Get Your Testers Into Security With Capture The Flag
Whether your team is two or twenty, whether your testers code or not, and whether your devs or ops folks get involved or not, there is really no reason not to dip your QA team into Capture The Flag challenges.
CTFs range from simple to decidedly not. They also range from go-at-your-own-pace solo adventures to competitive team contests with prizes.
What jeopardy-style CTFs usually have in common is approachable web app testing, and they are expanding their mobile offerings as well. That's a good entry point for the average QA tester. Once they get into app hacking, they will quickly realize they already know most of the lingo and culture; it's just focused on security bugs and vulns.
Benefits
- They're fun. Really, if your testers have that tester mindset, they will probably dig it
- Team building: you will need to ask for help at some point
- Your team might quickly find themselves installing Linux for the first time, woohoo
- Skill sharing between people and departments
- Build security knowledge across your team, distributing takeaways/lessons learned
- Rapidly step up your team's experience with tooling
- You may find yourself spinning up infra, which would help your QA team build ops chops
How To Get Started
- Search YouTube for CTF walkthroughs showing flags being captured on systems like yours
- Read CTF write-ups; usually these are for contests, but they are a good peek into the landscape
- Watch live CTFs on Twitch.tv; very good for seeing how the thought process works
- Read up on all things hacking! There is so much to know; focus on your domain
- Pick a beginner CTF, probably jeopardy-style, maybe focused on web or mobile, and just dive in
Resources
- ctf101.org/
- ctftime.org/
- amanhardikar.com/mindmaps/Practice.html
- trailofbits.github.io/ctf/
- ctf.hacker101.com/
- captf.com/practice-ctf/
- ctfs.github.io/resources/
- csaw.engineering.nyu.edu/ctf
- microcorruption.com/login
Learn the landscape, start slowly, provide a safe environment to ask "stupid" questions, challenge each other, challenge yourself!
Happy testing, erm, hacking!