Remediate the Flag: Practical Application Security Training for Developers

Blue Hats
December 11, 2019


Presentation given during the #BlueHats day at the Paris Open Source Summit 2019.


  1. Remediate the Flag: Practical Application Security Training for Developers
     Paris Open Source Summit 2019

  2. AppSec Training for Developers
     • Developing secure software is a key component in an enterprise defense strategy.
     • AppSec training is part of the cyber security programs of most companies operating in regulated industries.
     • Software developed today still suffers from 20-year-old vulnerabilities.

  3. AppSec Training, today.
     In Class Training
     ✓ Provides real-world examples
     • Expensive (cost / time)
     • Often a one-time event
     • No hands-on examples
     Computer Based Training
     ✓ Scales well for large companies
     • Difficult to assess competency

  4. AppSec Training, tomorrow.
     • 100% hands-on training
     • Identify, exploit and fix security issues.
     • Dedicated DEV environment accessed in seconds through a web browser.
     • Learn using the same tools used at the workplace.

  5. Engaging and Interactive
     • Real-time results & hints
     • Automated scoring
     • Gain points & trophies

  6. Learning Paths
     • Learners become expert in a topic in small steps.
     • When candidates complete a Learning Path, they receive an RTF certification.
     • Certifications expire and can be renewed by taking refresher exercises.

  7. Tournaments
     • Run time-boxed challenges.
     • Users of the same organization compete to remediate security issues.
     • Engage the whole developer community.
     OWASP London CTF

  8. Measure ROI for Training
     • Measure real competency in secure coding and remediation
     • Metrics allow for rapid discovery and closure of gaps
       o User
       o Team
       o Geographical region
       o Organization

  9. Live Demo
     1. Start an exercise
     2. Exploit vulnerability
     3. Remediate code
     4. Check results

  10. Supported Exercise Technologies
      On the Roadmap
      Installation
      • Automated installation on AWS cloud.
      • Up and running in 15 minutes.
      Exercises
      • Install exercises from the RTF Exercise Hub.
      • Create your own exercises using the RTF SDK.
  11. DGFiP experimentation
      • Started experimentation in April 2019 with 15 users; DGFiP deployed an AWS RTF instance with Java exercises.
      • Developer comments: “it is great to learn with the same tools as developer workspace”, “great to have hands-on/practical exercises”, “platform is very reactive”; they have asked for more exercises and languages and for it to be added to developer training.
      • Will be presented during a workshop at the DGFiP project manager day in December 2019.
      RTF Collaboration with DGFiP
      • After participating at OWASP AppSec London in July 2018, DGFiP started a trial of RTF in September 2018.
      • DGFiP is considering adding exercises in Java or PHP; they will be proposed to the RTF community.
      • From the beginning: great support by Andrea Scaduto during installation and deployment of the RTF DGFiP instance.

  12. Q&A