Security Champions · Challenge Bank
Practice Arena
Champ's Challenge Bank
27 exercises across all 9 modules. Code reviews, scenarios, matching, sequencing, and writing challenges. Each one tests a skill you'll use in production — not trivia you'll forget tomorrow.
How it works: Exercises appear in module order. Answer, reveal, learn. Your score tracks across all 27 challenges.
#1 · Module 1 — Champion
What's your lane?
Matching
A production outage happens. Classify each task — is it the Security Champion's job, or not your job?
✓ Champion's job
✗ Not your job
Champion's job: b, d, f. Not yours: a (IR lead), c (developer), e (security team). The Champion doesn't own security — they embed it. Their superpower is asking the right question at the right moment: "did we think about this?" in design, "should we test this?" in review, "let's add this to the backlog" in planning. If you're doing someone else's job, you're not doing yours.
#2 · Module 1 — Champion
SAMM domains
Matching
OWASP SAMM organizes security practices into 5 business functions. Match each activity to its SAMM domain.
Governance
Design
Implementation
Verification
Operations
(a) Design — threat modeling lives in the architecture phase. (b) Governance — training is a governance activity. (c) Operations — WAF management is operational security. (d) Verification — pentesting validates security controls. (e) Governance — vendor SLAs are policy decisions. SAMM helps Champions map their activities to business functions — so when a PM asks "what do you actually do?" you have a framework, not a vague answer.
#3 · Module 2 — SDLC
Spot the trust boundary
Diagram analysis
User Browser  →  API Gateway  →  Auth Service  →  Database
  [untrusted]      [semi]         [trusted]      [trusted]
                     ↕
              Payment Provider
                 [external]
How many arrows cross between DIFFERENT trust levels?
C — Three boundaries. (1) User→API Gateway (untrusted→semi), (2) API→Payment Provider (internal→external), (3) API→Database (semi→trusted). The API→Auth connection is NOT a boundary IF both are mutually authenticated within the same VPC at the same trust level. The skill isn't counting arrows — it's asking "what's the trust level on each side?"
#4 · Module 2 — SDLC
Shift-left gone wrong
Scenario
Your team added SAST scanning to the CI pipeline. First run: 247 findings. Team is overwhelmed, developers start adding // nosec comments to suppress warnings. Velocity drops 30%.
As Security Champion, what's your move?
Triage first — classify by severity, suppress true false positives with documented reasons, create tickets only for critical/high. Set a baseline: new code must pass clean, legacy debt gets a separate backlog. The golden rule: don't block the dev workflow. 247 findings at once is a wall, not a gate.
#5 · Module 2 — SDLC
The four layers
Matching
Classify each requirement by its layer in the security requirements taxonomy.
Layer 1 — Business requirements
Layer 2 — Secure functional
Layer 3 — Functional security
Layer 4 — Dev & ops
(a) Layer 3 — MFA is a security feature. (b) Layer 1 — what the product does. (c) Layer 4 — build pipeline control. (d) Layer 2 — security property of a business function. The taxonomy helps Champions speak the PM's language: Layer 1 and 2 go in the PRD, Layer 3 and 4 go in technical specs.
#6 · Module 3 — OWASP
The modern injection
Code review
app.post('/search', (req, res) => {
  db.collection('users').find({ 
    username: req.body.username,
    password: req.body.password 
  });
});
What happens if the attacker sends this as the password?
{ "$gt": "" }
NoSQL Injection — A05:2025. The MongoDB query becomes { username: "admin", password: { "$gt": "" } } which matches any non-empty password — the attacker logs in as admin without knowing the password. Fix: (1) Validate input types explicitly (if (typeof password !== 'string') reject). (2) Use a schema validator like Joi or Zod. (3) Use $eq operator explicitly. Classic SQL injection is caught by ORMs — NoSQL injection is the vector mid-level devs encounter today.
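The bypass and fixes (1) and (3) from the answer above, as an added example that is not part of the original exercise. `matches()` is a small stand-in for MongoDB's filter matching that models only equality, `$eq` and `$gt`; the user record and helper names are constructed for illustration.

```javascript
// Constructed user store. A real application stores a password hash and
// compares it outside the query; the plaintext field mirrors the exercise.
const USERS = [{ username: 'admin', password: 'constructed-pw-1' }];

// Stand-in for MongoDB filter matching (assumption: only equality, $eq, $gt).
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond === null || typeof cond !== 'object') return value === cond;
    return Object.entries(cond).every(([op, arg]) => {
      if (op === '$eq') return value === arg;
      if (op === '$gt') return typeof value === typeof arg && value > arg;
      throw new Error(`operator ${op} is not modelled here`);
    });
  });
}

// Same shape as the exercise: request body fields go straight into the filter.
function vulnerableLookup(body) {
  const filter = { username: body.username, password: body.password };
  return USERS.find((u) => matches(u, filter)) ?? null;
}

// Fix (1): accept only bounded, non-empty strings, so an object such as
// { "$gt": "" } never reaches the query layer.
function parseCredentials(body) {
  const { username, password } = body ?? {};
  for (const v of [username, password]) {
    if (typeof v !== 'string' || v.length === 0 || v.length > 256) return null;
  }
  return { username, password };
}

// Fix (3): wrap values in $eq so they are always treated as literals.
function hardenedLookup(body) {
  const creds = parseCredentials(body);
  if (creds === null) return null;
  const filter = {
    username: { $eq: creds.username },
    password: { $eq: creds.password },
  };
  return USERS.find((u) => matches(u, filter)) ?? null;
}
```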
#7 · Module 3 — OWASP
The helpful error
Code review
app.post('/login', (req, res) => {
  const user = db.findUser(req.body.email);
  if (!user) {
    return res.status(401).json({ 
      error: `No account found for ${req.body.email}`
    });
  }
  if (!bcrypt.compareSync(req.body.password, user.hash)) {
    return res.status(401).json({ 
      error: 'Incorrect password for this account'
    });
  }
});
This code has TWO security issues. Can you spot both?
(1) User enumeration — different error messages for "user not found" vs "wrong password" let attackers confirm which emails exist. Fix: use a generic "Invalid credentials" for both. (2) The email is reflected back in the response — potential XSS if rendered in a frontend, and it confirms the email to an attacker.
#8 · Module 3 — OWASP
The abandoned dependency
Scenario
Your project uses a popular npm package (12k GitHub stars) for PDF generation. You notice: last commit 14 months ago, 3 open CVEs all unpatched, maintainer's last activity: 8 months ago.
What's your recommendation to the team?
A03:2025 — Software Supply Chain Failures. Options: (1) Find an actively maintained alternative, (2) Fork and patch the CVEs yourself (only if critical), (3) If neither is feasible, document the risk, restrict the package's permissions, and add monitoring. "It has 12k stars" is not a security argument.
#9 · Module 4 — Threat Modeling
Classify the threat
STRIDE
A user modifies the is_admin: true field in their JWT token payload. The server accepts it without signature verification.
Which STRIDE category?
D — Both Tampering AND Elevation of Privilege. Data is modified in transit (Tampering), AND the user gains admin rights they shouldn't have (Elevation). In practice, many real threats map to multiple STRIDE categories. The critical failure: the server doesn't verify the JWT signature.
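The critical failure named above, shown next to the check that prevents it, as an added example that is not part of the original exercise. It assumes HS256 tokens and Node's built-in `crypto` module; the function names, claims and secret are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (text) => Buffer.from(text, 'utf8').toString('base64url');
const fromB64url = (part) => Buffer.from(part, 'base64url').toString('utf8');

// Issue an HS256 token (header.payload.signature).
function signHS256(claims, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// The server in the scenario: decodes the payload and trusts it.
function decodeWithoutVerifying(token) {
  return JSON.parse(fromB64url(token.split('.')[1]));
}

// Verify before trusting any claim. Returns the claims, or null on any failure.
function verifyHS256(token, secret) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    // Pin the algorithm on the server; a token must not choose its own
    // (this also rejects "alg": "none").
    const header = JSON.parse(fromB64url(head));
    if (header === null || header.alg !== 'HS256') return null;
    const expected = createHmac('sha256', secret).update(`${head}.${body}`).digest();
    const given = Buffer.from(sig, 'base64url');
    // timingSafeEqual throws on a length mismatch, so compare lengths first.
    if (given.length !== expected.length) return null;
    if (!timingSafeEqual(given, expected)) return null;
    return JSON.parse(fromB64url(body));
  } catch {
    return null; // malformed base64url or JSON
  }
}

// Constructed test input: rewrite claims but keep the old signature, which is
// the edit described in the scenario.
function withEditedClaims(token, changes) {
  const [head, body, sig] = token.split('.');
  const claims = { ...JSON.parse(fromB64url(body)), ...changes };
  return `${head}.${b64url(JSON.stringify(claims))}.${sig}`;
}
```

In production, use a maintained JWT library and also validate claims such as `exp`; the point here is that no claim is read until the signature check has passed.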
#10 · Module 4 — Threat Modeling
The missing diagram
Scenario
Sprint planning. A new feature: "Allow users to export their data as CSV via email." The PM says it's simple — just a button and an email. No threat model needed.
As Champion, give THREE reasons this needs a threat model.
(1) New trust boundary: the email service is external — data leaves your perimeter. (2) PII exposure: CSV contains user data, email is not encrypted at rest. (3) Abuse vector: an attacker could trigger mass exports to flood the email service (DoS) or enumerate users. "Simple" features often have the most hidden threat surface.
#11 · Module 4 — Threat Modeling
Prioritize these threats
Ranking
You ran STRIDE on a payment API and found three threats. Rank them by DREAD score (highest risk first). Click in order.
One defensible ranking: B → A → C. (B) Admin panel exposure has highest Damage + Exploitability. (A) No rate limiting is high Reproducibility but moderate Damage. (C) Truncated card numbers are low risk by PCI standards. BUT: your team might rank differently. The skill is defending your ranking with DREAD criteria, not memorizing one order.
#12 · Module 5 — Supply Chain
The Dockerfile
Code review
FROM node:latest
COPY . /app
WORKDIR /app
RUN npm install
RUN npm run build
USER root
EXPOSE 3000
CMD ["node", "server.js"]
Find THREE security issues in this Dockerfile.
(1) FROM node:latest — unpinned tag, could pull a compromised image. Pin to a specific digest. (2) USER root — container runs as root. Use a non-root user. (3) COPY . /app copies everything including .env, .git, node_modules. Use .dockerignore. Bonus: no multi-stage build — build dependencies ship to production.
#13 · Module 5 — Supply Chain
The lockfile conflict
Scenario
Monday morning. A PR updates package-lock.json with 47 changed packages. The developer says: "Just ran npm update, everything passes tests."
As Champion, what do you check before approving?
(1) Were any major versions bumped? (2) Run npm audit on the new lockfile — does it introduce new vulnerabilities? (3) Check changelogs for top-level dependencies. (4) Was this intentional or a side effect of npm update pulling transitive deps? "Tests pass" is necessary but not sufficient.
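Checks (1) and (4) can be scripted against the two versions of the lockfile. This added example, which is not part of the original exercise, assumes the `packages` map of lockfileVersion 2/3; the package names and versions are constructed for illustration.

```javascript
// Constructed lockfiles (lockfileVersion 3 layout); package names are hypothetical.
const SAMPLE_OLD_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-pdf': '^2.1.0', 'example-http': '^4.18.0' } },
    'node_modules/example-pdf': { version: '2.1.0' },
    'node_modules/example-http': { version: '4.18.2' },
    'node_modules/example-qs': { version: '6.11.0' },
    'node_modules/example-old': { version: '1.0.0' },
  },
};
const SAMPLE_NEW_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-pdf': '^3.0.0', 'example-http': '^4.18.0' } },
    'node_modules/example-pdf': { version: '3.0.0' },
    'node_modules/example-http': { version: '4.19.2' },
    'node_modules/example-qs': { version: '7.0.0' },
    'node_modules/example-new': { version: '1.0.0' },
  },
};

const MARKER = 'node_modules/';
const majorOf = (version) => Number.parseInt(String(version).split('.')[0], 10);
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
const nameOf = (path) => path.slice(path.lastIndexOf(MARKER) + MARKER.length);

function reviewLockfileChange(oldLock, newLock) {
  const oldPkgs = oldLock.packages ?? {};
  const newPkgs = newLock.packages ?? {};
  const root = newPkgs[''] ?? {};
  // Direct dependencies are declared on the root entry; the rest is transitive.
  const direct = new Set([
    ...Object.keys(root.dependencies ?? {}),
    ...Object.keys(root.devDependencies ?? {}),
  ]);
  const report = { majorBumps: [], otherChanges: 0, added: [], removed: [] };

  for (const [path, entry] of Object.entries(newPkgs)) {
    if (path === '') continue; // the project itself
    const name = nameOf(path);
    const before = oldPkgs[path];
    if (!before) {
      report.added.push(`${name}@${entry.version}`);
    } else if (majorOf(before.version) !== majorOf(entry.version)) {
      const isDirect = direct.has(name) && path === MARKER + name;
      report.majorBumps.push({ name, from: before.version, to: entry.version, direct: isDirect });
    } else if (before.version !== entry.version) {
      report.otherChanges += 1;
    }
  }
  for (const path of Object.keys(oldPkgs)) {
    if (path !== '' && !(path in newPkgs)) report.removed.push(nameOf(path));
  }
  return report;
}
```

A major bump flagged `direct: true` means the declared range changed as well, which is the case to question when the author says the PR is only the result of `npm update`.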
#14 · Module 6 — Secrets
Spot the secret
Code review
import boto3

client = boto3.client(
    's3',
    aws_access_key_id='AKIAIOSFODNN7EXAMPLE',
    aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    region_name='us-east-1'
)
What's wrong here and what's the fix?
Hardcoded AWS credentials in source code. If this repo is public (or gets leaked), anyone has access to your S3. Fix: use IAM roles (for EC2/Lambda), environment variables, or AWS Secrets Manager. Never commit credentials — add pre-commit hooks to catch them (e.g., git-secrets, trufflehog).
#15 · Module 6 — Secrets
The rotation that wasn't
Scenario
Your team uses a shared API key for a third-party payment service. It was created 2 years ago. Three people who had access have since left the company. Nobody knows who else has it saved locally.
What's your action plan?
(1) Assume compromise. Pull usage logs — look for unexpected IPs/regions/times. (2) Rotate — generate new key, update all services, invalidate old one. (3) Audit — review logs for unusual patterns during exposure window. (4) Move to a vault (HashiCorp Vault, AWS Secrets Manager). (5) Set automatic rotation policy (90 days max). (6) New key accessed through vault only, never shared directly.
#16 · Module 7 — Config
The generous CORS
Code review
app.use(cors({
  origin: '*',
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE']
}));
What's the security issue?
origin: '*' with credentials: true is the most dangerous CORS config. It allows any website to make authenticated requests to your API — a textbook CSRF bypass. Fix: whitelist specific origins (origin: ['https://yourapp.com']). Never use wildcard with credentials.
#17 · Module 7 — Config
The intern's access
Scenario
A summer intern needs to debug a production issue. The team lead gives them full production database access "just for today." Three weeks later, the intern still has access.
What principle was violated and how do you fix it?
Principle of Least Privilege + no access expiry. Fix: (1) Create time-bound access with automatic revocation. (2) Give read-only access to a replica, not production. (3) Implement access reviews — weekly audit of who has what. (4) Use just-in-time access tools (e.g., HashiCorp Boundary) instead of permanent credentials.
#18 · Module 8 — IR
It's 2 AM and the pager goes off
Sequencing
Alert: unusual spike in failed login attempts — 50,000 in the last hour, targeting 200 different accounts. Some succeeded.
Put these actions in the correct order. Click them in sequence.
Correct order: E → D → C → B → A. (1) Escalate first — you shouldn't handle this alone. (2) Preserve evidence before it's gone. (3) Understand scope before acting. (4) Contain the attack. (5) Notify users last — you need accurate info before communicating. Acting on B before C might block legitimate users.
#19 · Module 8 — IR
Write the runbook
Structured writing
CRITICAL: Unauthorized data export detected. 50,000 customer records accessed via internal API by service account svc-analytics outside business hours. Source IP: 185.22.xx.xx (non-corporate range).
Write an incident runbook with four sections: Trigger, Steps (first 5 actions), Rollback, Escalate.
TRIGGER: Alert fires when >10,000 records accessed by any service account outside 06:00–22:00 OR from non-corporate IP. STEPS: (1) Confirm alert not false positive. (2) Suspend svc-analytics. (3) Capture session data & preserve logs. (4) Identify all records accessed. (5) Check if credentials were rotated recently. ROLLBACK: Revoke tokens, rotate credentials, block source IP, flag records for breach notification. ESCALATE: Immediately: IR lead + SRE. Within 1 hour: CISO if confirmed exfil. Within 4 hours: Legal if PII confirmed exposed.
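The TRIGGER condition above as detection logic, in an added example that is not part of the original runbook. It reads the rule as more than 10,000 records AND (outside 06:00–22:00 OR a non-corporate source IP); the `svc-` naming convention, the UTC clock, the corporate CIDR and the log events are assumptions constructed for illustration.

```javascript
const CORPORATE_CIDRS = ['10.20.0.0/16']; // assumption: placeholder corporate range
const RECORD_THRESHOLD = 10000;

// Constructed export events (one summary line per API session).
const SAMPLE_EVENTS = [
  { ts: '2024-03-02T02:14:00Z', account: 'svc-analytics', records: 50000, ip: '203.0.113.45' },
  { ts: '2024-03-02T14:05:00Z', account: 'svc-reporting', records: 25000, ip: '10.20.4.7' },
  { ts: '2024-03-02T23:30:00Z', account: 'svc-etl', records: 12000, ip: '10.20.9.1' },
  { ts: '2024-03-03T03:00:00Z', account: 'svc-analytics', records: 800, ip: '203.0.113.45' },
  { ts: '2024-03-03T01:00:00Z', account: 'alice', records: 40000, ip: '198.51.100.9' },
];

function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  const ok = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  const size = 2 ** (32 - Number(bits)); // number of addresses in the block
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// Returns an alert object when the trigger fires, otherwise null.
function evaluateExport(event) {
  if (!event.account.startsWith('svc-')) return null; // rule covers service accounts
  if (event.records <= RECORD_THRESHOLD) return null; // ">10,000" is strict
  const hour = new Date(event.ts).getUTCHours();
  const reasons = [];
  // An unparseable timestamp or IP counts as suspicious (fail closed).
  if (Number.isNaN(hour) || hour < 6 || hour >= 22) reasons.push('outside 06:00-22:00');
  if (!CORPORATE_CIDRS.some((cidr) => inCidr(event.ip, cidr))) reasons.push('non-corporate IP');
  if (reasons.length === 0) return null;
  return { account: event.account, records: event.records, ts: event.ts, reasons };
}

function triggeredAlerts(events) {
  return events.map(evaluateExport).filter((alert) => alert !== null);
}
```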
#20 ⚑ · Module 8 — Capstone
The post-mortem blame game
Interpersonal
Post-mortem meeting after a data leak. The CTO asks: "Who pushed the code that caused this?" A developer looks nervous. The room goes silent.
As Security Champion, what do you say?
Redirect from blame to process: "The question isn't who, but what in our process allowed this to reach production." Blameless post-mortems produce better outcomes — people share information freely when they're not defending themselves. Focus on: what controls were missing, what would have caught it earlier, what systemic change prevents recurrence. This is the single most important interpersonal skill a Champion has — the ability to shift a room from blame to learning.
#21 · Module 9 — Mobile
The trusting app
Code review · Android
val client = OkHttpClient.Builder()
    .hostnameVerifier { _, _ -> true }
    .build()
What does this code do and why is it dangerous?
This disables hostname verification — the app will accept ANY SSL certificate, including a man-in-the-middle attacker's. Often added "temporarily" during development and never removed. MASVS NETWORK-1 violation. Fix: remove the custom hostnameVerifier entirely and use default verification. For dev/staging, use proper test certificates.
#22 · Module 9 — Mobile
The local storage
Code review · iOS
UserDefaults.standard.set(authToken, forKey: "user_token")
UserDefaults.standard.set(refreshToken, forKey: "refresh_token")
What's the MASVS violation here?
MASVS STORAGE-1 — sensitive data stored insecurely. UserDefaults is a plain plist file, not encrypted, accessible to anyone with physical device access or a backup. Auth tokens must go in the iOS Keychain (kSecClassGenericPassword). This is the #1 mobile storage mistake developers make.
#23 · Cross-Module
The pod from hell
Code review · K8s
apiVersion: v1
kind: Pod
metadata:
  name: payment-service
spec:
  hostNetwork: true
  containers:
  - name: app
    image: mycompany/payments:latest
    securityContext:
      runAsUser: 0
      privileged: true
    ports:
    - containerPort: 8080
Find FOUR security issues in this pod spec.
(1) runAsUser: 0 — runs as root inside the container. (2) privileged: true — full access to host kernel, can escape container. (3) hostNetwork: true — shares host's network namespace, bypassing network policies. (4) No resource limits — vulnerable to resource exhaustion DoS. Bonus: image: latest is unpinned.
#24 · Cross-Module
The workflow that trusts too much
Code review · GitHub Actions
name: Build and Deploy
on:
  pull_request_target:
    types: [opened, synchronize]

permissions: write-all

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: some-org/deploy-action@main
    - name: Deploy
      env:
        AWS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
      run: ./deploy.sh
Find THREE security issues in this workflow.
(1) permissions: write-all — violates least privilege. Scope to only what's needed. (2) some-org/deploy-action@main — unpinned third-party action. Pin to a specific commit SHA. (3) pull_request_target + secrets — this combination exposes secrets to code from forks. An attacker opens a PR, the workflow runs with repo secrets on their untrusted code.
#25 · Cross-Module
The React trap
Code review · Frontend
function Comment({ userInput }) {
  return <div dangerouslySetInnerHTML={{ __html: userInput }} />;
}
What vulnerability is this? What's the fix?
Stored XSS — unsanitized user input rendered as raw HTML. An attacker submits a script tag as a comment — every user who views it executes the script. Fix: (1) Use {userInput} without dangerouslySetInnerHTML — React auto-escapes by default. (2) If HTML rendering is needed, sanitize with DOMPurify. This is the #1 frontend security mistake in React apps.
#26 · Cross-Module
The open gate
Code review · Terraform
resource "aws_security_group" "api" {
  name = "api-server"

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Environment = "production"
  }
}
Find THREE security issues.
(1) Ingress opens ALL ports (0–65535) to the entire internet. Only expose the ports your API needs (e.g., 443). (2) Egress allows all outbound traffic — if compromised, the attacker can exfiltrate data anywhere. (3) Tagged production — these aren't dev shortcuts. In production, every open port is attack surface. Infrastructure IS code — review it like code.
#27 · Cross-Module
Frame it for the PM
Communication
You discovered that a critical npm dependency handling payment routing has an unpatched RCE vulnerability (CVE score 9.8). The maintainer acknowledged it but has no timeline for a fix.
Draft a 3-sentence Slack message to your PM that frames this in business impact — not CVE scores.
Example: "Hey — the library that routes our payment transactions has a confirmed security hole that could let an attacker execute code on our servers. If exploited, we'd face payment processing downtime and potential card data exposure — both PCI compliance violations. I recommend we switch to [alternative] this sprint; I've scoped it at ~2 days of work."

Champions who frame security in dollars and downtime get budget. Champions who say "there's a 9.8 CVE in our transitive dependency" get blank stares.
Challenge Bank Complete
27 exercises across 9 modules
Every exercise here mirrors something that happens in production. The patterns you practiced — spotting injections, classifying threats, writing runbooks, framing risk for stakeholders — these are the daily tools of a Security Champion.