Although many of us are working from home (WFH), security training does not have to be monotonous slide presentations in a virtual conference room. We want to take advantage of technology and make security training educational, interesting, and personally relevant. One of the best ways for human beings to learn complex topics is through multimodal learning, in which multiple learning principles are used to maximize the internalization and retention of knowledge. Learn more about the science behind our training in Play Games, Learn Better.
In this post, I continue the capture the flag (CTF) conversation by sharing how we improved our security training, making it more memorable, even when you are participating from home.
Security Training at TrailheaDX
This year, Salesforce’s developer-focused conference TrailheaDX is completely virtual. While this means that anyone in the world can attend, for free, it also means that we have some additional challenges to catching the attention of our attendees. Even without the traditional booth presence, we want to make sure attendees are aware of all of the ways they can improve the security of their Salesforce-based solutions.
Last year at TrailheaDX, we launched our first admin- and developer-focused capture the flag, where attendees competed against each other to increase the security of a vulnerable Salesforce trial org. Nearly 500 players participated throughout the three-day conference, with winners announced every day. During the game, attendees were drawn into learning more about Salesforce security through:
- questions designed to drive independent research;
- challenges that required the player to find and set appropriate security controls within their Salesforce Org; and
- purposefully vulnerable modules where the player had to find and fix security bugs in code.
We document the architecture and tooling of the Salesforce Secure the ‘Force platform in Capture the Flag, Secure Your Knowledge.
This year, we are bringing a bigger and better Secure the ‘Force to TrailheaDX with new challenges, an improved user experience, and a global audience of competitors. This self-paced, hands-on training rewards players for finding the right knowledge and applying it correctly, which enhances their retention of the skills they are learning. Performing the training in a competitive but friendly environment helps keep players interested and gives them an incentive to excel.
Playing the game is a win for everyone. Players build their knowledge and skills using real environments, and the Salesforce ecosystem wins by having customers with an increased understanding of the security features and capabilities of the platform.
Capture the Flag for Internal Training
Salesforce customers are not the only ones learning from security training disguised as a Capture the Flag game. At Salesforce, we are also using the technology to improve our internal security training. New Salesforce engineers receive in-depth application security training, which we enhanced by including a Capture the Flag competition for each incoming class of engineers. By giving our engineers experience with how application vulnerabilities can be exploited, we help teach them how to write defensively to build secure Salesforce product code.
At the beginning of their training, each participant receives a set of custom applications and is challenged to find and exploit the security vulnerabilities in those applications. Everyone can see the points on the scoreboard, which provides additional incentive and friendly competition. Players compete against their class, and at the end of the training the winners are recognized.
The experience of learning how to exploit application vulnerabilities, just like attackers, keeps players interested and engaged. Afterwards, engineers are able to take the knowledge and skills from the game with them as they write new Salesforce code and features.
See You on the Leaderboard!
At Salesforce, we believe others can benefit from our knowledge and experience. That is why we support the distribution of the techniques, processes, results, and tooling used to build fun, educational, and successful capture the flag competitions. Attend TrailheaDX on Thursday, June 25, and be prepared to dive into the Salesforce security model by joining our Secure the ‘Force game. The game will stay open through Friday, June 26, which includes plenty of time to see everything at the conference and still try to outscore your fellow attendees!
Salesforce is open sourcing some of the tooling that helps us create great player experiences. Our first open source release is the custom challenge type, which allows your players to validate and claim challenges without having to juggle multiple windows.
The code is at https://github.com/salesforce/integrated_challenge and is released under a BSD-3 license.