Hack At Home: Hands-On Security Training Can Be Fun

Although many of us are working from home (WFH), security training does not have to be monotonous slide presentations in a virtual conference room. We want to take advantage of technology and make security training educational, interesting, and personally relevant. One of the best ways for human beings to learn complex topics is through , in which multiple learning principles are used to maximize the internalization and retention of knowledge. Learn more about the science behind our training in .

In this post, I continue the capture the flag (CTF) conversation by sharing how we improved our security training, making it more memorable, even when you are participating from home.

Security Training at TrailheaDX

This year, Salesforce’s developer-focused conference  is completely virtual. While this means that anyone in the world can attend, for free, it also means that we have some additional challenges to catching the attention of our attendees. Even without the traditional booth presence, we want to make sure attendees are aware of all of the ways they can improve the security of their Salesforce-based solutions.

Last year at TrailheaDX, we launched our first admin- and developer-focused capture the flag, where attendees competed against each other to increase the security of a vulnerable Salesforce trial org. Nearly 500 players participated throughout the three-day conference, with winners announced every day. During the game, attendees were drawn into learning more about Salesforce security through:

  • questions designed to drive independent research;
  • challenges that required the player to find and set appropriate security controls within their Salesforce Org; and
  • purposefully vulnerable modules where the player had to find and fix security bugs in code.

We document the architecture and tooling of the Salesforce Secure the ‘Force platform in .

This year, we are bringing a bigger and better Secure the ‘Force to TrailheaDX with new challenges, improved user experience, and a global audience of competitors. This self-paced, hands-on training gives the reward of finding the right knowledge and applying it correctly, which enhances the retention of the skills our players are learning. Performing the training in a competitive, but friendly environment helps keep players interested and gives them incentives to excel.

Playing the game is a win for everyone. Players build their knowledge and skills using real environments, and the Salesforce ecosystem wins by having customers with an increased understanding of the security features and capabilities of the platform.

Secure the ‘Force from 2019

Capture the Flag for Internal Training

Salesforce customers are not the only ones learning from security training disguised as a Capture the Flag game. At Salesforce, we are also using the technology to improve our internal security training. New Salesforce engineers receive in-depth application security training, which we enhanced by including a Capture the Flag competition for each incoming class of engineers. By giving our engineers experience with how application vulnerabilities can be exploited, we help teach them how to write defensively to build secure Salesforce product code.

At the beginning of their training, each participant receives a set of custom applications and is challenged to find and exploit the security vulnerabilities in those applications. Everyone can see the points on the scoreboard, which provides some additional incentive and friendly competition. Players compete against their class, and at the end of the training the winners are recognized.

The experience of learning how to exploit application vulnerabilities, just like attackers, keeps players interested and engaged. Afterwards, engineers are able to take the knowledge and skills from the game with them as they write new Salesforce code and features.

See You on the Leaderboard!

Ready to transform your everyday? Indicate your interest to the Salesforce Recruiting team.