Capturing the Flag and Building Skills
If you’ve spent some time in AppSec, you've undoubtedly come across questions like, “How can I get into Application Security?”, “What should I study if I want to land a job in AppSec?”, and “How can I begin learning about security vulnerabilities?”. We've all tried to navigate through these inquiries, often recommending OWASP, textbooks, or possibly online resources and mailing lists. However, let's add another valuable tool to your armory: Capture the Flag (CTF) Challenges.
A Capture the Flag event is a hacking challenge where cybersecurity professionals put their skills to the test. The end goal of each challenge is to retrieve a secret text string, the flag, that can be submitted to a central CTF dashboard for points. These points contribute to team rankings, turning the whole process into a competitive game. CTF events serve as excellent platforms for experts to hone their skills, share expertise with junior members, allow security teams to assess their strengths and shortcomings, and offer an entry point for those interested in cybersecurity. If you are part of a champions program, a red team, or a penetration testing group, scheduling a CTF event as a team-building exercise can be beneficial.
Two weeks ago, our CTF team secured the 16th place among 982 teams. I’m thrilled to share this result. Even though it's not in the top 10, it's a significant improvement from our 26th place in 2022 and 85th in 2021. To halve our ranking, we had to more than double our score.
This advancement is a result of a decision we made just over a year ago to establish a dedicated team and develop a CTF capability. In this period, we’ve expanded our CTF participation from five members to over sixty and have broadened our areas of expertise to include containers, AI/ML, and the cloud. Building a CTF team is like building any other capability, except that the outcome is not mitigated vulnerabilities in open source or enforced governance; the outcome is that people who might not specialize in security get a chance to become expert security practitioners.
The initial step was assigning a leader. The common saying "When everyone is responsible, nobody is responsible" holds true here. To avoid a lack of leadership, we appointed Aris, who already had a passion for CTF, learning, and competition. Although he had been leading an off-the-books CTF initiative, we recognized the need for a more structured approach to achieve substantial results.
We managed to secure Hack The Box CTF licenses as an initial measure. But if you’ve run an appsec program before, you know that buying a tool is radically different from using the tool. To build momentum, Aris began actively using those HTB licenses. He allocated licenses for specific learning tasks to consultants and set up a weekly learning session where those HTB challenges would be solved as a group.
A leader without a team isn’t a leader at all. To begin building the team, Aris identified experts in various categories from our existing consulting pool to assist with the relevant challenges: folks who dealt with AI/ML professionally were tapped to provide guidance on AI/ML challenges, and our webapp pen testers were already primed to deal with the traditional webapp CTFs. We even discovered a digital forensics enthusiast among us, although they deny their expertise if asked outright.
The knowledge we've accumulated has done more than just boost our ranking. It has served as a crucible, revealing our weaknesses and illuminating our deficiencies. Last year, I discovered a need to transition from Perl to Python for scripting and to familiarize myself with Ghidra and Volatility for forensics. The forward progress I made this year is that I only need to teach myself Ghidra. CTF participation is an effective way to keep technical skills up to date as professional responsibilities become less technical.
To sum up, the journey of building a CTF team has been illuminating and challenging for not only the participants but our entire organization. It's a perfect representation of the saying 'iron sharpens iron.' By competing against the best in the field, we've honed our skills and forged a team ready to confront the diverse challenges of cybersecurity.
Therefore, if you're seeking to break into AppSec or aiming to upskill, don't underestimate the benefits of CTF events. They offer not just a competitive and entertaining learning environment, but also a pragmatic way to understand and mitigate cyber threats. Whether you're learning solo or as part of a team, I'd encourage you to participate in a CTF event. Trust me, it's an investment of time and effort that yields substantial returns.
There's always more words to spend on a topic like this one, but I've hit my budget for now. Stay secure, and never forget the humans.
P.S. Apologies for the absence! Life has taken an exciting turn recently. The kids have been home from school for the summer and my office doesn’t have doors. We’ve also had some family events that have disrupted non-essential activities. But now that things seem to be winding down, I plan to publish these posts with greater frequency going forward.