Remediate the Flag: Practical Application Security Training for Developers

Transcript

1. Remediate the Flag Practical Application Security Training for Developers www.remediatetheflag.com

   Paris Open Source Summit 2019

2. AppSec Training for Developers • Developing secure software is a

   key component in enterprise defense strategy. • AppSec training is part of cyber security programs for most companies operating in regulated industries. • Software developed today still suffering from 20 year old vulnerabilities.

3. AppSec Training, today. In Class Training Computer Based Training ✓

   Provides real-world examples Expensive (Cost / Time) Often a one time event No hands-on examples ✓ Scales well for large companies Difficult to assess competency

4. AppSec Training, tomorrow. • 100% hands-on training • Identify, exploit

   and fix security issues. • Dedicated DEV environment accessed in seconds through a web browser. • Learn using the same tools used at the workplace.

5. Engaging and Interactive • Real-time results & Hints • Automated

   scoring • Gain Points & Trophies

6. Learning Paths • Learners become expert in a topic in

   small steps. • When candidates complete a Learning Path, they receive a RTF certification. • Certifications expire and they can be renewed by taking refresher exercises.

7. Tournaments • Run time-boxed challenges. • Users of the same

   Organization compete to remediate security issues. • Engage the whole developer community. OWASP London CTF
 28.11.2019

8. Measure ROI for Training • Measure real competency in secure

   coding and remediation • Metrics allow for rapid discovery and closure of gaps o User o Team o Geographical region o Organization

9. Live Demo 1. Start an exercise 2. Exploit vulnerability 3.

   Remediate code 4. Check results

10. Supported Exercise Technologies On the Roadmap Installation • Automated installation

    on AWS cloud. • Up and running in 15 minutes. Exercises • Install Exercises from RTF Exercise Hub. • Create your own exercises using the RTF SDK.

11. DGFiP experimentation • Started experimentation in April 2019 with 15

    users, DGFiP deployed AWS RTF instance with Java exercises • Developers comments: “it is great to learn with the same tools as developer workspace”, “ great to have hands-on/practical exercises”, “platform is very reactive”; they have asked more exercises and languages and to add it in developer formation. • Will be presented during a workshop at DGFiP project manager day in December 2019 RTF Collaboration with DGFiP • After participation at OWASP Appsec London in July 2018, DGFiP started a trial of RTF in September 2018 • DGFiP considering adding exercises in Java or Php, it will be proposed to the RTF community • From the beginning : great support by Andrea Scaduto during installation and deployment of RTF DGFiP instance

12. www.remediatetheflag.com Q&A [email protected]