CyberCX 2020 AppSec Hackathon roundup
Gamified learning, such as hackathons, are widely seen as one of the most effective ways to develop new skills.
For any organisation looking to enhance the cyber security capabilities of their software developers, hackathons offer a fun and exciting opportunity for their teams to test out existing knowledge whilst picking up some new skills along the way.
Last month, CyberCX ran its inaugural AppSec hackathon in which 180 participants competed remotely to identify and exploit vulnerabilities in two fintech application challenges:
For competitors with beginner to intermediate experience, this challenge included a range of intentional vulnerabilities of varying difficulty. Vulnerabilities included cross-site scripting (XSS), password cracking, authorisation bypass, business logic abuse, SQL Injection, and others.
For competitors with intermediate to advanced experience, this challenge included 54 exploits such as SQL Injection, XSS, authentication/authorisation issues, business logic flaws, and others. Many of the vulnerabilities included poorly implemented mitigations, such as blacklisting attack strings and client-side validation, which competitors needed to identify and remedy.
The event brought together competitors, including security professionals, developers and students, from across Australia and New Zealand.
Our workstation for today’s CyberCX hackathon with the squad #appsechackathon @CxCyber #cybercx Stocked up on the essentials: Coffee and sunglasses ???? pic.twitter.com/SjOIYX89n3
— Mariam Antar (@mariamannx) November 20, 2020
Some organisations view hackathons as central components of their corporate training initiatives. One such organisation even sent along a cohort of over 30 software developers!
With members of CyberCX’s Security Testing and Assurance team on-hand to offer tips and advice, participants were able to gain an insight into ways to interrogate applications to uncover hidden vulnerabilities.
To inject some excitement into the event, the scoreboard went offline for the last 5 minutes of the competition. With no scores visible, keyboards came alight as competitors rushed to submit their findings. Right down to the last seconds of the competition, teams were battling it out to exploit as many vulnerabilities as possible.
Congratulations to the winning teams:
|1st||Cereal Killer||Duy Nguyen / Stephen Mudra / Eric Do / Sam Leotta||Go1|
|2nd||Tea Series||Robert Cowsley / Jeremy Utting / Matthew Stringer / Orion Edwards||Gallagher|
|3rd||Canva HPF||Cian O’Leary / Quang Huynh / Clark Pan / Nick Whyte||Canva|
|1st||Sendle||Gabriel T / Hailey Martin / Josh Taylor / Carl Baxter||Sendle|
|2nd||Turbo Meme Team||Camilo Lozano / Sid Bachtiar / Gareth Bestor / John Paler||Objective|
|3rd||Avengers||Jonathan Remnant / Colin Leighton / Norris Charlton / Thor Chen||Objective|
— Hailey ????☕️ (@konecoffee) November 20, 2020
As a supporter of men’s health initiative, Movember, CyberCX is proud to announce that the hackathon helped raise $2,700 towards this important cause.
If you’re interested in exploring the potential benefits of gamified learning initiatives, contact our Cyber Capability, Education and Training (CCET) team. We offer a range of innovative gamified programs including:
- Facilitated cyber escape rooms that complement cyber-awareness training with a team building immersive puzzle scenario.
- Tabletop exercises for leadership, technical teams and whole organisations aimed at developing skills, assessing preparedness and gaps in policy, process or people.
- Implementation of gamification into the overall learning and security strategies for your organisation.
We look forward to seeing all our hackathon participants again in 2021.
CyberCX State of the Hack – 2020