
Gamify Security with OWASP BLT Adventures 🚀 #3197

Open
DonnieBLT opened this issue Jan 5, 2025 · 16 comments

Comments

@DonnieBLT
Collaborator

DonnieBLT commented Jan 5, 2025

Goal: Design and implement interactive adventures across OWASP projects. Each adventure includes multiple actions/tasks and offers one or more badges as rewards. These tasks encourage users to explore, learn, and apply security concepts using OWASP tools and resources.

Sample Adventures

  1. Secure the Fortress (OWASP ZAP + OWASP Security Knowledge Framework)
     • Actions:
       1. Use OWASP ZAP to scan a vulnerable application.
       2. Identify and document 3 vulnerabilities.
       3. Reference the OWASP Security Knowledge Framework to suggest mitigations for the vulnerabilities.
       4. Submit a report summarizing findings and mitigations.
     • Badge: 🛡️ “Fortress Defender”
  2. Break the Code (OWASP Juice Shop + OWASP Cheat Sheets)
     • Actions:
       1. Complete 5 security challenges in OWASP Juice Shop.
       2. Use the OWASP Cheat Sheets to explain the underlying vulnerabilities for each solved challenge.
       3. Create a pull request to add a new challenge idea for Juice Shop.
     • Badge: 🔓 “Code Breaker”
  3. Cryptography Conundrum (OWASP ASVS + OWASP Cryptographic Storage Guidelines)
     • Actions:
       1. Audit a sample application for cryptographic practices against ASVS requirements.
       2. Implement improvements based on the OWASP Cryptographic Storage Cheat Sheet.
       3. Write a blog post or summary of your findings.
     • Badge: 🔐 “Crypto Custodian”
  4. APIs Under Fire (OWASP API Security Top 10 + OWASP ZAP)
     • Actions:
       1. Use OWASP ZAP to scan an API endpoint.
       2. Test for vulnerabilities in the OWASP API Security Top 10 (e.g., Broken Authentication, Excessive Data Exposure).
       3. Suggest remediation strategies and document findings.
     • Badge: 📡 “API Defender”
  5. Hunting Secrets (OWASP Dependency-Check + OWASP Top 10)
     • Actions:
       1. Run OWASP Dependency-Check on a project to identify vulnerabilities in libraries.
       2. Map findings to OWASP Top 10 categories.
       3. Create a pull request fixing one identified vulnerability.
     • Badge: 🔍 “Vulnerability Hunter”
  6. Threat Modeling Journey (OWASP Threat Dragon + OWASP Application Security Verification Standard)
     • Actions:
       1. Use OWASP Threat Dragon to create a threat model for a sample application.
       2. Perform a gap analysis using OWASP ASVS.
       3. Present your threat model to the community for feedback.
     • Badge: 🌐 “Threat Architect”
  7. Secure the CI/CD Pipeline (OWASP DevSecOps Guideline + OWASP ZAP)
     • Actions:
       1. Integrate OWASP ZAP into a CI/CD pipeline.
       2. Run automated scans for every build and document results.
       3. Apply remediation suggestions from the OWASP DevSecOps guidelines.
     • Badge: 🏗️ “Pipeline Protector”
  8. Web Crawler Challenge (OWASP Web Security Testing Guide + OWASP ZAP)
     • Actions:
       1. Use OWASP ZAP’s spidering feature to map a web application.
       2. Apply tests from the OWASP Web Security Testing Guide.
       3. Report and fix at least one discovered issue.
     • Badge: 🕸️ “Web Explorer”
  9. Privacy Shield (OWASP Privacy Risks + OWASP Secure Headers Project)
     • Actions:
       1. Audit a website for privacy risks using the OWASP Privacy Risks Project.
       2. Implement recommended secure headers (e.g., Content-Security-Policy).
       3. Demonstrate improvements with before/after scans.
     • Badge: 🔒 “Privacy Protector”
  10. Mobile Security Odyssey (OWASP Mobile Security Testing Guide + OWASP MASVS)
     • Actions:
       1. Use the OWASP Mobile Security Testing Guide to perform security tests on a mobile app.
       2. Cross-reference findings with OWASP MASVS.
       3. Propose fixes for at least one identified vulnerability.
     • Badge: 📱 “Mobile Defender”

Broader Open-Source Coding Adventures

  1. Bug Fixer’s Path
     • Actions:
       1. Find an open-source project with issues labeled “good first issue” or “help wanted.”
       2. Identify a bug, review the code, and submit a fix via pull request.
       3. Write a test case to verify the fix and prevent regression.
     • Badge: 🛠️ “Bug Fixer”
  2. Secure the Dependencies
     • Actions:
       1. Run a dependency scanner (e.g., OWASP Dependency-Check, Snyk) on an open-source project.
       2. Identify outdated or vulnerable dependencies.
       3. Update and test the dependencies, then submit a pull request.
     • Badge: 🔍 “Dependency Defender”
  3. Refactor Hero
     • Actions:
       1. Choose an open-source project with identified technical debt (e.g., code smells, outdated practices).
       2. Refactor a module or function to improve performance, readability, or maintainability.
       3. Document changes and explain how the refactor enhances the project.
     • Badge: 🌀 “Refactor Hero”
  4. Internationalization Expert
     • Actions:
       1. Find an open-source project lacking support for internationalization (i18n).
       2. Add i18n support for one or more languages (e.g., translations, locale handling).
       3. Submit a pull request and collaborate with the maintainers to integrate the changes.
     • Badge: 🌍 “i18n Champion”
  5. Performance Booster
     • Actions:
       1. Profile an open-source project for performance bottlenecks (e.g., using tools like Profiler, Lighthouse).
       2. Optimize at least one identified bottleneck (e.g., inefficient algorithms, resource-heavy functions).
       3. Validate improvements and share results with the community.
     • Badge: ⚡ “Performance Booster”
  6. Open Source Tester
     • Actions:
       1. Find an open-source project with insufficient test coverage.
       2. Write and submit test cases to improve coverage (unit, integration, or end-to-end).
       3. Run tests and submit results to the project’s maintainers.
     • Badge: 🧪 “Testing Prodigy”
  7. Documentation Maven
     • Actions:
       1. Choose an open-source project with outdated or incomplete documentation.
       2. Write or update README files, tutorials, or API documentation.
       3. Propose additional improvements, such as better examples or setup guides.
     • Badge: 📘 “Documentation Maven”
  8. Secure by Default
     • Actions:
       1. Identify a misconfiguration or missing security feature in an open-source project.
       2. Implement a secure default configuration (e.g., enable HTTPS, secure headers, input validation).
       3. Submit a pull request and explain the benefits of the change.
     • Badge: 🔒 “Security Advocate”
  9. Accessibility Guru
     • Actions:
       1. Audit an open-source project for accessibility issues using tools like Lighthouse or Axe.
       2. Fix at least one accessibility issue (e.g., ARIA roles, color contrast, keyboard navigation).
       3. Document how the fix improves usability for users with disabilities.
     • Badge: 🧑‍🦽 “Accessibility Guru”
  10. Open-Source Mentor
     • Actions:
       1. Help a newcomer navigate an open-source project by answering questions in the community forums or Discord/Slack.
       2. Pair with a newcomer to guide them through their first contribution.
       3. Document the mentoring experience and share tips for first-time contributors.
     • Badge: 🤝 “Open Source Mentor”

How to Participate
1. Select an Adventure: Pick a task from the list or customize your own based on interests and skills.
2. Collaborate: Work on the tasks and interact with maintainers or other contributors.
3. Submit Proof: Share links to pull requests, commits, or other evidence to claim badges.
4. Earn Badges and Learn: Gain recognition while enhancing your coding and collaborative skills.
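The participation flow above (pick an adventure, submit proof per action, earn the badge once every action is done) is small enough to sketch as a progress tracker. The block below is an added illustration written for this page, not code from the OWASP BLT project; the names `Adventure`, `Progress`, `submit_proof`, `validate_proof_url` and the `PROOF_HOSTS` allowlist are assumptions made here, and the sample adventure is the issue's first entry with constructed proof links. The one security-relevant choice it shows is that a "proof" link is untrusted user input: it is accepted only as an https URL to an allowlisted host with a real path, and each action takes proof exactly once, so the badge is awarded once and cannot be claimed by re-submitting the same link.

```python
"""Adventure progress tracking in the style of the OWASP BLT proposal.

Added illustration, not code from the BLT project. Models an adventure as a
fixed list of actions, accepts one proof link per action, and awards the
badge only once every action has accepted proof.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hosts a proof link may point at. Assumption: a real deployment keeps its
# own allowlist; these two are constructed for the example.
PROOF_HOSTS = {"github.com", "gitlab.com"}


@dataclass(frozen=True)
class Adventure:
    slug: str
    title: str
    actions: tuple[str, ...]
    badge: str


@dataclass
class Progress:
    """One user's state on one adventure: accepted proof per action index."""
    adventure: Adventure
    proofs: dict[int, str] = field(default_factory=dict)
    badge_awarded: bool = False

    def remaining(self) -> list[int]:
        """Indices of actions that still lack accepted proof."""
        return [i for i in range(len(self.adventure.actions)) if i not in self.proofs]


class ProofError(ValueError):
    """Raised when a proof submission is rejected."""


def validate_proof_url(url: str) -> str:
    """Accept only https links to an allowlisted host with a concrete path.

    Plain http, javascript: or data: schemes, bare hostnames and unknown hosts
    are rejected before anything is stored or rendered back to other users.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ProofError("proof link must use https")
    host = (parts.hostname or "").lower()
    if host not in PROOF_HOSTS:
        raise ProofError(f"proof host {host!r} is not accepted")
    if not parts.path or parts.path == "/":
        raise ProofError("proof link must point at a PR, commit or file")
    return parts.geturl()


def submit_proof(progress: Progress, action_index: int, url: str) -> bool:
    """Record proof for one action.

    Returns True only on the submission that completes the adventure, so the
    caller awards the badge exactly once.
    """
    if not 0 <= action_index < len(progress.adventure.actions):
        raise ProofError("no such action in this adventure")
    if action_index in progress.proofs:
        raise ProofError("proof for this action was already accepted")
    progress.proofs[action_index] = validate_proof_url(url)
    if not progress.remaining() and not progress.badge_awarded:
        progress.badge_awarded = True
        return True
    return False


# Constructed sample adventure, taken from the issue's first entry.
SECURE_THE_FORTRESS = Adventure(
    slug="secure-the-fortress",
    title="Secure the Fortress",
    actions=(
        "Use OWASP ZAP to scan a vulnerable application.",
        "Identify and document 3 vulnerabilities.",
        "Reference the OWASP Security Knowledge Framework to suggest mitigations.",
        "Submit a report summarizing findings and mitigations.",
    ),
    badge="Fortress Defender",
)


def demo() -> Progress:
    """Walk one user through all four actions with constructed proof links."""
    p = Progress(SECURE_THE_FORTRESS)
    for i in range(len(SECURE_THE_FORTRESS.actions)):
        submit_proof(p, i, f"https://github.com/example-org/example-repo/pull/{100 + i}")
    return p


if __name__ == "__main__":
    p = demo()
    print(f"{p.adventure.title}: badge {p.adventure.badge!r} awarded = {p.badge_awarded}")
```

In a Django app like BLT the `Progress` record would live in the database keyed by user and adventure, with the "already accepted" check enforced by a unique constraint rather than a dict lookup; the URL validation stays the same and should run before the link is stored.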

@tsu-ki
Contributor

tsu-ki commented Jan 5, 2025

/assign

Contributor

github-actions bot commented Jan 5, 2025

Hello @tsu-ki! You've been assigned to OWASP-BLT/BLT issue #3197. You have 24 hours to complete a pull request.

Contributor

github-actions bot commented Jan 6, 2025

⏰ This issue has been automatically unassigned due to 24 hours of inactivity.
The issue is now available for anyone to work on again.

@tsu-ki
Contributor

tsu-ki commented Jan 6, 2025

@DonnieBLT sir, please assign me to this issue, as this will take a substantial amount of time to implement. Thank you!

@tsu-ki
Contributor

tsu-ki commented Jan 6, 2025

/assign

Contributor

github-actions bot commented Jan 6, 2025

Hello @tsu-ki! You've been assigned to OWASP-BLT/BLT issue #3197. You have 24 hours to complete a pull request.

@github-actions github-actions bot assigned tsu-ki and unassigned tsu-ki Jan 6, 2025
Contributor

github-actions bot commented Jan 7, 2025

⏰ This issue has been automatically unassigned due to 24 hours of inactivity.
The issue is now available for anyone to work on again.

@tsu-ki
Contributor

tsu-ki commented Jan 13, 2025

/assign

Contributor

Hello @tsu-ki! You've been assigned to OWASP-BLT/BLT issue #3197. You have 24 hours to complete a pull request.

Contributor

⏰ This issue has been automatically unassigned due to 24 hours of inactivity.
The issue is now available for anyone to work on again.


@tsu-ki
Contributor

tsu-ki commented Jan 17, 2025

/assign

Contributor

Hello @tsu-ki! You've been assigned to OWASP-BLT/BLT issue #3197. You have 24 hours to complete a pull request.

Contributor

⏰ This issue has been automatically unassigned due to 24 hours of inactivity.
The issue is now available for anyone to work on again.


Labels
None yet
Projects
Status: Backlog
Development

No branches or pull requests

2 participants