Cydrill: Emotionally Engaging Drills for Secure Coding

More often than not, cybersecurity efforts temporarily neutralize threats while failing to address the source of the problem - vulnerable codes. On the other hand, organizations can implement security efforts in the development phase by educating software developers about practices that foster secure applications and software systems. To achieve this, organizations need to shift their approach from merely conducting cybersecurity awareness programs to revamping their engineers’ programming practices. This can be substantially cost-effective as well. For example, according to the National Institute of Standards and Technology, the physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce, fixing a bug in the production stage is six times more expensive than the coding stage. To help organizations realize the best coding practices, Budapest-based Cydrill has devised a gamification module through blended learning, ITL and e-Learning labs with gamified hacking and defence drills specifically for developers.

Established in 2019 by three college-mates who met after 20+ years of serving the IT industry in various capacities, Cydrill aims to tackle the root cause of cyber defence, the inadequate coding practices. They created a blended learning journey of Cybersecurity Skills & Drills targeting software developers. Looking at secure coding as the ultimate team-sport, Cydrill developed a set of courses for classroom, virtual and e-learning. Hands-on labs – the drills – engage, persuade, and measure the experiential learning of the participants. Through gamification, they instil the best-practices and teach how not to code.

However, there are no leaderboards, no fierce competition; simply metrics drive individual contribution to team’s collective achievements.

“The software needs to be developed with a different mindset and a change in programming habit is called for,” says László Drajkó, Partner & Co-founder, Cydrill. “This change in the practice of developing code must be entertaining and engaging.” That’s where gamification comes in. The three partners were convinced that the change must evolve from classroom learning, and more than 80 per cent of the module must be hands-on experience through the gamified platform. And this must be done in the ‘natural habitat’ of the software developers for two reasons: organizations cannot afford to give their developers a break from their work hours, and software developers must feel at home to adopt behavioural change.

Diverging from the established concept of simulated environments in a gamified setting, Cydrill introduced embedded learning into Integrated Development Environments (IDE) using Cydrill Sergeant. Just like a drill sergeant, Cydrill Sergeant’ shouts’ (read prompts) step-by-step instructions during drill camp. First, software developers are presented with a simulation of a popular website where the coding mistakes are known and highlighted. The developers are then required to work on an exercise under the guidance of Cydrill Sergeant. The activities are designed to help developers think like a hacker and how they exploit vulnerabilities. The most critical breakthrough, according to Drajkó, is fostering emotional engagement in the developers where they realize what mistakes they were making in their work and gain a quantified understanding of their progression.

Since coding is a team effort, there is no leaderboard in Cydrill’s gamification program. Instead, there are two kinds of assessments: individual and group. Since software can be only as safe as the weakest developer’s secure coding experience, more emphasis is given to comparing individual performance against the team to speed up the slowest movers. “We need to create a reward mechanism that supports the team sport nature of secure coding and tries to lift up everyone instead of creating competition,” says Drajkó. This team sport approach to coding has helped them work with clients from different industries, mainly automobile and defence. Drajkó believes in listening and evolving with the help of its clients and providing consistent updates on Cydrill Sergeant’s drills as per the latest advancements in cybersecurity and hacks.

With AI and autonomous cars taking centre stage, Cyrdrill has realized the need to gain an understanding of preventive measures, similar to vulnerable codes in IT, of all the industries and develop a practical learning journey. The company aims to strike a balance between limiting the causes of cybersecurity threats and addressing the consequences, and, in turn, create a perpetual cure rather than a temporary painkiller.