Making Cybersecurity Fun with a Capture the Flag Event, Part 1

The social and business value of running a company-wide hacking competition.

Capture the Flag, or “CTF”, is a low-stakes, medium-difficulty security challenge contest. In the summer of 2022, we held a company-wide CTF event and invited all Network Ninja developers across our three product teams to participate.

As with Wordle, our hacking contestants logged in daily to solve a new puzzle, without a big time commitment. Challenges involved exploiting intentionally placed vulnerabilities in a specially designed system to capture a “flag” - a piece of code to prove they solved the puzzle. Across ten business days, we competed, laughed, and collaborated together - and learned some things about security along the way.

Key benefits of CTF 2022

  • Fun - Based on the participant feedback below, CTF was a big success. This was our main concern!
  • Security - CTF is security training. In our case, developers’ eyes were opened to the dangers of poorly written permissions rules.
  • Technology - Our software pros used tools and techniques that many were previously unfamiliar with - or hadn’t used in a while.
  • Cross-product collaboration - Three product teams - which typically don’t interact much on a daily basis - came together to compete, share strategies, and get to know each other a bit better.

CTF 2022 by the numbers

  • 17 Developers participated
  • 63 Collective challenges solved
  • 100% Enjoyed the event
  • 100% Think we should do another CTF
  • 1 Champion

Photo of CTF winner Mike Matz holding his trophy.

Above: MainEvent developer Mike Matz with spoils of his victory, a custom trophy.

What participants liked most about CTF

Actual feedback from Network Ninja developers.

Camaraderie.

Challenging! Definitely stretched my knowledge and broke it many times.

The solutions!

The different ways of thinking about the challenges were a lot of fun.

It definitely took me out of my comfort zone!

I was so proud and inspired by everyone’s creativity, what a sight. Also, the event itself was extremely pro while remaining actually fun and jovial. It had a special feel, legit felt ‘cool’.

Elements of CTF success

Planning. We put a lot of thought into factors like technology, timing, communication, and documentation. For example, Network Ninja has Summer Fridays 🌴 from June through August, so we stuck to Monday through Thursday. Here’s an excerpt from our invitation email:

Screenshot of our CTF schedule in a calendar.

An introductory primer video entertained and educated participants about rules and strategies for the contest.

A dedicated Slack channel was used to announce daily challenges and provide live updates and hints. It was also a hub for folks to socialize and brainstorm.

Screenshot of our #ctf2022 Slack channel.

A live leaderboard kept contestants engaged and informed. It was a competition, after all - so we needed to track who was winning.

Animated GIF of our CTF leaderboard.

Daily solutions were posted for each challenge after completion. This resulted in a lot of “Ah-ha!” moments for contestants who weren’t able to complete the puzzle.

Animated GIF of the solution to CTF challenge 1.

Wrapping it up

A combination of thoughtful planning, good communication, technical wizardry, and the participation of many talented Network Ninja employees made CTF a big success. We:

  • Had fun,
  • Learned about security & technologies, and
  • Engaged with folks across our three product teams.

Now, speaking of technology…

Part 2: the technology behind CTF

Stay tuned for Part 2 of our CTF recap, including the technical tools Site Reliability Engineer Bob Micheletto used to manage servers, logins, challenges, time limits, scoring, and much more. We’ll even provide the ability to attempt our CTF challenges yourself.
