Hacking for Security

by Kristen Psaty

On June 21st, Women in Security and Privacy (WISP) partnered with Security Innovation, Inc. (SI) and the Wikimedia Foundation to put on a fun, educational “find the vulnerabilities” game. The “Hackathon” was a technical workshop on web application security, with a hands-on approach geared at teaching effective website security and secure coding habits to WISP members.  

Playing the CTF at the WISP meet-up was a wonderful opportunity to meet other women in our field, and it was a lot of fun!
— Marisa Fagan from Salesforce Trust

Wikimedia generously provided the space, while SI experts guided the participants through training sessions to introduce core concepts via the game played as a group. SI has donated and hosted similar events for a variety of groups ranging from middle-school kids in Montana to the RSA Conferences in the U.S. and Europe. For the WISP event, SI created a fake website of an imaginary financial institution for participants to exploit vulnerabilities.

Getting more women into the security industry is a difficult and complex challenge; however, it is one that we can help to solve through inclusion, respect, and education.
— Joe Basirico, VP of Services at Security Innovation

The workshop introduced participants to the mechanics of hacking a site and the types of vulnerabilities that malicious actors commonly exploit. The event brought together women from a variety of backgrounds and programming skill levels, including many who had never been exposed to computer code to seasoned programmers fluent programming language and familiar with the newest web security threats. 

The WISP “find the vulnerabilities” game was a fun and engaging night to learn about secure coding.
— Kristin Psaty

“Playing the CTF at the WISP meet-up was a wonderful opportunity to meet other women in our field, and it was a lot of fun!” said Marisa Fagan from Salesforce Trust, who was in attendance at Tuesday evening’s event. “We got to be creative, competitive, and even a little bit evil...all for a good cause, of course. I learned a lot about web app hacking that will make me better at my job.”

All of the hacking was done by members of the WISP community on fake, intentionally vulnerable websites, that were created with software from Security Innovation’s CMD+CTRL Web Hackathon Product. Attendees were encouraged to experiment, explore and investigate the code underpinning the fake financial website. Through persistence (and a few cheat sheets) participants learned to spot potential vulnerabilities and the ways on which they are commonly bypassed. Participants earned points for each skill developed or vulnerability exploited, and the event ended with an award ceremony for the top scorers.

Nora Sandler, Security Innovation Engineer and Hackathon team member, encouraged participants to “develop their hacker streak.”  Many of the participants have careers committed to thwarting and protecting against malicious activity, so the closed-universe web hacking game was an opportunity to trade in their white hat for a black hat, and think like a malicious hacker. Some of the mock-website attack features included breaking into different user’s accounts, adding items to an online shopping cart and purchasing them for $0, and manipulating brokerage rates and loan applications. 

 Nora Sandler, Senior Security Engineer at Security Innovation, leads the WISP CMD+CTRL Hackathon

Nora Sandler, Senior Security Engineer at Security Innovation, leads the WISP CMD+CTRL Hackathon

By learning how the bad guys operate, participants left the event better equipped to defend against potential attacks. In addition, participants gained a stronger framework for understanding the mechanics of data breaches and the type of work done by web security professionals.

Women are only 11% of the cyber security profession and only 1% of its leadership[1]. WISP is committed to promoting the development, advancement and inclusion of women in the information security and privacy fields. "Getting more women into the security industry is a difficult and complex challenge, however it is one that we can help to solve through inclusion, respect, and education,” said Joe Basirico, VP of Services at Security Innovation. “With the success of our Hackathon event at WISP, we are really looking forward to reaching out to more women’s tech organizations to teach about security and privacy."

It was rewarding to watch approximately 100 women learn the basics of becoming a hacker in a hands-on workshop environment. Personally, I learned a lot and had fun learning how to hack web apps.
— Elena V. Elkina, Chief Evangelist and Events Co-Chair at WISP

Through hands-on, accessible workshops such as this Hackathon, WISP continues its commitment to helping women identify and achieve the level of education and skills required to succeed in security and privacy positions across multiple industries.

“It was rewarding to watch approximately 100 women learn the basics of becoming a hacker in a hands-on workshop environment. Personally, I learned a lot and had fun learning how to hack web apps,” said Elena V. Elkina, Chief Evangelist and Events Co-Chair at WISP. “On behalf of Women in Security and Privacy, I would like to thank the Security Innovation team for sponsoring and leading this WISP hackathon. Also, we want to extend a heartfelt thank you to Wikimedia Foundation for hosting the event and providing food and drink. Thank you Security Innovation and Wikimedia Foundation for supporting our mission -- promoting the development, advancement, and inclusion of women in security and privacy.”