If you didn't know already, Google takes its application security seriously, especially when it comes to Cross-Site Scripting. They already have a Vulnerability Rewards Program and XSS Learning Documentation posted on their application security site. A few weeks ago, I saw some chatter on Twitter about a new approach for teaching folks about Cross-Site Scripting: The XSS Game! Wait a second, teach people about XSS by playing a game? It sounds like an app I would download on my tablet for my daughter to play with. Brilliant! Where do I sign up?
Overall, I'd say this game does a fantastic job of challenging developers to think about the various ways that Cross-Site Scripting can be introduced into an application. It combines two very important skill sets for those working in application security: code review analysis and dynamic testing, both of which are needed to fully assess the security of a web application.
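To make the point about the "various ways" XSS gets into an application concrete, here is an added example (not code from the original post or from Google's XSS Game): the same server-side template rendered once with the raw query string and once with the value encoded for the HTML text context. The page, the search query, and the helper names are constructed for this illustration.

```javascript
// Added illustration, not part of the original post or of the XSS Game.
// Node.js, no dependencies. The page template and the input are constructed.

// Minimal encoder for text placed into HTML element content.
// It rewrites the five characters that can change HTML structure.
function escapeHtml(untrusted) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: a search page echoes the query into the markup as-is.
// This is the kind of reflected sink a code review should flag.
function renderResultsUnsafe(query) {
  return `<p>Sorry, no results were found for <b>${query}</b>.</p>`;
}

// Hardened pattern: identical page, query encoded for the context it lands in.
function renderResultsSafe(query) {
  return `<p>Sorry, no results were found for <b>${escapeHtml(query)}</b>.</p>`;
}

// Crude check used only to show the difference between the two renderers:
// does the output contain a script element the template itself never wrote?
// Real verification belongs in a browser-based test or a CSP report endpoint,
// not in a regular expression.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed untrusted input, the textbook proof-of-concept string.
const sampleQuery = '<script>alert(1)</script>';

// Stand-alone demo: the unsafe renderer reflects a script element,
// the safe one reflects harmless text.
console.log(renderResultsUnsafe(sampleQuery));
console.log(renderResultsSafe(sampleQuery));
```

The dynamic-testing half of the exercise is the last two lines: you submit the string and look at what comes back. The code-review half is noticing that `renderResultsUnsafe` builds markup by string concatenation with no encoding. Note that `escapeHtml` is only correct for the HTML text context; a value placed into a JavaScript string, a URL, or an unquoted attribute needs the encoder for that context, which is exactly the sort of distinction the game's later levels push you to think about.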
Are you up for the challenge? https://xss-game.appspot.com/
Eric Johnson is a security consultant at Cypress Data Defense, and an instructor and contributing author for the SANS DEV544 Secure Coding in .NET course. He previously spent six years performing web application security assessments for a large financial institution, and another four years focusing on ASP.NET web development. Other experience includes developing security tools, secure code review, vulnerability assessment, penetration testing, risk assessment, static source code analysis, and security research. Eric completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University. Eric currently holds the CISSP, GWAPT, and GSSP-.NET certifications and is located in West Des Moines, IA. Follow Eric on Twitter @emjohn20.