Security quiz for developers

Question

Does anyone know of a short security quiz that could be administered online, to test the security knowledge of a developer? I'm looking for something simple to administer and simple to grade, ideally something that would take a developer only a few minutes, as a screening tool to differentiate folks who have no experience with security from those who have at least a minimum level of knowledge/experience.

Ideally, this would test knowledge of security problems in web application code (most especially, PHP code, but others would be useful too).

Does anyone know of anything like this? Or even something that's in this general space? Alternatively, does anyone have any experience with designing or using such a quiz?

Answer 1

Use DVWA or Mutillidae, get them to fix the code, then demonstrate pre/post fix behavior? Perhaps a little more complex than you were thinking, but it would also prove their coding ability.

Or, if this is too much, get them to go through DVWA at lowest security settings, looking for certain data? (get usernames, login without creds, etc.) You could even reduce the quiz to asking a single question? "What is the admin's password?" It won't test their coding knowledge, but how to test for insecure coding practices.

Full disclosure: I have not used these as a quiz.

Answer 2

Here's some:

• http://www.myappsecurity.com/threat-modeling/secure-coding-quiz/
• http://www.myappsecurity.com/threat-modeling/owasp-top-ten-quiz/
• http://www.myappsecurity.com/threat-modeling/application-security-crossword/
• http://myappsecurity.com/encryption-quiz/
• http://myappsecurity.com/threat-modeling-quiz/

Microsoft also seems to have a Threat Modeling Card game:

• http://www.microsoft.com/security/sdl/adopt/eop.aspx