation (▲32).
Foster genuine learning by limiting the number of Assessment attempts within a specified timeframe.
Multiple API Keys – Company Admins now have the ability to generate more than one Report or Admin API Key's for their Company.
Updated user object in API so that a Developers preferred programming language can be specified.
PL/SQL one of our most played language:framework is now top-10 ready with 25 challenges available (▲17).
Updated mobile vulnerability video resources covering; Reverse Engineering, Insufficient Transport Layer Protection, Extraneous Functionality, Broken Cryptography and Code Tampering.
December 1, 2019
Brand-new help menu to instantly access 24x7 knowledgebase, request support and keep up-to-date with the latest news and advice from Secure Code Warrior.
All new languages C#(NET):API and Java:Servlets (Jackson) are Top 10 Ready. C#(NET):API is our first API only language and Jackson is a popular and efficient java based library to serialize or map java objects to JSON and vice versa.
New and improved Direct Linking Content Mappings against CWE, OWASP and VRT (Vulnerability Rating Taxonomy), plus improved statistics to track leads being generated by our Partner Integrations.
5x new videos cover web vulnerabilities and 2x specifically for API vulnerabilities covering: Improper Assets Management and Mass Assignment.
Added preferred development language:framework(s) to account profiles for a more tailored gamified learning experience.
API now supports team management level role Reporting and Admin keys for better data segregation across an organisation.
More than 300 challenges for C#:MVC (▲70) – that's over 15hrs of playing time!
Mixed Tournament Ready for GO (▲23), and Scala:Play (▲21).
Certified ISO27001 for information security management.
November 4, 2019
API Version 2: Streamline user management, and save time by programmatically managing users and building management reports with new reporting metrics and better filtering. Ability to programmatically assign users to assessments now also available.
6x New video learning resources for web vulnerabilities covering: Authentication/Improper Authentication, Authentication/Insecure Password Change Function, Authentication/Insecure Password Reset Function, Authentication/Insufficient Anti-Automation, Security Misconfiguration/Disabled Security Features, Lack of Resources and Rate Limiting.
New Challenges for Swift (▲33), Python:Django(▲29), C (▲28), GO (▲8), JavaSript:Node.js (▲8), Java EE - JSP (▲6), C# Web Forms (▲4), C# MVC (▲4) and Java:Spring (▲2).
Updated brand and messaging for email templates.
Fixed issue preventing the generation of PDF Certificates for Assessments.
October 14, 2019
6x New video learning resources for web vulnerabilities covering: Insufficient Logging, Information Exposure - Sensitive Data Exposure, Cross-Site-Scripting - DOM-Based XSS, Authentication, Server-Side Request Forgery and Insecure Cryptography - Exposed Keys.
New Challenges for Ruby:Rails (▲62), C# Web forms (▲15), Java:Spring (▲6), Java EE: JSP (▲7), and C (▲4).
Replaced 12 vulnerability categories across Mobile (8) and Web(4) video learning resources with 25 finer-grained vulnerability sub-category resources for a more focused learning experience.
Prevent Players from enrolling in superseded Assessments.
Added new email deliverability status for Company Administrators and Team Managers to see if an email has bounced.
Fixed issues when creating Tournaments with C# (.NET) Core.
Migration to the Future Ready Platform that will deliver a more scalable, higher quality product at velocity.
September 9, 2019
New C#.NET CORE language:framework is Top-10 Ready with 40 Challenges.
Improved Partner Integration for MicroFocus with with increased mappings of vulnerabilities and training content.
Various back-end performance improvements to deliver a faster first-time login and better player experience.
Resolved issue of missing Tournament Missions (Quests) when geo-blocked countries had been enabled.
August 5, 2019
New challenges elevate Java:AndroidSDK to Gold Status + Mobile Mixed-Tournament Ready (▲51) and Python:Django now has over 170 challenges (▲36).
Change main navigation menu order to better align user experience with AppSec program rollouts.
Fixed over 40 bugs for more accurate challenges across available language/frameworks.
Enhanced monitoring to deliver a better end-user experience by accurately viewing end-user page load times and reporting of application errors.
Addition capacity and performance for the Secure Code Warrior infrastructure to speed up our overall service.
July 1, 2019
Grammatical improvements for our platinum languages including; Python Django, NodeJS, C# MVC and Pseudocode.
New Challenges now available for many of our supported languages and frameworks including C with more than 100 challenges and GO with over 130+.
Aligned training points calculation between UI display and report, CSV export and REST API. No underlying data was changed or altered.
June 3, 2019
New "Last Nudged" timestamp has been added to better manage team communications and improve engagement.
Mobile Languages are now available to be played in Mixed Tournaments.
Grammatical errors have been fixed in Java Springs.
Removed videos from categories were irrelevant to prevent points penalty when using hints.
Fixed missing API timestamps for invitations and registration reports..
May 1, 2019
Grammatical errors have been fixed for Java EE (JSP) and C++
April 1, 2019
Training ground improvements for Scala Play and Python Django.
Fixed sound issues in Web App Security 101.
Load Monitoring enabled to deliver a more secure and scalable platform.
Logging API operations enabled to increase platform security.