Game On!

Engineering Security Through Friendly Competition

The Alamo Cup is presented to the winner of the National Collegiate Cyber Defense Competition.

Cybersecurity competitions are a great way to scout top security talent while giving back to the community and refining professional skills. From DEF CON to U.S. Cyber Challenge, Codegate, PH-days, and BruCON, Uber security engineers actively participate in dozens of events around the world, and these efforts are an invaluable component of our security team. Some of our security groups are composed almost entirely of engineers who compete or volunteer at these events.

Enlisting Defenders

Students defend computer networks at the National Collegiate Cyber Defense Competition. (Source: NCCDC/Raytheon)

One reason our engineers love to participate in security competitions is the opportunity to meet and engage with the next generation of security professionals. With several hundred thousand cybersecurity jobs unfilled in the U.S. alone, the demand for highly skilled candidates is at an all-time high. Strong, passionate engineering is a deeply valued principle at Uber. Security competitions allow us to identify individuals who share this same mindset.

For years, we have volunteered for Collegiate Cyber Defense Competition (CCDC) events. With 10 regions and more than 250 participating colleges and universities, CCDC is one of the most anticipated competition series in the country. In this competition, teams of students are placed behind the keyboards of realistic enterprise networks and then scored on their ability to defend that infrastructure from realistic cyber attacks. This is a great way for students to experience a day in the life of cybersecurity.

Advancing Education

Security competitions also give students a dynamic, hands-on experience that classroom instruction alone can’t provide. It’s not uncommon for college students to treat these programs as extracurricular activities, allowing them to take lessons from the classroom and apply them in real-world situations. Uber recently sponsored a competition called the Collegiate Penetration Testing Competition (CPTC) hosted by Rochester Institute of Technology.

Dan Borges and I with Tennessee Tech’s CPTC Team

While most offensive competitions utilize the popular CTF (Capture the Flag) gaming model, CPTC pushes competitors into a security assessment that more closely reflects a professional environment. CTFs help develop offensive thinking and technical skills, which help defenders anticipate the approach of attackers. Other competitions, such as CCDC and CPTC, reward competitors for demonstrating strength in technical writing, presentation skills, and communicating technically advanced topics in easy-to-understand ways.

Refining Professionals

One of the most important aspects of professionals participating in these events is contributing time and expertise. Just as these events provide college students with an extracurricular learning experience, our engineers use these opportunities to improve the skills they use on the job by building custom tools or architecting competition infrastructure. This kind of career development is hard to come by in traditional enterprise security teams, but it’s built into our culture at Uber.

The Red Team for the National CCDC competition is a volunteer group of security professionals who intentionally attack competitor networks to simulate an adversary for students to defend against. These professionals spend several months before the competition developing custom malware and discrete command and control systems to use in their attacks — a process that both leverages and strengthens professional skills used on the job. The majority of Uber’s security response team volunteers on the CCDC Red Team, providing us an opportunity to continuously improve our ability to defend Uber’s infrastructure.

Getting Started

Participating in these events helps us find the best engineers and continuously educate our team. Additionally, we’re helping to shape the future of information security by mentoring newcomers from other computer science and engineering disciplines. We’re extremely proud to support these events and we encourage other companies and professionals to contribute in any way they can.

To get you started, here is a list of a few events our team participates in:

Collegiate Cyber Defense Competition

Collegiate Penetration Testing Competition

US Cyber Challenge

Pros Vs Joes

DEF CON CTF

If you want to talk more about how to get you or your organization involved, shoot me a DM on Twitter. I’ll be happy to connect you with the right people!