Good quality education is essential for the success of a security program. We take a look at Snyk's free interactive learning platform, Snyk Learn, which covers multiple programming languages and vulnerability classes.
The Snyk Learn platform
Snyk has been around since 2015 and is currently my go-to Software Composition Analysis (SCA) tool, helping me manage code and image dependencies. Whilst primarily known for its high-quality, developer-first SCA solution, over the last couple of years Snyk has really started to expand its portfolio.
Snyk Learn is a free platform that can help you teach your development team to code securely in a fun and engaging way.
Look and Feel
When landing on the Snyk Learn home page, you are greeted with the familiar no-nonsense styling. Clicking on the lessons link will pull up the entire catalogue, which can be filtered by one of the supported languages.
Entering a lesson pulls up a clean-looking page, with the lesson content to the left and a progression tracker to the right.
When scrolling the content, everything remains well laid out and accessible. Whilst it doesn't have that exciting gamified styling provided by Secure Code Warrior, it certainly provides a clean and pleasant learning environment.
Lessons are currently based on 7 different languages:
Each language has a variable number of lessons, based on the most common weaknesses found in code scanned by the Snyk SCA tool.
At the time of writing, 27 different interactive lessons are available covering things like SQL injection, Cross-Site Scripting and big-hitting vulnerabilities like Spring4Shell.
The learning experience
Each lesson is broken down into manageable chunks. You can track your progress using the menu on the right-hand side and easily navigate through the different sections.
Learn about the vulnerability
The first section you encounter will give you some information about the vulnerability you are learning about. It's high-level and easy to understand; for example, the SQL injection introduction is as follows:
You are given easy-to-understand, clear objectives and goals for the interactive session and overall lesson. I love the inclusion of the "fun fact" as it helps promote the casual and fun feel of the platform.
Multistage interactive exercise
Each interactive exercise has several stages. In these stages, you are given specific instructions to execute using virtualised applications, browsers and terminals. The use of real-life tools like Nmap and cURL brings a bit of realism to the exercise and gives a better insight into how the weakness can be exploited in the wild.
Getting under the hood and understanding mitigation
It's great to have hands-on experience of exploitation, but the technical aspect needs to be explained. Snyk Learn does this well, providing detailed information via text, code snippets and diagrams to show you what is happening under the hood and how to protect yourself.
I particularly liked the code tour option as it continues the interactive theme keeping the student engaged ... there will be no falling asleep in this class!
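To give a feel for the kind of vulnerable/fixed pair a lesson of this type walks through, here is an added example of the SQL injection case mentioned above. It is my own illustration, not lesson material from Snyk Learn, and it uses a constructed in-memory SQLite table with made-up rows: the vulnerable lookup concatenates user input into the query string, while the fixed lookup binds it as a parameter so quote characters in the input are treated as data.

```python
import sqlite3

# Classic tautology payload: closes the string literal and appends an always-true condition.
PAYLOAD = "' OR '1'='1"


def make_db():
    # Constructed sample data (not from any real application or from Snyk Learn).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0)],
    )
    return conn


def lookup_vulnerable(conn, username):
    # VULNERABLE: untrusted input is spliced straight into the SQL text,
    # so a quote in the input changes the structure of the query.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    # FIXED: a parameterised query. The driver sends the value separately
    # from the statement, so it can only ever be compared as a string.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),  # leaks every user
        "safe": lookup_safe(conn, PAYLOAD),              # matches nothing
        "safe_normal": lookup_safe(conn, "alice"),       # still works for real input
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12} -> {rows}")
```

Running it shows the vulnerable lookup returning both users for the payload while the parameterised version returns nothing, which is exactly the "what happened under the hood, and how to fix it" contrast the lessons aim to teach.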
Each lesson closes with a collection of quality additional resources for those that want to deep dive into the topic and learn more.
What do we think?
I love interactive learning! Sitting in front of a corporate video with a multiple-choice question extravaganza at the end isn't for me.
As with most Snyk products, this platform is developer-focused. It has a good balance of code and offensive security, ensuring its target audience is educated but not overwhelmed. Budding offensive security professionals should look elsewhere; Hack The Box, OffSec Proving Grounds or, my personal favourite, TryHackMe would be a better option.
Limited but quality content
As far as content is concerned, there isn't a massive amount on the Snyk Learn portal at the moment, but what is there is well laid out, informative and fun. Knowing Snyk and how fast they operate, I'm sure we will see many more lessons appear as the platform matures.
Suitable for small teams and individuals
There is no centralised management for the learning. Because of this, it's not really suitable for large corporate environments, but for small teams or as an additional learning tool, Snyk Learn is a great option.
If you are looking for something that really works at scale check out Secure Code Warrior.
Like other learning platforms, Snyk has embraced the microburst learning mentality by integrating Snyk Learn with its SCA platform and IDE. If a relevant vulnerability is identified, it automatically suggests the corresponding lesson.
Snyk is continuing to expand and innovate in the application security space. It's great to see an offering of this quality being made freely available, and I'm really looking forward to seeing how this platform develops over time.