The year is slowly coming to an end and it’s time again to look back and reflect on the great fun and achievements of the year. This is where we would like to thank our community and share a little gift, as we do every December since 2016. We are excited to announce our seventh consecutive Code Security Advent Calendar and invite all developers and security enthusiasts to participate!
At Sonar we believe in the power of Clean Code which means that your code can evolve and execute flawlessly. This is not only about code security but also about maintainability, reliability, sustainability, and more which are impacted by each other. Security, being only one pillar of Clean Code, is particularly interesting because there are so many coding mistakes and attacker tricks that we can all learn about.
We will hide some of our new favorite ones in 24 little code puzzles so you can sharpen your security skills and have a fun December season.
Starting on December 1st, we will release new code challenges on a daily basis. Follow our research team on Twitter and Mastodon to be notified about each new challenge, share it with your friends, and discuss solutions and feedback in the comments. The code challenges as well as the intended solutions are hosted on our website too; you can come back every day and open a new door to reveal the latest puzzle. We plan to keep our challenges and solutions accessible online for your education and also plan to bring back the content from past years’ calenders to the website, so stay tuned!
At Sonar, we spend a lot of time studying and understanding real-world vulnerabilities in order to continuously push our code analysis to the next level. We crafted 24 realistic security bugs and tricks based on what we saw in real, production code during this year's security research.
Some of these challenges may look harder than usual at first, but don’t worry: play around with the code snippet, experiment, and enjoy the “aha moment” when you discover the answer!
We want to make this event enjoyable for all skill levels, so we'll release hints throughout the day (if needed) and a detailed solution after 24 hours. To learn as much as you can from these challenges and get a grasp on all the “tricks” involved, do not just identify the impact of the vulnerability (say, Remote Code Execution), but try to think of how it could be exploited, what would be the steps to follow, etc.
And even if the day’s security challenge isn’t in your favorite language it’s worth looking at because the principles carry across languages and will sharpen your security skills for 2023!
Our products support over 5,000 rules because there are many things that can go wrong on the way to writing clean code. In this year’s Code Security Advent Calendar, we focus on 24 different types of vulnerabilities that can have a major impact on your application security.
Every challenge will hide at least one security flaw. Sometimes it's based on unvalidated or unsanitized user input, sometimes on a bad configuration, and sometimes it's a harmless-looking feature that can be abused by attackers.
We wish you all a happy and safe December season!