Last month, Aurion’s Software Operations team held their second annual hackathon event: Hackathon V2: Juice Shop – a hackathon about cyber security attacks and how to think like an attacker.
With our recent focus on enhancing security understanding and practice within our business and customer community, Hackathon V2 was a great opportunity to mashup the concept of a hackathon with actual ‘hacking’ to educate our teams about security vulnerabilities and how they can potentially be exploited.
Hackathons in general (including our inaugural Hackathon V1) focus on creating workable software solutions. However, ‘hackathon’ can be defined very broadly – hacking is essentially creative problem solving, and a hackathon is any event where people come together to solve problems. It doesn’t have to be about delivering technology solutions or creating working software or prototypes – a hackathon is also a great forum for teams to focus on a specific theme to broaden their skills and understanding.
Thinking like a ‘hacker’
Solid security practice is imperative to our business and our customers, and it’s an important part of our jobs and obligation to our customer community which we all take seriously. We have a big job to do to make sure that our applications and systems are secure from any threat that may come at us.
Within our Software Operations team, we are focused on supporting our customers with leading-edge solutions that encompass the most rigorous security practices and processes. Hackathon V2 was a great opportunity to understand the attacker’s side of the security equation, not so we can empathise, but so we can minimise the risks posed by and to our applications.
Our resident security consultant from partner Cyber Research, Ian Hughes, assisted the teams to prepare for and complete the Hackathon, providing insight and mentoring for team members.
Hackathon V2 introduced new tools and practices that are commonly used by hackers to exploit vulnerabilities. Ian – an industry veteran and cyber-security expert – had the following advice for our teams: “It’s important that developers and system administrators not just blindly follow the security guidelines defined by the selected coding standards such as the OWASP Top Ten or the ASD top 35 mitigating controls. It’s important to understand why and how the common types of application and infrastructure attacks actually work. When you understand how your infrastructure and applications might be attacked you will have a much better chance of being able to defend them.”
Creative solutions for complex problems
Armed with our newfound knowledge of security intrusion provided by our Cyber Research mentors, each team accessed their very own version of the Juice Shop web application and completed as many challenges as they could in a single day.
Challenges included everything from basic password guessing, SQL injection and cross-site scripting (XSS) attacks to ‘man-in-the-middle’ (MITM) attacks and cryptography.
Each team included Hackathon team members from across Software Operations – front-end and back-end developers worked with business analysts and technical writers to understand the challenges and use any available tools to complete them. Having multi-disciplinary teams working together allowed each team to draw on diverse skillsets to come up with the most creative solutions to problems – and solving a given challenge didn’t necessarily require the same approach every time.
Some challenges offered multiple ways of achieving the points, and some of the most effective Hackathon teams used very simple security intrusion techniques to achieve quick outcomes.
What we learned
Despite some initial hesitation from the less web-savvy team members, each team managed to complete multiple challenges in what became a hotly-contested battle. In the end Pulp Faction came away the victors, scoring maximum points for the hack and completing nearly all challenges.
Feedback from the teams indicated that most were surprised at the variety of cyber-security threats, and the relative simplicity of some. The Hackathon event definitely emphasised the importance of understanding cyber security risks and mitigation for all.
Watch this space for more exciting developments from our Software Operations team!
If you’d like to try the Hackathon V2 project, more info about the OWASP Juice Shop is available here – https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
Additionally, the following article provides links to a number of other legal hacking websites with different education and training opportunities – https://www.checkmarx.com/2015/04/16/15-vulnerable-sites-to-legally-practice-your-hacking-skills/