Security is hard. Most software is written by engineers. Most platforms are configured by system administrators. These professionals rarely have more than basic training and best practices. To further complicate matters, application and platform security can be seen as "black arts" among non-security professionals. This perception can lead to paralysis in our colleagues' attempts to learn and improve their knowledge. What's not often understood is that "security" isn't a different set of skills, but a mindset through which existing skills can be expanded and applied.
Maybe there is a different approach that can help our colleagues overcome this paralysis by playing games. Games have advantages over traditional learning methods. Security professionals play Capture-The-Flag and wargames to test and expand their current knowledge and skills. These games could prove to be an effective training mechanism for developers and administrators.
CTF and wargames can show these professionals their programs and systems through the eyes of an attacker. Through playing, they become exposed to common attack methods, and realize that their "non-security skills" are the same ones that will lead them to the next challenge. Those skills, when applied with this new knowledge, will lead to secure systems and applications.
Presented at Security Fest 2016.

Speakers: James Powell
James Powell is a senior software engineer at Cisco Systems. He has been a professional in the Information Technology space for 18 years. James spent the first 7 years of his career as a system and network administrator before moving to the dark art of programming. Two years ago he stopped dabbling and fell down the security rabbit hole. His late career move into Information Security gives him a perspective on the gap between IT and IS. He actively develops in C and Python while looking for a good excuse to write more Perl. James presented at BSides Asheville 2015 and PhreakNIC 19 last year. During his downtime, James can be found practicing martial arts, brewing beer and mead, or reading.