November 8, 2022, 9:58 AM. It’s the end of the security committee meeting, and a conclusion is evident: we need to raise awareness/train our teams on security. 

Training is good, but most of the team are already seasoned developers, so there's a good chance it won't make enough of an impression on them. Books? They would need to be motivated to read, and it's unclear whether that would even make them more sensitive to the risks.

A Creative Approach

When you don't know, you ask those who do. Conducting research to see what others are doing often leads to new ideas.

I have an abundance of training courses and books on computer security, but I know these won't help. Instead, someone suggested trying something different (1). Organizing a Capture the Flag (CTF) event would allow them to get their hands dirty and understand the impact of a security vulnerability. The challenge here would be to include all the programming languages that we use internally and add a section for admins/devops.

What’s a Capture the Flag Event?

A CTF is an event where teams of varying sizes (in our case, limited to 4 people) compete to achieve the highest score. They are presented with a series of challenges or computer puzzles of varying difficulty. The objective is to find the vulnerability in the challenge. Points are awarded when one of the team members successfully exploits the intentionally created vulnerability in a challenge.

At Camptocamp, a multidisciplinary team was assembled to create the challenges. We needed Python, Java, infrastructure, and "all-level" tasks. We proposed a wide range of puzzles that anyone, even non-technical individuals, could solve.

One of the challenges, for example, involved proving that MD5 is not secure (md5-collision/minced). In this challenge, the first step was to discover the "robots.txt" file (its existence was given as a hint in the challenge). It pointed to a file containing a password hashed with MD5. Searching for that MD5 hash online returned the password in plain text.
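The lesson behind that challenge, as an added example that is not part of the original post or the CTF repository: an unsalted, fast hash such as MD5 can be inverted by a precomputed lookup table (the "search" step above, simulated here with a constructed five-word list), whereas a salted, slow password hash defeats that table. Wordlist, the leaked password and the iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for the public hash databases the challenge relied on
# (assumption: the real ones hold billions of entries, but the principle is the same).
WORDLIST = ["password", "letmein", "camptocamp", "hunter2", "qwerty"]
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def md5_hex(text: str) -> str:
    """Unsalted MD5 as stored in the challenge's leaked file."""
    return hashlib.md5(text.encode()).hexdigest()


def build_md5_table(words) -> Dict[str, str]:
    """Precompute digest -> word. This is cheap precisely because MD5 is fast
    and the same password always yields the same digest."""
    return {md5_hex(w): w for w in words}


def lookup_md5(digest: str, table: Dict[str, str]) -> Optional[str]:
    """The 'search the hash' step of the challenge, done offline against the table."""
    return table.get(digest.lower())


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: a random per-user salt makes a precomputed
    table useless, and the iteration count slows every guess down."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def demo() -> Tuple[Optional[str], bool, bool]:
    table = build_md5_table(WORDLIST)
    leaked = md5_hex("camptocamp")           # constructed: the hash found behind robots.txt
    recovered = lookup_md5(leaked, table)    # instant hit, no brute force needed
    salt, stored = hash_password("camptocamp")
    _, stored_again = hash_password("camptocamp")  # same password, different salt
    return recovered, stored != stored_again, verify_password("camptocamp", salt, stored)
```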

Other, more challenging tasks involved taking control of a remote server. Once they had a shell, participants had to retrieve the pod's Kubernetes access and use it to read a secret from the API. Only two teams succeeded in completing this challenge.

The infrastructure was set up in AWS using their EKS solution, with access restricted to Camptocamp's IP addresses. All of this was quickly accomplished thanks to the Devops Stack (2).

The competition was tough among the teams. Non-technical participants struggled, but they didn't leave empty-handed: they managed to capture the "small" flags and understood the concepts we wanted to convey. This is exactly what we had envisioned.

Of course, some players pushed the infrastructure to its limits, as evidenced by the excessive CPU consumption. They later admitted to launching a recursive grep at the root of the challenge. It's disappointing; they could have at least mined some bitcoin.

At the end of the challenges, we distributed the challenge code and added writeups so that those who wished could revisit the tasks (3).

In the end, 11 teams competed with a total of 38 players and 12 challenges.

Some had their baptism by fire and got hooked on the game. For many, it was their first experience with the world of security, and they wholeheartedly embraced it. People who had never talked to each other formed teams and collaborated for the first time to increase their chances of "flagging." The initial objective, let's remember, was to train the teams on security risks, and that goal has been achieved.

The CTF event has helped raise awareness of security more than any book and/or training course. And the people present had a great time. So, we're killing two birds with one stone.

You can find more information about this at the following links:

  1. Medium article on organizing an internal security competition
  2. Devops Stack website
  3. Capturethecamp GitHub repository