Want secure products? Start your engineers thinking like hackers.

Nov 17, 2022


Engineers are a line of defence

Security threats in the online world are only increasing. Organisations need their engineers to be a line of defence against threats and vulnerabilities by releasing solid and secure code.

If you are part of a security team or an engineering leader, trying to gate-keep code is a near impossibility - you’ll never find that bad line of code before it ships, or even long after. Worse still, even the best analysis tools cannot spot whole classes of security coding issues.

Requiring your engineers to sit through 'funny' training videos and multiple-choice quizzes will neither win hearts and minds nor make your products more secure. You need a different approach to bringing good 🔥.

Engage to empower

Your engineers are the folks who live in the code that runs your products and services. Engage with them and turn your risk into an asset. Let them know they are a line of defence, and what needs to be defended against. Tell them who and what the threats are (sadly, real news stories are easy to supply).

Education, Education, Education

A key challenge is that engineers are not always security aware, but as Specialising Generalists, most engineers love learning by doing. Help them think like the hackers you want to defend against and they will take better precautions.

I’ve harnessed this in literal hack-days - where groups of engineers have teamed up to try their hand at hacking challenges - seeing who can complete the most challenges in an hour.

Game-days such as these often produce delightful side-effects. A few times, post hack-training, engineers have spotted a similar avenue of attack in production code, and have fixed it up, a true reward indeed.

Where to start

Here are a few of the sites I have liked and used.

  1. Google’s XSS game focuses on a single class of problem, offering puzzles in injecting JS into pages in increasingly complex ways. Its single focus might not be for everyone - but it's a great way to get the party started, and XSS is a very common issue.
  2. Game of Hacks challenges engineers to spot problems and vulnerabilities in code snippets. It supports many languages but can feel a little dry; short bursts, or playing on a shared big screen, could bring the energy.
  3. OverTheWire hosts several wargames that start simple and get progressively more difficult. Natas presents increasingly difficult challenges over HTTP; Bandit looks like a fun introduction to OS-level hacking.

Ready to scale up? Time for a CTF?

If you want to run something a little more complex for your teams, Capture the Flag events are great competitive challenges that help bring teams’ security knowledge to the fore. I’ve not run one of these (yet), but OWASP’s Juice Shop supports CTF and offers great advice for hosting CTFs.