This latest challenge is based around secure software development. Its purpose is not to teach skills on how to stop active hacks, but to raise awareness of how to design and develop software and systems that are naturally resistant to hackers and hacking. An example problem can be seen in the current in-app man-in-the-middle attack on iOS. Apple hasn’t been hacked, but the system has a design weakness that can be, and has been, exploited. Cyber Security Challenge UK’s latest challenge wants to make systems developers more aware of how criminals think, and how systems can be designed and coded to be more resistant to attacks.
This challenge, Command Control, has been developed by QinetiQ – a company that works extensively with UK and US government defense organizations – and (ISC)² – the world’s largest not-for-profit body of certified security professionals. It is now open for registration and will commence on 6 October.
Last year (ISC)² surveyed its members as part of the Global Information Security Workforce Study. Seventy-three percent ranked software vulnerabilities as the number one online threat. The problem is that business needs to develop software fast. The economic pressure to be ‘first to market’ often means that security is given scant regard in early development. (ISC)² and QinetiQ want to change this by making secure thinking a natural part of system development.
“It’s a challenge that is not open to security people,” John Colley, managing director of (ISC)², told Infosecurity. “It’s primarily open to IT developers who will be set a number of questions that they probably cannot answer. So they’re going to have to research the questions in order to find the answers. It’s going to force the developers to understand the security aspects of what they’re doing, and hopefully raise their interest in security issues in general.” The belief is that people learn more by finding out for themselves rather than simply being told the answers by experts.
Colley gave an example. A question might involve defending against SYN flood DDoS attacks. The answer would then involve discovering what they are and how they work. This would lead on to analyzing the system weak points that allow them to happen – and thereby learning how to avoid introducing similar weak points into their own systems. Hopefully this will lead to secure thinking as an instinct during development, rather than as an afterthought bolted on after completion.
Full details of both the challenge and its prizes can be found on the Cyber Security Challenge UK website, and on the Challenge registration page.