After seeing a demonstration of Security Innovation’s new health-care focused cyber range application hacking module, I knew we had to share it on Shift Left Academy. So, in this show, Brandon Cooper, lead solutions engineer at Security Innovation, provides a short demonstration of a cyber range module.
Our other guest is Mark Merkow, application security program manager at Phoenix-based copper mining company, Freeport-McMoRan, who offered these modules to his sprawling development organization at a previous financial institution where he managed development. Those who accepted the challenge, he says, often became DevSecOps champions.
Security Innovation hosts a variety of cyber ranges based on vertical industries, along with skills labs for developers, engineers, and product officers to help them build, practice, and master DevSecOps. We start the show with a demonstration of Security Innovation’s new health care range, which gives developers a hands-on perspective of attackers exploiting vulnerabilities in a medical portal application.
Switching between viewpoints from patient and provider, Cooper describes the modules as “fun,” and shows how trainees get rewarded with points by “hacker generals” who heap praise for passing the challenges. There are 46 challenges in all, which are broken up into bite sized bits.
Trainees work at their own pace and level. The real enthusiasts prefer to blast through all the modules in a day or two, adds Merkow, who made Security Innovation training available to nearly 6,000 architects, engineers, and product managers across the product scrum teams in his previous role.
“The behaviors they were exhibiting among themselves, it was fascinating to watch from the sidelines,“ he adds. One trainee, he said, didn’t want to pay for hints, so he set up a system to social engineer the hints from others in the game. Merkow adds, “The value is not training people to become attackers – It’s training people to become defenders.”