Hackers are looking for holes in your software. Are you up to the challenge? Can you find the next security bug? Can you implement the software defenses that will prevent the next cyber-attack on your application? Be prepared! Join the Dojo!
To know how to defend, you must first learn what you need to defend against.
Attacks on software are conducted by taking advantage of software weaknesses or misconfigurations. The most dangerous software weaknesses are catalogued as the SANS Top 25.
To advance your training you will have to complete challenges that involve identifying and attacking SANS Top 25 weaknesses. This will help you get into the attacker mindset and 'put your hacker hat on'.
Thinking like an attacker will help you avoid vulnerabilities when designing software, a process known as 'Threat Modeling'. It will also help you test your code for vulnerabilities once the software has been built.
In martial arts you learn various blocking techniques. Each block defends against one or more types of attacks.
In a similar way, software can be defended through 'code blocks', more widely known as 'secure coding practices'. Code blocks include practices such as 'whitelisting user input' or 'using strong cryptographic algorithms'.
After you complete a challenge you will have the opportunity to review the 'code blocks' that could have prevented the attacks.
Knowing the basic 'code blocks' will help you prevent the attacks while you are writing your code. It will also help you identify software weaknesses during code review.
Just as in karate, you may never use the skills you learn here to attack someone. You are participating in this training only to learn how to defend your software.
Even security testing conducted to find security bugs so they can be fixed must be fully authorized.
Any unauthorized testing, even when conducted for good, is a criminal offense, so be sure to check that you have authorization before you touch any application outside this challenge.
You are fully authorized to conduct testing on the target applications provided for the challenges (the 'Insecure Inc.' site); however, you are not authorized to conduct disruptive testing, load testing or automated scanning, or to intentionally alter the integrity of the target applications.
You are not authorized to conduct any testing on this page or the authenticated portion of this site, to try to bypass the challenges, steal challenge codes, impersonate any users, or otherwise try to break the leaderboard application. If you happen to notice anything, you get bonus points for reporting it to the organizers.
Don't be too intimidated by the rules, though :). Have fun and enjoy the learning experience. Sign in at the top corner to get started.