Past Meetup

AppSec USA Planning: CTF Development


Code, hack, learn, plan, hang out.


"Isn't there anyone out there who can tell me what CTF is all about?"

Sure, devoted OWASPer, I can tell you what CTF is all about.

In preparation for AppSec USA 2014 (hosted in Denver next September), BOWASP is creating a competition of security-related challenges. One such challenge might involve a web application designed with insecure Apache settings. Another challenge might require competitors to find and exploit a SQL injection vulnerability to reveal a flag. For each flag found, players receive points. Point values vary based on challenge difficulty. The player with the most points at the end of the competition wins.

BOWASP's CTF takes a somewhat unique approach of integrating challenges organically into an overarching story. Challenges serve to develop and progress the plot, the characters, and other story elements. The purpose is to create a more engaging experience.

"I haven't been to any CTF meetings. Can I help?"

Yes! We have a lot of work left in the areas of plot writing, FreeBSD administration, challenge development, documentation, and network administration. Key skills sought include:
• Application development (many challenges are language-agnostic, but there is a slant toward web applications)
• Web design (look-and-feel, etc.)
• Graphic design
• Database administration
• System administration
• Network administration
• Cryptography
• Creative writing
• Et cetera

"I'm not a developer / hacker / whatever. Are you sure you want my help?"

By far the most important qualities to contribute to this project are time and enthusiasm. If you feel comfortable learning new technologies and believe you would be able to cobble something together, then we absolutely want your help. The beauty of developing a CTF is that writing poor, insecure code is actually desirable.

Through the end of the year we will work on refining the story and the infrastructure components. The infrastructure consists of two primary entities: the scoreboard and the competitor VM. The VM is a self-contained environment in which all of the challenges reside. FreeBSD expertise is welcome, particularly surrounding the concept of jails. In January our development efforts will shift from infrastructure to writing and integrating challenges.

"This sounds like work. What's in it for me?"

Free food and drinks, a fun project to work on, a good group of folks to spend time with, a no-pressure environment to learn about security, and AppSec USA 2014 incentives for steady contributors.