How to make your security training fun? Think like a hacker
Secure code training was without doubt one of the first things Chief Technology Officer Rob Zuber asked me to tackle after I started as CircleCI’s first security engineer a couple of years ago. He wanted it to be fun. He wanted it to create tension in people’s chests.
A few years earlier, he’d taken part in a security training event at Google. During an exercise at the event, he discovered a vulnerability that was wide open on his service. His heart started pounding as he raced to patch it. That pulse-racing experience changed the way he thought about software. He wanted all of our developers to experience it.
We looked at every training imaginable, from online courses to flying the whole department to a security conference as an offsite. None of them promised that same visceral experience.
As an organizer and MC of the Bay Area OWASP Meetups, I get pitched plenty of presentation ideas. One came from a small company based out of Hungary called Avatao, which offers secure code training. This was hands-on breaking of things, with some guidance, and it felt different from the manual static code review games and similar things I’d been aware of.
The training platform was designed by three security researchers who, not coincidentally, have been finalists several times at the DEF CON CTF. It consists of a couple hundred modules on everything from binary exploitation to SQL injection to language-specific issues. And it’s extensible. If we wanted something they didn’t have, they’d build a module or help us write one.
The perfect opportunity
While my security training research was starting to bear fruit, our Engineering and Product teams were busy planning a week-long offsite in Las Vegas. I was given four hours of prime time after lunch on the second day to run a game, and knew this would be a great opportunity to invite Avatao to come work face-to-face with our team.
Together with a few others from our security team, we selected a list of 12 modules focused on the topics most relevant to our engineers’ daily lives: things like Docker secrets, OWASP Top 10 exploits like Cross-Site Request Forgery, a Vault tutorial, and default passwords. For good measure, we threw in replications of a couple of real-world hacks like the Facebook ImageTragick exploit.
After lunch on that second day of the offsite in Las Vegas, the Avatao folks set up two big scoreboards at the head of the room and kicked off the competition with all participants breaking into pairs. Pair programming is a big part of the culture at CircleCI, so we used that for the event, too. As a twist, we deliberately paired engineers with people and teams they didn’t typically work with and arranged them based on experience level.
Half an hour in, I knew it was a success. Every engineer was focused on their screen, not a single person was sitting back and chatting, and there was a sense of competition in the room. Blessedly, the two scoreboards on the projection screens showed every team was making progress.
At the end of two hours, we handed out prizes, held a Q&A with the Avatao folks, and then broke into groups of six engineers so they could discuss both what each person had learned and what was most relevant to our internal processes. Finally, everyone moved to an adjoining room for cocktails, coffee, and lock-picking exercises.
Lessons learned, securely
For me, there were four key lessons I took away from this event:
- Focus on the modules your audience uses every day. Just because the security team is excited about an esoteric exploit doesn’t mean everyone else will be.
- Keep the exercises short for quick wins. It’s important that people feel like they can do security, rather than driving home the idea that security is hard and should be left to specialists.
- Assemble a group of engineers from across the department to shape the curriculum and test it in advance. This not only aligns the modules with real needs, it creates teaching assistants for the event who can triage problems.
- Security is more than just code. Add activities on either side of the programming, like lock picking, to keep the fun quotient high.
For others, the event took away some of the mystery around how specific issues like cache poisoning happen. Reverse engineering real-world hacks like ImageTragick is fascinating. The modules were challenging, but not discouraging.
“Capture the flag was cool,” said Software Engineer Breon Knight, who paired with a Principal Software Engineer. “It was interesting to see it from a principal level engineer’s mindset.” And our VP of Platform, Michael Stahnke, commented: “Who knew security training wasn’t just ’90s clip art with the bad guys wearing ski masks while typing?”
Software Engineer Jacqueline Garcia said it was interesting to see security bugs firsthand and to spend two hours discussing them with a teammate. That made her think differently about building security into coding practices.
“What I enjoyed the most was the collaboration involved,” she said.
For teams looking to improve their security competency or skills, I’d strongly consider putting together a hands-on event such as this one. The time it takes to plan and assemble a hackathon of this kind is well worth the ROI, and it’s more interesting than the standard training you hear about. It brings teams closer together and improves communication and processes in the event of a real security threat. And if you need any ideas, or at least a good playlist to jam out to during the event, I have a few to share with you.
Published March 23, 2020 — 07:00 UTC