For the Win! Reflecting on Vivun’s First CTF Event

Tim Messing

As Vivun continues to grow, the security of our products and the trust that our customers place in us with their data are paramount. In order to deliver on this, we must provide continuous learning options to our engineers so they can not only build useful, stunning, and reliable software, but also build it securely.

Secure software development is a broad and complex topic that is much easier to digest through hands-on activities. It’s one thing to read about SQL Injection in the OWASP Top 10, and another thing entirely to craft a payload that you send to an application and watch as it dumps the contents of the user database table. Enter the Capture the Flag (CTF) event.

Capture the flag

The highlight of the year for secure software development training at Vivun occurred during October for Cybersecurity Awareness Month, when we hosted an optional two-week Capture the Flag event. For those not familiar, this type of event is a gamified competition among players trying to find and use exploits in a deliberately vulnerable application. Behaving like hackers, players are awarded points based on the exploits they take advantage of.

The key thing to note here is that issues our players discover in Capture the Flag are potential vulnerabilities that might be found in any application, and they are also exploited using the same techniques. So the event provides a hands-on learning experience while also making it fun for players who are competing for first place.

Setting up CTF for a distributed team has its challenges

When DJ Wiza and I started planning this event, we had to think through a lot of variables, but the most important aspect was the vulnerable application itself. This was the hands-on part of the event where players would interact and cement their learning. There are many platforms available to utilize for this and we chose the most well-known, OWASP Juice Shop. This platform has a large number of flags to be found, ranging across many different security vulnerabilities.

However, OWASP Juice Shop is mainly set up for self-paced, structured learning. The platform has a comprehensive guide and other online resources created by the community to walk players through the different exercises. For our CTF event, we wanted players to utilize their knowledge and skills to work through the exercises rather than simply walk through the guide to earn points.

Another challenge the event faced was that Vivun employees span many time zones, including those in the United States and Europe. This meant that we couldn’t all join a meeting for a kickoff session or regular check-ins. We had to be creative, thoughtful, and intentional in how we would carry out the event, and ensure that Capture the Flag would still be just as fun and engaging as if all the players were in the same room together, hacking away.

To overcome these obstacles, we took a number of different approaches and blended them together. To address the challenge of using a platform that is well known and has a lot of material to assist players towards the answers, we went through the process of “de-juicing” the OWASP Juice Shop. For starters, we transformed the look and feel of the shop from the OWASP Juice Shop to the Vivun Swag Shop. The platform would be an online store for some of the coolest Vivun apparel. There were also references in the exercises to the OWASP Juice Shop, so this meant additional customization, and even disabling some exercises, to make everything Vivun-specific for the event.

To address the challenge of distributed players, we held the event entirely asynchronously. Tools like Slack and Confluence made it easy to disperse details about the event so that players could consume the information when they had the time. We also recorded a few videos in which we shared our screen to talk about aspects of the event, give instructions on how to play the game, and divulge tips on how to use tools to assist in gameplay.

To keep the event engaging throughout the entire two weeks, we reached out to the players each day, provided hints and exercises, and displayed a leaderboard to inspire friendly competition. This asynchronous communication model worked well for the event, and we would highly recommend it if you are faced with similar challenges hosting your own Capture the Flag event.

The results

Overall, the Capture the Flag event went well. Because the event was entirely optional, we didn’t have as many players as we would have hoped for, but the engineers who did participate considered it worthwhile. Player Kevin Perrine remarked, “I’ve really been loving this CTF. I’ve learned so much and realized how easy some things are and how much my thinking around dev needs to switch.” As for the grand prize for first place, DJ created a custom trophy!

One of the main lessons we learned from holding the Capture the Flag event is that it requires a lot of time, effort, and planning to coordinate. It is also inevitable that something will go wrong in the execution, such as players discovering a bug in the OWASP Juice Shop that displays a bunch of flags to them. Nevertheless, the event was rewarding and our time was well spent, as the players learned new aspects of software security.

Looking forward to what’s next

We had fun planning and hosting this event, and we know the players enjoyed it as well. Our goal now is to host a Capture the Flag event at least once a year and we are already forming ideas for the next one. Each event will be different and fresh, and as the engineering organization continues to grow, we must keep up with providing engaging training. The active learning benefit that comes from these events is undeniable. The more adept Vivun’s engineers are at secure software development, the better Vivun will continue to deliver on its promise of providing secure products for our clients.

Tim Messing, December 7, 2022