For the past 2.5 years, a few of us at SAP have been trying to redefine how we teach security to employees in our organization. In the past, security was only taught via compliance trainings and forced workshops. This made security more of a mandate than a passion, which is what we wanted to change. To solve this, we built a CTF platform and grew it into a full-fledged security education program, leveraging the existing security experts to multiply their knowledge in the form of challenges. Over time, the traction gained was immense, and the biggest breakthrough was that, for the first time, newbies actually wanted to learn about security. We believe that to stay more secure, you need to know the various attack paths adversaries use to penetrate. With this same approach, we were able to create a small but steady army of hackers which has now reached self-sustenance. Through this process, our organization has also benefitted in terms of increased security awareness and identifying new talent.
We also came across a lot of hurdles, from curating content and finding ways to engage the non-technical to sustaining a growing, hungry community. I'd like to share the benefits and learnings that I've gotten over the years with the security community, as I feel this knowledge can be used by many others who are faced with similar challenges to the ones we faced a couple of years ago.
In this talk, I look to give a quick overview of what CTFs are to get everyone up to speed. Next, I'll cover some challenges we faced when trying to teach security within a large organization and highlight the journey we went through while setting up an internal CTF. I'll also include a starter kit if someone is looking to get started in setting up such a system. I'll also show some example challenges, as they're not your orthodox ctftime.org challenges.
I had published an article on this in Pentest Magazine sometime last year. The article was focussed on how large organizations can set up a CTF program within their environment, to educate on security. The response I got from it as well as other conferences I had attended was awesome, hence the idea to present it here. I'm attaching the Pentest Magazine article here for your reading.