“Capture the Flag” for Developers: Upping your Training Game

Presented at AppSec USA 2017, Sept. 21, 2017, 3:30 p.m. (45 minutes)

Getting developers to care about security is tough, but turning your developer training into a hands-on puzzle game with a Capture the Flag (CTF) event can create excitement while effectively accomplishing the real goal of the training. Permanently open their eyes to what goes wrong when security controls are left out and give them the attacker's perspective to look critically at their code moving forward. Consider that students remember 20% of what they hear - and 90% of what they do. Hands-on training is radically more effective.

This presentation will discuss the pedagogical underpinnings to the technique (so management will approve it), and practical recommendations on implementing an event (so that the participants will have a good time). After several years of running events in a variety of contexts, I'll share some success stories and admit to some failures that will help put you on the right path for your own event.

Topics will include:

  • Designing your event infrastructure to minimize risk and satisfy IT policies.
  • Preparing difficult, but solvable challenges.
  • Managing players while encouraging them to break the rules.

Presenters:

  • Mark Hoopes - Senior Application Security Engineer - Aspect Security
    Mark Hoopes has been working in enterprise IT delivery for nearly 20 years in an assortment of roles including development, project management, and major incident management. He found his niche in application security and has been effectively on vacation ever since. Throughout his career Mark has been an instructor of numerous virtual training sessions and full-day live courses. He gets irrationally excited about demonstrating technically interesting topics to others, leading him to be an active member of his local hackerspace. He cut his teeth as a presenter at OWASP SnowFROC 2016. A love of puzzles and learning by doing has also led Mark to be a frequent Capture the Flag competitor and developer.
