This past week, I facilitated an OWASP Juice Shop CTF at New Relic for the Portland OWASP Chapter to help those beginning in their development or AppSec careers to have an opportunity to learn from the Portland AppSec community.
What does that even mean?
OWASP stands for the Open Web Application Security Project. OWASP exists to raise awareness and understanding of software security. They are a global non-profit with chapters all over the world and a plethora of projects and documents to help developers, DevOps, and security people up their game.
The Current Top Ten:
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Cross-Site Scripting (XSS)
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring
CTF means Capture the Flag. You are probably thinking - you brought computers into the woods and ran around hacking on them while trying to find the other team’s flags. Not quite. In the infosec world, CTF consists of gamified challenges where you uncover “flags” representing different vulnerabilities. You get points for finding them and teams compete against each other by earning more points / finding flags first / etc.
If you haven’t yet been to an event at New Relic, check out Calagator and find yourself something interesting to attend. New Relic does a great job being a community partner and opening up their space to improve the Portland tech scene.
We started with a brief overview of OWASP and the Juice Shop, then broke into teams to learn and practice vulnerability hunting together. The Capture the Flag only lasted a few hours, but it was great to see the teams making breakthroughs, talking together, laughing together, and hacking on the Juice Shop. For some in the room, it was their first time learning vulnerability hunting; others were old hands. We tried to team up across skill levels to balance the teams and allow more experienced folks to show a few tricks to those starting out.
Want to Learn More about Application Security?
Host your own Juice Shop CTF among friends or colleagues! Bjorn Kimminich (the Juice Shop project lead) has written a great guide in his book on the Juice Shop. Fellow OWASP Member Josh Grossman also has a useful write-up on his setup.
And go to owasp.org to read to your heart’s content all things app security.