Gamify Security Training with Developer CTFs

“I learned more about security in one day than I have in years as a developer.” An engineer told me this immediately after the awards ceremony for our first CTF tournament. Approaching development with a security mindset does not come naturally to everyone. I was managing server infrastructure and security for an engineering organization of otherwise very intelligent and talented engineers who simply had not been exposed to much security training in their careers. While our applications were well designed in other respects, security at the time was an afterthought.

We could have taken the traditional security training route, but I decided to try an approach that would put the developers in the mindset of the attacker. Capture the Flag tournaments have long been used to test hacker skills, but they can also serve as effective security training for developers. I’ll share a case study in which I turned teams of developers with no prior security training against each other in a CTF cloud arena featuring their own applications, and watched them rack up points as they popped shells in each other’s applications and filed bugs in our bug tracker. I’ll cover the rules, the scoring, and the preliminary training leading up to the tournament, as well as how I set up the arena and the results of the tournament itself.