WP2 Secure Coding Workshop

OWASP Top 10 & Application Security Training

🇧🇹 Bhutan • August 19-23, 2019

Project Overview

The "Secure Coding Workshop" was held in Bhutan from August 19-23, 2019, to tackle the rising risk of insecure applications impacting national infrastructure and education platforms. Organized by the Department of Information Technology and Telecom (DITT), Royal Government of Bhutan, the workshop focused on OWASP Top 10 vulnerabilities, web services security, and secure development practices.

Total Participants: 53
Female Participants: 13
Training Days: 5
Satisfaction Rate: 94.3%

OWASP Top 10 Vulnerabilities Covered

Comprehensive hands-on training covering the most critical web application security risks:

🛡️ SQL Injection

Database query manipulation through unsanitized inputs

🔐 Broken Authentication

Session management flaws and authentication bypasses

💾 Sensitive Data Exposure

Inadequate protection of sensitive information

🌐 Cross-Site Scripting (XSS)

JavaScript injection and client-side attacks

⚙️ Security Misconfiguration

Insecure default configurations and settings

🔗 Insecure Direct Object References

Unauthorized access to internal objects

🎯 Cross-Site Request Forgery (CSRF)

Unauthorized actions on behalf of authenticated users

📦 Known Vulnerable Components

Insecure third-party libraries and frameworks

🔧 Security Tools & Frameworks

Burp Suite
OWASP ZAP
SANS Top 25
Web API Security
Buffer Overflow
Security Testing

5-Day Training Schedule

Day 1: Foundation & Injection

Lab setup, Burp Suite familiarization, SQL and command injection demonstrations with real-world scenarios and patching techniques.

Day 2: Authentication & XSS

Broken authentication, session management, brute force techniques, cookie theft, and cross-site scripting mitigation strategies.

Day 3: Data Security & Config

Insecure direct object references, sensitive data exposure, and security misconfiguration risks with secure implementation guides.

Day 4: CSRF & Access Control

Cross-site request forgery attacks, missing function-level access controls, secure token implementation, and role-based access control.

Day 5: Advanced Threats & APIs

SANS Top 25 vulnerabilities, web API threats, secure API coding, buffer overflows, and third-party library security.

🚩 Capture The Flag Challenge

Teams designed and tested secure web applications while competing to identify and exploit vulnerabilities in peer applications. This hands-on challenge reinforced week-long lessons through practical application and real-time security assessment.

Key Outcomes & Impact

✅ Enhanced Security Competencies

🤝 Stakeholder Collaboration

Strengthened coordination among government, academia, and private sector in cybersecurity. Enhanced cooperation between DITT, BtCIRT, and various institutions across Bhutan's digital ecosystem.

📢 Public Visibility

Workshop proceedings disseminated via official websites (DITT, MoIC, BtCIRT) and promoted through social media (Facebook, Twitter, LinkedIn) for transparency and national replication.

Partner Organizations

Led by the Department of Information Technology and Telecom (DITT), Royal Government of Bhutan, with strong technical partnerships:

DITT: Lead Organizer, Ministry of Information & Communications

BtCIRT: Bhutan Computer Incident Response Team

APNIC: Technical Partner, Resource Support

DrukREN: Education Network, Bhutan

Challenges & Future Directions

⚠️ Identified Challenges

🚀 Future Plans

Expanded Program: Increase workshop duration to 8-10 days for deeper engagement. Include mobile security, DevOps security, and OWASP audit automation.

Infrastructure Enhancement: Provide high-spec systems for faster VM execution and better lab performance.

National Replication: Deliver workshops in colleges, private institutions, and across DrukREN nodes throughout Bhutan.

Sustainable Development Goals

This cybersecurity capacity building project contributes to multiple UN Sustainable Development Goals:

SDG 4: Quality Education
SDG 9: Innovation & Infrastructure
SDG 16: Peace & Strong Institutions
SDG 17: Partnerships for Goals