Have you ever wondered how it would feel to turn evil for a few hours, legally of course? People from all over the St. Louis did just that on Thursday night. STL-OWASP & STL-Cyber hosted a Capture the Flag (CTF) event at the TREX building in downtown St. Louis. From there, individuals competed into the night using a simulated network environment to steal money, perform employee espionage and conduct other nefarious acts. Every competitor was given access to a mock banking website environment provided by Security Innovations and given the legal green light to do whatever they wanted to the system while enjoying drinks with friends. Each indicator of compromise was awarded a point value upon the success of the exploit. As the event started, the sounds of point scoring began. The event continued and the lead was chased for the next 2 hours. In the end, only the top three received a tangible award. However, everyone who attended truly got something out of the race.
Fun for Every Skill Set
Capture the flag (CTF) events don't just have to be for the comp sci major that has way too much time on their hands on a weekday evening. It can be a good way to start learning the ropes on how attackers can break into the systems you manage yourself. Instead of going out to the local bar with your coworkers after the 5 o’clock hour rolls around, CTF’s provide a great team building resource. These events are more of a social ground with friendly competition between beers. Whether you’re looking for a new junior analyst to add to your ranks or you’re interested in what type of vulnerabilities are being exploited in your systems, these events are tailored to every skill set and can be a valuable experience on every level. Last night there was plenty of help on hand to assist anyone who needed it even if you are new to the Cyber Security space.
Who or What is OWASP?
OWASP stands for "The Open Web Application Security Project." It's a not-for-profit organization that spends their focus on software security and web applications. As a penetration tester, many methodologies reference that testing should cover what is called the OWASP Top 10. These are vulnerabilities that are the most common in web applications and are often over looked by developers when writing code. These are vulnerabilities such as code injections, broken authentication and sensitive data exposures. The applications and interfaces can be your most vulnerable because they are the door that stands between the vast internet of the unknown and your sensitive data. All a hacker needs to do is find the vulnerable key and open the door to your entire environment. For more information on this list you can check out the most recent top 10 list here: OWASP Top 10.
How TechGuard Can Help
Do you have a web application that needs to be tested against the OWASP Top 10 vulnerabilities? At TechGuard, we can help. Check out our white paper on penetration testing at the following link: Penetration Testing White Paper.
Written by Grant Codak
Grant has nine years of IT experience spanning a variety of domains with a focus in defensive security. Grant is currently a Cybersecurity Consultant at TechGuard Security where he performs a wide variety of proactive security services, including penetration testing. He also holds the following certifications: CISSP, CEH, Security+, Network+, A+, and Metasploit Pro Certified Specialist. Recent responsibilities include, a Senior Web Security Engineer at a Fortune 50 organization along with a variety of application administration roles in security operations. His past project work includes, web tool development as well as firewall and web proxy migrations. Currently at TechGuard Security, Grant conducts audit control assessments, penetration tests, vulnerability assessments and social engineering exercises. Grant ties his knowledge together with his deep understanding of network operations and security architecture to deliver approachable report analysis to clients. Grant is also a nature enthusiast and enjoys mountain biking, hiking and kayaking with his wife.