CyberCX 2020 AppSec Hackathon roundup

Gamified learning, such as hackathons, is widely seen as one of the most effective ways to develop new skills.

For any organisation looking to enhance the cyber security capabilities of their software developers, hackathons offer a fun and exciting opportunity for their teams to test out existing knowledge whilst picking up some new skills along the way.

Last month, CyberCX ran its inaugural AppSec hackathon in which 180 participants competed remotely to identify and exploit vulnerabilities in two fintech application challenges:

Shadow Bank
For competitors with beginner to intermediate experience, this challenge included a range of intentional vulnerabilities of varying difficulty. Vulnerabilities included cross-site scripting (XSS), password cracking, authorisation bypass, business logic abuse, SQL Injection, and others.

Gold Standard
For competitors with intermediate to advanced experience, this challenge included 54 exploits such as SQL Injection, XSS, authentication/authorisation issues, business logic flaws, and others. Many of the vulnerabilities included poorly implemented mitigations, such as blacklisting attack strings and client-side validation, which competitors needed to identify and remedy.

The event brought together competitors, including security professionals, developers and students, from across Australia and New Zealand.

Some organisations view hackathons as central components of their corporate training initiatives. One such organisation even sent along a cohort of over 30 software developers!

With members of CyberCX’s Security Testing and Assurance team on-hand to offer tips and advice, participants were able to gain an insight into ways to interrogate applications to uncover hidden vulnerabilities.

To inject some excitement into the event, the scoreboard went offline for the last 5 minutes of the competition. With no scores visible, keyboards came alight as competitors rushed to submit their findings. Right down to the last seconds of the competition, teams were battling it out to exploit as many vulnerabilities as possible.

Congratulations to the winning teams:

Shadow Bank

| Position | Team name | Players | Company |
| 1st | Cereal Killer | Duy Nguyen / Stephen Mudra / Eric Do / Sam Leotta | Go1 |
| 2nd | Tea Series | Robert Cowsley / Jeremy Utting / Matthew Stringer / Orion Edwards | Gallagher |
| 3rd | Canva HPF | Cian O’Leary / Quang Huynh / Clark Pan / Nick Whyte | Canva |

Gold Standard

| Position | Team name | Players | Company |
| 1st | Sendle | Gabriel T / Hailey Martin / Josh Taylor / Carl Baxter | Sendle |
| 2nd | Turbo Meme Team | Camilo Lozano / Sid Bachtiar / Gareth Bestor / John Paler | Objective |
| 3rd | Avengers | Jonathan Remnant / Colin Leighton / Norris Charlton / Thor Chen | Objective |

As a supporter of the men’s health initiative Movember, CyberCX is proud to announce that the hackathon helped raise $2,700 towards this important cause.

If you’re interested in exploring the potential benefits of gamified learning initiatives, contact our Cyber Capability, Education and Training (CCET) team. We offer a range of innovative gamified programs including:

  1. Facilitated cyber escape rooms that complement cyber-awareness training with an immersive, team-building puzzle scenario.
  2. Tabletop exercises for leadership, technical teams and whole organisations aimed at developing skills, assessing preparedness and gaps in policy, process or people.
  3. Implementation of gamification into the overall learning and security strategies for your organisation.

We look forward to seeing all our hackathon participants again in 2021.