“I learned more about security in one day than I have in years as a developer.” This was something an engineer told me immediately after the awards ceremony for our first CTF tournament.
Approaching development with a security mindset is not something that comes naturally to everyone. I was managing server infrastructure and security for an engineering organization of otherwise very intelligent and talented engineers who just hadn’t been exposed to much security training in their career. While our applications were well designed in other ways, security at the time was an afterthought. While we could have taken the traditional security training route, I decided to try an approach that would put the developers in the mindset of the attacker.
Capture the Flag tournaments have long been used to test hacker skills, but they can also serve as effective security training for developers. I’ll share a case study where I turned teams of developers with no prior security training against each other in a CTF cloud arena featuring their own applications, and watched them rack up points as they popped shells in each other’s applications and filed bugs in our bug tracker. I’ll cover the rules, the scoring, and the preliminary training leading up to the CTF tournament, as well as how I set up the arena and the results of my own CTF tournament.
Kyle Rankin is the vice president of engineering operations for Final Inc. and the author of a number of books, including DevOps Troubleshooting, The Official Ubuntu Server Book, Knoppix Hacks, and an upcoming book on server hardening. Kyle is an award-winning columnist for Linux Journal and has written for PC Magazine, TechTarget, and other publications. He speaks frequently on security and open source software at conferences such as OSCON, SCALE, CactusCon, Linux World Expo, and Penguicon and a number of Linux user groups.
©2016, O’Reilly UK Ltd