We spent a day gaming… at work!

James Butherway
Click Travel Engineering
5 min read · Jan 21, 2020

From the title (which is total clickbait, sorry not sorry!) it might sound like the Auth team at Click Travel spent the day slacking off. I can assure you that is not the case and in fact we just participated in a ‘GameDay’. It has nothing to do with Playstations or Minecraft, in fact we used it as a tool to validate some of our platform’s existing security and to see if we had any new areas of risk.

First things first, who are the Auth team at Click Travel? We are a small product engineering group whose mission is to: “Enable the Product Engineering department to seamlessly authenticate and authorise users on the platform by providing robust access control services”. (Side note: Sound fun? We’re hiring!)

About GameDays

They are used throughout the tech industry as a tool of chaos programming to help engineering teams confirm that they are delivering resilient software. Essentially, a GameDay is time you set aside to consider areas of risk within your system and attempt to break them, to see whether it is possible and, if it is, at what threshold.

For example, you could use a GameDay to test all the strategic actions that have been implemented from the last [x] incidents, to make sure those actions would have actually stopped the same incident from happening again under similar conditions.

We love this article on GameDays from Gremlin; head over there if you want a little more info:
https://www.gremlin.com/community/tutorials/how-to-run-a-gameday/

Our approach to the day

The Auth team wanted to take a slightly different slant on the GameDay in order to keep it more valuable to our own goals. So with this in mind we decided to change the focus of the day from strictly resilience to more of a self hack/penetration test, but with a totally white-box approach. This way we could use knowledge of our services in conjunction with industry-wide security standards, such as the OWASP Top 10, to make sure our platform held up under very targeted attacks.

We broke the day down into two parts which we split over one week:

  1. Decision on chosen targets and deep analysis of those targets.
  2. The actual gaming and analysis of the findings.

So we planned

We took an afternoon and all got together to discuss our ideas. We used Miro (a collaborative whiteboarding platform) extensively throughout these days in order to enable visual collaboration whilst being part of a remote team.

We all presented our ideas on what we thought would be a good area to test and used a mind map to dig deeper into the expected results and value. We tried hard to time box all actions and discussions over the allotted prep days so that we could keep to the time given to us for this task. We all agreed on what should be tested and divided the targets amongst ourselves.

And we gamed

Our targets were decided, so we scheduled the second part of the GameDay later that week, giving us soak time to think about how best to hack our chosen areas. As we work in an Agile way, we allowed thinking time for the GameDay during the week’s focus to ensure we could maximise the value of the actual gaming time, whilst still delivering on other weekly objectives.

I also created a test case document that we could use to collect the results uniformly. We jumped on a group call using Zoom, with all of us having a vague plan of our individual approaches, and set the timer for two hours to get it done.

Once again Miro was used as a collaboration space so that we could visualize what the others were doing. Being on a video call helped the team share something interesting or reach out for guidance if needed. The two hours went extremely fast but we all kept focused, determined to have valuable results at the end.

We analysed

The gaming was done and the results had been captured. We spent another hour and a bit going over them, sharing what we had found and critiquing our own approaches to help with the evaluation of the day. This was a bit like an incident debrief — we talked through what we found, and the actions generated were given a severity rating and sub-classed as immediate or strategic. The main point was to capture everything in one place, so we could refer back to it at any point and understand what decisions we had made.

Evaluation of the day

We found that this GameDay complemented our existing penetration testing process nicely. The day itself brought the Auth team together on a fun and proactive project that enabled knowledge sharing and bolstered our mindsets as security professionals.

All of the collaboration aspects worked very well, but we might change it to do the actual gaming as more of a group activity so that we can all see what is going on as it happens.

Overall, we felt it was a successful exercise and we look forward to the next one!

Could you do one?

The benefit the team saw from this outweighed the time we put aside for carrying it out. Based on that, I would urge any team that found this interesting to give it a go yourself.

Like the sound of this? Come and work with us!

Click Travel is shaping the future of business travel with our award-winning corporate travel management and booking platform. Our goal is to reduce the cost and complexity of business travel for everyone involved. But for all the developers in Click, it is more like an advanced technology company. We are all in a department called ProdEng — Product and Engineering Team. We build our own cloud-based platform on AWS, and make API connections with lots of 3rd party suppliers which are related to Flights, Hotels, Trains and other business travel bookings.

We are looking to expand our Product Engineering team. Find out more about what it’s like to work in Product Engineering from our dedicated careers page and take a look at the Product and Engineering roles we have on offer!

About the Author

I’m a senior software engineer with a passion for dev-ops and a love of helping distributed computer systems seamlessly and securely integrate through well-built interfaces. This ethos has guided me to tech leading the Authentication and Authorisation team at Click Travel. I get to innovate and use some of the newest cloud technologies to enable our users and other microservices to get the best experience while keeping them guarded against malicious intent.
