JET’s Hacktober Security brief — key insights and highlights

Our highlights from our Security Awareness month

Ivan Iushkevich
Just Eat Takeaway-tech
7 min read · Jan 15, 2024


Like many organisations, Just Eat Takeaway.com (JET) observes the annual tradition of October Cybersecurity Awareness Month. Last year (2023) was our biggest and best yet, featuring multiple event formats over two tracks. Each day brought a new talk, workshop, fun event, or competition. During what amounted to a continuous month-long security conference, we engaged with JET colleagues from across the globe to raise awareness of topics ranging from new social engineering techniques to LLM prompt injection, a CTF competition and even a Crisis Simulation Game. We wrapped up the month with memorable prizes and gifts, announced and presented during a special closing ceremony.

Different competitions, different rewards…collect them all!

Enterprise security culture & awareness

Scott Ticknor, JET Lead for Infosec Culture and Awareness, opened the month with the “State of the Culture Address”, our traditional Infosec culture year in review. He presented findings and results from the various training events held over the year, with some telling illustrations of JET’s relative strengths and weaknesses with regard to security awareness.

We also ran the JET Phishing Derby, a fun event designed to raise awareness of the different kinds of phishing attacks. Over the month, participants had to survive four waves (one per week) of increasingly difficult simulated phishing emails for a chance to win a sweet prize. This event always generates a lot of engagement, with people weighing in on which lures are “fair” and so on.

The “Build-a-Phish” workshops tend to produce wonderful creations, and this year was no different. One participant built what we now call an Immortal Phish: a lure so devious that we have adopted it in our company-wide phishing training.

Seems to be legit…

We also recognised those who really showed up, took the spirit of the event to heart, and made our sessions much more fun just by being there. Our Participation Champion wrote:

This was my very first Security Awareness Month extravaganza at JET! So, naturally, I signed up for as many of the ‘Hacktober’ workshops as I could possibly attend.

Scott Ticknor hit us with a keynote so passionate, I thought he might actually convince the world to communicate via carrier pigeons. Bye-bye, emails! 🐦

Then there was the Build-a-Phish workshop with Scott. We were practically phishing experts by the end of it. Not that we’re planning anything sneaky, but if we were, we’d totally ace it. 🎣

And the highlight of it all? I now have my own Lego ‘Security Awareness Month ’23’ mini-figure! Plus, my first ever JET T-shirt — I’m basically a walking, talking billboard for cybersecurity coolness. In a nutshell, Hacktober at JET was a rollercoaster of cybersecurity enlightenment — who knew security awareness could be this much fun? 🚀

Winners of Security Trivia could possibly get this unique security cup

Towards the end of the month, we held another incarnation of our annual October Security Trivia. This low-intensity quiz is mostly a back-door way to get security statistics in front of people, but we keep it fun and educational too.

Fun hands-on-hacking activities

At JET Infosec, we put a strong emphasis on continuously building security knowledge and getting the most important security information to the whole development and engineering community. Throughout the month, the Infosec team, JET Security Champions, and our partners delivered numerous technical security talks. This was the first year with a fully fledged engineering track, turning the month into a continuous secure development conference.

Examples of CTF tasks

Throughout the year we also run a continuous Capture-The-Flag (CTF) competition, which helps us raise secure development awareness and deliver targeted content about the latest vulnerabilities and threats, with the aim of addressing their root causes. For Security Awareness Month, we followed the same approach. We released weekly security challenges based on real-life scenarios in which participants had to identify and exploit a series of vulnerabilities to find the hidden “flags”. Each challenge came with its own backstory, designed to help engineers recognise issues they might encounter while developing products. The challenges ranged from exploiting JWT misconfigurations and insecure API handlers to identifying flaws in game logic and architectural vulnerabilities in a payment platform:

I found the CTF challenges particularly impactful. They provided a unique way to apply theoretical knowledge in a practical setting, making the learning experience not just informative but also genuinely enjoyable.

As mentioned above, a continuous CTF brings a number of advantages, as another participant noted:

I participated in the security CTF event to see whether I was able to complete the challenges with very little experience in security and exploiting vulnerabilities. I learned a lot of new skills in the process of trying to find the flags; it was exciting to find and exploit live applications. Learning through this method was far more effective than traditional online training for me.

When you are trying to beat a CTF-like game the normal way

The competition was intense right up to the end. In a thrilling finish, we had a tie for first place among three participants!

For those who didn’t have time to participate, or who were stuck on one of the challenges, we also ran follow-up workshops walking through the solutions.

The activity of engaging in a Capture The Flag challenge is an excellent way to enhance practical understanding of security concepts; indeed, it provides a hands-on experience that goes beyond theoretical knowledge. By solving challenges and overcoming obstacles, I gained valuable insights into real-world security scenarios, which contributed not only to my personal growth but also represents a win for the company and the trust our customers place in us.

Another unique event was the Secure Development Advent Calendar, aka Codebash (the name has no connection to any actual product). Inspired by the Code Security Advent Calendar 2022 and Advent of Code, we thought: “Why not try something similar?”

One of the best things about this challenge was that it didn’t take much time to participate. Even so, this short engagement proved highly effective in highlighting and sharing common problems found in code. Each day, participants were given a snippet of vulnerable code from a range of languages and platforms, such as Java, .NET and mobile. The competitors’ task was to spot the hidden weaknesses and provide a detailed explanation of the vulnerabilities they had discovered.
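To give a feel for the kind of snippet a Codebash day revolves around, and for the JWT misconfigurations the CTF track mentioned earlier, here is an added example written for this article; it is not one of JET’s actual challenges. It shows a small HS256 JWT verifier that trusts the token’s own `alg` header, the classic “alg: none” bypass that lets an attacker forge an unsigned admin token against it, and a hardened verifier that pins the algorithm server-side. The secret key, claim names and `verify_*`/`forge_*` helper names are all constructed placeholders.

```python
"""Spot-the-vuln: a JWT verifier that trusts the token's own "alg" header.

Added example, not JET's challenge code. Standard library only, so the
HS256 signing and the "alg: none" bypass are fully visible.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"hypothetical-server-secret"  # constructed stand-in for a real key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the '=' padding that JWTs strip before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a genuine token the way the server would."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    payload = json.dumps(claims, separators=(",", ":"))
    signing_input = f"{_b64url_encode(header.encode())}.{_b64url_encode(payload.encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_vulnerable(token: str, key: bytes):
    """The snippet a Codebash participant would be asked to review.

    Bug: the algorithm is read from the attacker-controlled header, so a
    token carrying {"alg":"none"} with an empty signature is accepted.
    """
    h64, p64, s64 = token.split(".")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(p64))  # no signature check at all
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s64)):
            return json.loads(_b64url_decode(p64))
    return None


def verify_hardened(token: str, key: bytes):
    """Fix: the server decides the algorithm; the header's claim is only checked
    against that allow-list, never used to choose a code path."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
    except ValueError:  # malformed base64 / JSON / wrong segment count
        return None
    if header.get("alg") != "HS256":  # "none" and anything else are rejected
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    return json.loads(_b64url_decode(p64))


def forge_alg_none(claims: dict) -> str:
    """Attacker step from the CTF: an unsigned token that claims alg=none."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."  # empty signature segment


def demo() -> dict:
    """Run both verifiers against a genuine token and a forged one."""
    genuine = sign_hs256({"sub": "alice", "role": "customer"}, SECRET)
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    return {
        "genuine_vulnerable": verify_vulnerable(genuine, SECRET),
        "forged_vulnerable": verify_vulnerable(forged, SECRET),
        "genuine_hardened": verify_hardened(genuine, SECRET),
        "forged_hardened": verify_hardened(forged, SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and the vulnerable verifier happily returns the forged `role: admin` claims, while the hardened one returns `None` for the forged token and still accepts the genuine one. The review lesson is the same whichever JWT library is in use: the server, not the token, chooses the acceptable algorithm, and `none` must never be on that allow-list.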

To streamline the review process and improve the experience, we used an AI-powered bot, affectionately named B0B. B0B’s main task was to assess the accuracy of the submitted answers and evaluate how well participants had identified the vulnerabilities.

B0B not only checks the answers but sometimes also points out what should be improved to make them correct

Hacktober was a great learning experience. The CodeBash challenge was really fun but also very challenging. It was an awesome learning experience, as I was able to read code and try to spot the security vulnerabilities. I felt that it was great training to help me recognize security vulnerabilities in my work as a developer.

The power of community

JET Security Champions

Talking about Security Awareness Month would be incomplete without mentioning an essential part of it: our great Security Champions. These individuals are not only well versed in security matters but also play a vital role in helping with security tasks and acting as a bridge between the security and engineering teams. I could say a lot about the group and their continuous efforts to harden JET’s security, but for this month in particular, Security Champions helped organise all of the above events by delivering:

  • Talks: why engineers should join the Security Champions programme and why it matters, threat modelling, the latest phishing trends, and more.
  • Workshops: OWASP secure coding in Java and C#, and an introduction to security testing.
  • Challenges for the Codebash and CTF competitions.
  • Numerous awareness-raising tasks: sharing news, giving shout-outs and so on.

With our Security Champions, Just Eat Takeaway.com’s Security Awareness Month shone as never before!

As part of Security Awareness Month, I enjoyed a variety of different talks and workshops. In today’s ever-evolving digital landscape, understanding and proactively managing security is essential. It was great to see many talks to encourage “Shift Left” and Security First Development culture. This also gave me the opportunity to share with a wider audience how my team carried out Threat Modelling, and encourage other teams to do the same.

Finally, we closed the month out with the aforementioned closing ceremony and awards show! Scott hosted a brief stream to give shout-outs to all our contributors and participants and to crown our various champions.

See you next October!

Just Eat Takeaway.com is hiring! Want to come work with us? Apply today.
