SSTIC 2019 : How to Improve Security Awareness of Software Engineers
In early June, a few members of the Dashlane Engineering team attended SSTIC (Symposium sur la sécurité des technologies de l'information et des communications), one of the most important cybersecurity events in France.
One of the team's favorite presentations was by security expert Alex Ionescu, Vice President of Detection Strategy at CrowdStrike. His keynote was on "Death of Software Engineering." French speakers can watch Alex's full presentation at https://www.sstic.org/2019/presentation/keynote_2019/.
The main point of his keynote was that security is being taken more and more seriously by companies, but there is a growing gap between security and software development. This is a result of three long-term trends:
- Companies running bug bounties are giving more and more money to hackers rather than to the employees fixing the bugs. This discourages the people who address the issues and pushes talented individuals towards other career opportunities.
- At most universities, computer science students are pushed towards productivity instead of code quality. This imbalance means security programs are often only about offensive security: they train students to find bugs, not to catch and fix them.
- Companies are pushing code live without proper security checks. Vulnerable Alpha and Beta software is deployed online with the belief that "making mistakes is nothing wrong." The final question Ionescu raises is whether a "Pay for the fix, not for the bug" model would work.
What we are doing at Dashlane
At Dashlane, our goal is to have a team of software engineers that have a strong understanding of and respect for cybersecurity matters. Privacy is core to the products we build, and security is a huge reason our customers trust us with some of their most important personal data.
- We regularly involve all our employees in training sessions, ranging from lecture-style presentations by different members of the team to an internal CTF (Capture The Flag), a session where everyone was encouraged to try to find various security vulnerabilities.
- As with SSTIC, we encourage every employee to attend security conferences, and we make sure security is part of every team's identity and approach to their work.
- We use bug-bounty programs, such as HackerOne, to let the community help us bring a safer product to our users. We reward contributors according to their discoveries and raise bounties when an interesting fix is suggested.
Organizing a Capture The Flag
Because it's important to go from words to actions, here is how we organized a CTF for our employees who are beginners in cybersecurity.
The first step is to choose the framework the game will run on and that will keep track of your players' progress. The two most common ones are FBCTF and CTFd.
- FBCTF is made by Facebook and written in Hack, their own language. It features a cool dashboard with a map of the world where you need to solve a challenge in order to capture a country.
- CTFd is a more classic framework built in Python. It's used for loads of CTF games and has a strong reputation for its reliability.
We chose to use FBCTF because we had a limited number of participants and the world map game is a little more fun for beginners.
After deploying the platform on your infrastructure (follow the instructions at https://github.com/facebook/fbctf), the next step is to add challenges. There are two options: creating your own exercises or using existing ones. Based on our experience, we recommend using a CTF provider such as Root Me: you'll save time creating and testing challenges, you don't need to host them on your own infrastructure, and your employees will be set up on a platform with more challenges if they want to keep training beyond the CTF.
During the game, players submit each flag on your platform; they can also submit it on the CTF provider of your choosing.
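To make the flag-submission step concrete, here is a small scoreboard backend written for this post as an added example; it is hypothetical code, not part of FBCTF, CTFd or Root Me. It shows the three things a scoreboard should do with a submitted flag: store only a salted hash of each flag (so a leaked scoreboard database does not hand out every answer), compare submissions in constant time, and throttle repeated guesses so short flags cannot be brute-forced. The challenge names, point values and `FLAG{...}` strings are constructed sample data, and the injectable clock exists only to make the throttling testable.

```python
"""Minimal flag-submission backend for an internal CTF (hypothetical example)."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Challenge:
    name: str
    points: int
    salt: bytes
    flag_digest: bytes  # SHA-256(salt || flag); the clear-text flag is never kept


def make_challenge(name: str, points: int, flag: str) -> Challenge:
    """Register a challenge, keeping only a salted digest of its flag."""
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + flag.encode()).digest()
    return Challenge(name, points, salt, digest)


class Scoreboard:
    def __init__(self, challenges, max_attempts=5, window_seconds=60, clock=time.monotonic):
        self.challenges = {c.name: c for c in challenges}
        self.max_attempts = max_attempts      # guesses allowed per player and challenge ...
        self.window = window_seconds          # ... within this sliding window
        self.clock = clock                    # injectable for deterministic tests
        self.solved = defaultdict(set)        # player -> challenge names solved
        self.scores = defaultdict(int)        # player -> points
        self.attempts = defaultdict(list)     # (player, challenge) -> attempt timestamps

    def submit(self, player: str, challenge_name: str, flag: str) -> str:
        """Check one submission and return a status string."""
        challenge = self.challenges.get(challenge_name)
        if challenge is None:
            return "unknown_challenge"
        if challenge_name in self.solved[player]:
            return "already_solved"  # points are awarded once per player

        # Sliding-window throttle: drop old attempts, then refuse if the window is full.
        now = self.clock()
        attempts = self.attempts[(player, challenge_name)]
        attempts[:] = [t for t in attempts if now - t < self.window]
        if len(attempts) >= self.max_attempts:
            return "rate_limited"
        attempts.append(now)

        # Constant-time comparison of digests avoids leaking how many bytes matched.
        candidate = hashlib.sha256(challenge.salt + flag.strip().encode()).digest()
        if hmac.compare_digest(candidate, challenge.flag_digest):
            self.solved[player].add(challenge_name)
            self.scores[player] += challenge.points
            return "correct"
        return "wrong"

    def ranking(self):
        """Players ordered by points (descending), then name."""
        return sorted(self.scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Constructed sample challenges; real flags would come from your challenge set.
    board = Scoreboard([
        make_challenge("web-xss", 100, "FLAG{sample-xss}"),
        make_challenge("crypto-caesar", 50, "FLAG{sample-caesar}"),
    ])
    print(board.submit("alice", "web-xss", "FLAG{nope}"))          # wrong
    print(board.submit("alice", "web-xss", "FLAG{sample-xss}"))    # correct
    print(board.ranking())
```

The throttle is deliberately per player and per challenge: it stops someone cycling through guesses on one challenge without blocking their progress elsewhere, and because the scoreboard only holds digests, the operator never has to worry about the challenge answers sitting in a database backup.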
For us, the result was positive: all participants were involved in solving the challenges as fast as possible while learning about security risks they may meet in their everyday work. After our CTF, half of the players decided to keep solving challenges in their free time!
Interested in helping Dashlane build great products with best-in-class security? Check out our careers page!