How Capture the Flag Raises Security Awareness and Enhances Enforcement

Cybersecurity is an organization-wide priority for software companies that requires a serious investment in planning, education and sometimes fun & games

JFrog CTF 2023 main image

While many are familiar with championship sports teams like Manchester United, the New York Yankees and Montreal Canadiens, the real question is whether you have ever heard of perennial champions such as “Plaid Parliament of Pwning”, “More Smoked Leet Chicken” and “Dragon Sector”. If not, then get ready to meet the leading teams in the Capture the Flag (CTF) international cybersecurity competition.

Fast forward to the new millennium and the classic game of “Capture the Flag” has now become a cornerstone of international cybersecurity. Does it really make sense to introduce an air of fun and games into something as serious and mission-critical as your organization’s data security?

The answer is a resounding “YES”.

In the recent Defending Your Software Supply Chain webinar, JFrog CSO, Moran Ashkenazi, remarked, “Especially for software development companies, it is critical to capture the curiosity and ongoing involvement of developers, DevOps and IT professionals in enforcing security policy. Initiating a Capture the Flag competition has proven to be a very effective method for keeping security a top organization-wide priority.”

JFrog enhances security awareness through training and CTF cybersecurity competitions

In support of its ongoing efforts to raise security awareness, JFrog is pleased to share how the team thinks out of the box by using CTF gamification and other methods to improve cybersecurity in our organization. As a leader in DevOps security we are constantly innovating to find the best ways to educate, train and engage developers to think in terms of end-to-end security, and to share our experiences and best practices with the greater cybersecurity community.

Before we go into details about JFrog’s particular approach to CTF implementation, let’s take a look at the theory behind CTF competitions and the reasons they have become an effective tool for enhancing awareness and improving security performance.

The Concept

Structure

The classic CTF game pits one team against another to capture the opponent’s physical flag which is hidden and heavily guarded so it won’t be captured by the other team. The cybersecurity version places the classic formula within the framework of a hackathon.

The result is teams of developers who compete against each other to find and exploit deliberately planted vulnerabilities in a controlled environment and recover the hidden flag. There are many variations of how the game is played. In jeopardy-style events, every team works against the same set of challenges and the same vulnerabilities; in attack-defense events, each team runs its own vulnerable services and must keep them up and patched while breaking into its opponents’.

Purpose

Successful CTF implementation requires substantial planning, resources and dedicating the better part of a workday to this effort. Therefore, the goals should be clearly stated along with KPIs to track the results:

  • Education – Influences developers to implement security into their code right from the start. Leverages the thrill of becoming a hacker for a couple of hours.
  • Awareness – Increases development and other departments’ sensitivity to the importance of security and the impact it can have on the organization.
  • Practice – Puts developers into the shoes of a hacker, giving them hands-on experience of how to exploit and prevent vulnerabilities.
  • Improvement – Statistics should be kept on actual attacks and on simulated attacks initiated by the AppSec team before and after CTF and similar activities, so the effect can be measured rather than assumed.

Method

The classic approach to increasing security awareness has centered around training, which certainly has made an impact. Unfortunately, the proliferation of online courses coupled with a new generation of developers weaned on PlayStation and Xbox, has caused a reduction in their effectiveness.

A cool way to solve this conundrum is by instilling a sense of fun and excitement that causes developers to become curious and invested in security. Gamification has proven itself a valuable supplement to standard lectures and online cybersecurity courses. It also brings people from different teams such as development, DevOps, IT and security together, teaching them to engage, collaborate and work together in real-time security situations.

JFrog’s Innovative Approach to CTF Competitions

JFrog CTF 2023 promotional poster

Now that the general goals and rules are understood, let’s take a look at the recent JFrog CTF event, where one of our key goals was to create a space that sparked JFrog employees’ curiosity, letting them create a memorable story and encouraging our developers to be creative and discover how to see things from a hacker’s perspective.

There were over 50 teams competing in the event, consisting of 180 players overall with a maximum of 2 players per team. The teams were created by the players themselves, with each participant given the option of creating a team, giving it a memorable name and inviting one of their colleagues to join them. All the teams worked in the same CTF environment, with the same set of challenges and vulnerabilities.

The “flag” they needed to capture was actually a string of text which was only revealed after successfully completing the final challenge. Getting to the final challenge, however, required the players to solve a defined set of problems by identifying different vulnerabilities and exploiting them, prior to getting the opportunity to capture the flag.  Teams then marked the challenges they solved and submitted them via our CTF platform, which displayed all the teams and their point totals – which really got everyone’s competitive juices flowing.

One of the key components to keep the competition exciting was to feature our “Lost Frog Bot” that used a public Slack channel to keep everyone updated in real-time throughout the competition. Messages included teasers, hints and notifications regarding successfully solved challenges. It was really cool to see how engaged the teams were in the competition by their constant use of the channel – especially the abundance of clever and entertaining emojis!
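To make the mechanics of the two paragraphs above concrete, here is an added example (written for this page, not JFrog’s own platform code) of the scoring side of a jeopardy-style CTF: flags checked against stored hashes in constant time, one award per team per challenge, a final challenge that stays locked until the prerequisite challenges are solved, a leaderboard that breaks ties in favour of the team that reached its score first, and solve notifications of the kind a Slack bot could relay. The challenge names, flags and team names are made up, and the hash storage, gating and tie-break are the editor’s design choices, not details the post gives.

```python
"""Constructed example of a minimal jeopardy-style CTF scoreboard."""
import hashlib
import hmac
from collections import defaultdict


def flag_digest(flag: str) -> str:
    """Normalise a submitted flag (strip surrounding whitespace) and hash it."""
    return hashlib.sha256(flag.strip().encode("utf-8")).hexdigest()


# Hypothetical challenge set. Only digests are stored, so a leaked scoreboard
# database does not hand out the plaintext flags. All flags here are made up.
CHALLENGES = {
    "recon":  {"points": 100, "requires": [],
               "flag_sha256": flag_digest("FLAG{robots-txt-is-not-access-control}")},
    "webapp": {"points": 200, "requires": [],
               "flag_sha256": flag_digest("FLAG{parameterised-queries-please}")},
    "final":  {"points": 500, "requires": ["recon", "webapp"],
               "flag_sha256": flag_digest("FLAG{lost-frog-found}")},
}


class Scoreboard:
    def __init__(self, challenges):
        self.challenges = challenges
        self.solves = defaultdict(set)   # team -> set of solved challenge ids
        self.last_solve_tick = {}        # team -> global order of its latest solve
        self.teams = set()
        self.events = []                 # messages for a notification bot to post
        self._tick = 0

    def submit(self, team, challenge, flag):
        """Return one of: correct, already_solved, locked, wrong, unknown_challenge."""
        self.teams.add(team)
        spec = self.challenges.get(challenge)
        if spec is None:
            return "unknown_challenge"
        if challenge in self.solves[team]:
            return "already_solved"
        # Refuse to even check the flag of a gated challenge until its
        # prerequisites are done; otherwise the check is an oracle for guesses.
        if any(req not in self.solves[team] for req in spec["requires"]):
            return "locked"
        # Constant-time comparison of the digests, so response timing does not
        # leak how many leading bytes of a guess were right.
        if not hmac.compare_digest(flag_digest(flag), spec["flag_sha256"]):
            return "wrong"
        first_blood = not any(challenge in s for s in self.solves.values())
        self.solves[team].add(challenge)
        self._tick += 1
        self.last_solve_tick[team] = self._tick
        note = " (first blood!)" if first_blood else ""
        self.events.append(f"{team} solved {challenge} for {spec['points']} points{note}")
        return "correct"

    def score(self, team):
        return sum(self.challenges[c]["points"] for c in self.solves[team])

    def leaderboard(self):
        """Highest score first; ties go to the team that reached its score earlier."""
        return sorted(((t, self.score(t)) for t in self.teams),
                      key=lambda ts: (-ts[1], self.last_solve_tick.get(ts[0], 0), ts[0]))

    def drain_events(self):
        """Hand out pending notifications (e.g. to a chat bot) and clear them."""
        events, self.events = self.events, []
        return events


if __name__ == "__main__":
    sb = Scoreboard(CHALLENGES)
    print(sb.submit("Frogs", "final", "FLAG{lost-frog-found}"))   # locked
    print(sb.submit("Frogs", "recon", "FLAG{robots-txt-is-not-access-control}"))
    print(sb.submit("Frogs", "webapp", "FLAG{parameterised-queries-please}"))
    print(sb.submit("Frogs", "final", "FLAG{lost-frog-found}"))   # correct
    print(sb.leaderboard())
    for msg in sb.drain_events():
        print("bot:", msg)
```

The same `drain_events()` output is what a bot like the one described above would post to a channel; the rest of the logic is what keeps a leaderboard honest when 50 teams are hammering it with guesses.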

JFrog CTF 2023 LinkedIn Post

Of course, for added incentive, we offered an Apple Watch to each member of the winning team, which helped move the competitive spirit up a notch. Outside of taking care of all the details on game day, the JFrog AppSec team’s main goals included:

  • Enabling team collaboration across different departments
  • Developing a unique platform for creation of CTF events
  • Designing a relevant and effective 2023 competition
  • Incorporating gamification techniques such as Leaderboards, Hints and Team Info

Dedicating a full day to the competition showed JFrog’s commitment to the event and cybersecurity. The environment was fun and exciting as the teams creatively selected their names and identities, posted their results and learned how collaboration is the best way to achieve security goals.

JFrog CTF 2023 - Competition winners
The first, second and third place winners of the 2023 JFrog CTF Competition

At the end of a tiring and action-packed day, we were proud to announce that the team led by software engineer Omer Haglili came in first place and was rewarded with a new Apple Watch.

Takeaways

It was really amazing to see the enthusiasm of the teams and the collaboration between them in capturing the flag. More importantly, it raised awareness not only regarding application security, but getting the entire organization into a “security mindset” which is crucial for developing software with end-to-end security.

In terms of results, a high level of engagement was achieved across the entire organization, demonstrating that security is a top priority both in our products and within our company. The success of this event showed us once again the effectiveness of gamification, which we intend to integrate into our other cybersecurity awareness and prevention activities. One of these is SecFrogBot, which brings tips to employees’ day-to-day workspaces, displays Do and Don’t messaging to prevent common attacks, and encourages developers to visit our e-learning platform.

For more information, check out our cutting-edge approach to security at JFrog’s Security Research portal.