Today we had a combined application security event with another tech company.
It was the first time we ran the combined event and it involved security champions from both companies.
We had planned on spending the morning reviewing 4 security concepts; XSS, CSRF, RCE and SSRF.
The initial idea was to spend 30 minutes on each concept. 10 minutes presenting the concept, 15 minutes for everyone to work on a CTF (capture the flag) challenge that is based off that concept and the last 5 minutes to work through the solution. That would have taken us till lunch time. After lunch we would do the CTF challenge proper until 3:30pm were we would then walk though the solutions. The event should conclude at 4pm.
We ended up spending quite a bit of time getting everyone setup with Burpsuite. The presentation on the first topic was XSS and that went according to plan. The CTF challenge for XSS took everyone a lot longer than we had anticipated to complete. In all fairness, it was not an easy CTF challenge and we had to give out a number of hints. By the time we did the walk through, it was lunch time.
After lunch, we did the second security concept, CSRF. After the presentation, we decided to open up all the challenges instead of just the CSRF challenge. Everyone worked through the challenges until around 3:45pm. Some teams were able to complete the challenges and some were also able to complete additional challenges.
We didn’t cover as many as we had planned, but the verbal feedback from everyone so far has been very positive. They all enjoyed it, found the training useful and the collaboration with the other company good; and are already asking about the next event.
Below is the final scores from the CTF.