Application security is often overlooked, under-funded, or ignored. Part of the reason for this is because it can be a complex, difficult aspect of IT security…but mostly it's because it's simply misunderstood.
When I speak with CISOs and other InfoSec professionals, the perception is that AppSec is a frustrating, vexing problem for them: the tools are expensive, burdensome, and inaccurate; developers won't take procured training; and there's a distinct sense of being overwhelmed by dependence on so many applications and so much code to run their business. Despair and lack of visibility leave organizations with the question "Where do we start?" and that question frequently never gets answered.
In other industries when we have complex and difficult problems, we turn to simulations, collaboration, and situational awareness to solve the challenge. This is precisely what some groups are doing with application security.
On Tuesday of this week, Women in Security and Privacy (WISP) partnered with the Wikimedia Foundation and Security Innovation to offer members a fun "find the vulnerabilities" game that taught the importance of effective website security and secure coding habits. WISP brought the players (nearly 100 of them!), Wikimedia provided the venue, and Security Innovation staffed the event with 3 of our subject matter experts and the software from our CMD+CTRL Web Hackathon product.
Leveraging cheat sheets and other easy-to-understand tips, participants of all skill levels learned how hackers break into websites in a fun and realistic environment. And then they tried some hacking themselves! The Hackathon game features authentic (and intentionally vulnerable) websites to introduce core concepts, and it is played as a group. We didn't need to remind players they were using simulation, situational awareness, and collaboration to acquire skills. It was just part of a fun game.
Just like in most games, the concept of earning points gives a sense of accomplishment. The challenges are meant to simulate actual attacks or hacks that players have heard about, e.g.:
- Breaking into someone else's account
- Transferring/stealing money
- Adding items to an online shopping cart and buying them for $0
Security Innovation has donated and hosted similar CMD+CTRL Web Hackathon events for middle-school kids in Montana and at the RSA Conferences in both the US and Europe. We sell the product/event to our customers, and I've been amazed at the range of organizations that have used it (often on multiple occasions) as part of their core training program. Industries have ranged from consumer electronics to sports apparel, software, outdoor gear, medical devices, and insurance.
The shortage of application security skills, the inability to measure AppSec risk, and the proliferation of web-borne attacks have many worried. These simulation games make application security feel accessible and real. They give teams the confidence that, while it isn't a walk in the park, they can help reduce vulnerabilities and risk even with simple best practices. If more executives could see the passion and fun their teams can have for security and the instant learning and gratification that occurs, I am confident they would invest in it. Hackathons and other types of hands-on, authentic events lead to businesses understanding the issues better, which means your defensive posture improves.