Remediate the Flag: Practical Application Security Training for Developers

Blue Hats
December 11, 2019


Presentation given at the #BlueHats day of the Paris Open Source Summit 2019.


Transcript

  1. Remediate the Flag: Practical Application Security Training for Developers
     www.remediatetheflag.com
     Paris Open Source Summit 2019
  2. AppSec Training for Developers
     • Developing secure software is a key component of an enterprise defense strategy.
     • AppSec training is part of the cyber security programs of most companies operating in regulated industries.
     • Software developed today still suffers from 20-year-old vulnerabilities.
  3. AppSec Training, today.
     In Class Training
     ✓ Provides real-world examples
     • Expensive (cost / time)
     • Often a one-time event
     Computer Based Training
     • No hands-on examples
     ✓ Scales well for large companies
     • Difficult to assess competency
  4. AppSec Training, tomorrow.
     • 100% hands-on training.
     • Identify, exploit and fix security issues.
     • Dedicated DEV environment accessed in seconds through a web browser.
     • Learn using the same tools used at the workplace.
  5. Engaging and Interactive
     • Real-time results and hints
     • Automated scoring
     • Gain points and trophies
  6. Learning Paths
     • Learners become expert in a topic in small steps.
     • When candidates complete a Learning Path, they receive an RTF certification.
     • Certifications expire and can be renewed by taking refresher exercises.
  7. Tournaments
     • Run time-boxed challenges.
     • Users of the same organization compete to remediate security issues.
     • Engage the whole developer community.
     Example: OWASP London CTF, 28.11.2019
  8. Measure ROI for Training
     • Measure real competency in secure coding and remediation.
     • Metrics allow for rapid discovery and closure of gaps, broken down by:
       o User
       o Team
       o Geographical region
       o Organization
  9. Live Demo
     1. Start an exercise
     2. Exploit the vulnerability
     3. Remediate the code
     4. Check results
  10. Supported Exercise Technologies / On the Roadmap
     Installation
     • Automated installation on AWS cloud.
     • Up and running in 15 minutes.
     Exercises
     • Install exercises from the RTF Exercise Hub.
     • Create your own exercises using the RTF SDK.
  11. DGFiP experimentation
     • Started experimentation in April 2019 with 15 users; DGFiP deployed an AWS RTF instance with Java exercises.
     • Developer comments: “it is great to learn with the same tools as developer workspace”, “great to have hands-on/practical exercises”, “platform is very reactive”; they have asked for more exercises and languages, and for RTF to be added to developer training.
     • Will be presented during a workshop at the DGFiP project manager day in December 2019.
     RTF Collaboration with DGFiP
     • After participating in OWASP AppSec London in July 2018, DGFiP started a trial of RTF in September 2018.
     • DGFiP is considering adding exercises in Java or PHP; they will be proposed to the RTF community.
     • From the beginning: great support from Andrea Scaduto during installation and deployment of the DGFiP RTF instance.
  12. www.remediatetheflag.com
     Q&A
     info@remediatetheflag.com