
All right, so, so the time I did not spend in hair and makeup today I spent trying to make this go as smoothly as possible last night, so here's hoping everything goes smoothly. All our speakers look like they're ready, our organizers are ready and caffeinated, so let's go. All right, so BSides Knoxville 2020, track 1. So this is not what we were expecting to be doing back in January or even February when we, when we were finding an event, a venue, but it's what happened. Yeah, there's a lot of things about BSides Knoxville that, that we're gonna miss this year. We're gonna miss seeing everybody, we're gonna miss the hugs, the doughnuts, it's, but things will
go back to normal next year, and we're definitely looking forward to that. Same plans that we had this year: we found a great new venue and, you know, we hope to use them again next year, but this year, you know, this is, this is what we could do. So we kept the date and, and we kept the speakers and, and we even kept some sponsors. Everybody was really supportive, so we appreciate that. Thank you.
Electronic badges, another thing that we're missing. Posters: some people have asked if we're gonna mail out posters. Now, we might double up next year, we might have a special COVID-19 poster as well as 2021 poster, we don't know at this point, but yeah, we're not doing any physical stuff this year. You know, it was enough for us to try and tackle a virtual conference for the first time. We didn't, I was wary of tacking on too much extra stuff, so keeping it fairly simple. And yeah, photography, videography, you know, it's gonna use the same, same great people. We've got some great photos on Flickr, if you search on Flickr from previous years, if you want to see what the physical
conference looks like. I know a lot of folks are going to be tuning in that aren't in Knoxville and have never been to the physical conference. I'd urge you to consider coming to the physical conference next year. It's, it's usually, it's like this and it's not raining. We'll see, you know, we can't, we can't guarantee that, but usually we get pretty nice weather and, and a lot of people turn out. So thanks to our sponsors, both new and old. TEKsystems has been with us every single year, including with this virtual conference. LBMC is a new sponsor; we've got a lot of good friends over at LBMC and we appreciate them coming through
for us, and Clayton Homes as well, I came in as a, as a platinum sponsor, and big thanks there for them coming through. And we kind of had a realization this year, you know, we realized that there's probably more value for sponsors for folks looking to hire security people, and specifically in this area in East Tennessee, than maybe vendors. You know, we're not sure vendors get a whole lot of leads out of it, but it was a thing that we tried out this year and it seemed to resonate with folks, and, and we'll probably go for that next year as well. We also have some community, community sponsors. We've got ascension which is joke thing, you'll learn a little bit more
about that later. He's doing some hosted training and the big draw still there, the, the North tree is his, his logo there, I'm assuming that's what that's supposed to be, Joe. And DC865 is, is running one of our two CTFs today, and Secure Code Warrior is running a tournament, a CTF, and you'll hear a little bit more about that here in just a moment. We got Dan Lewin on the line with us. And so a few housekeeping items: LobbyCon, HallwayCon, all the chat, all that stuff is on Discord, so if you haven't jumped on the Discord, that's the link there. You can find it from the BSides website. Also, if you look at the very top you'll see a
link to HallwayCon at the very top of the page when you go to BSides Knoxville dot com, and you can just click it there, or if you can type quickly you can transcribe that right there. We also have links there to the Secure Code Warrior tournament, to the BSides Knoxville 2020 Jeopardy CTF put on by, by DC865, our local DEF CON group. Any questions, issues, queries, live stream's down, somebody's being a jerk, anything like that, either let an organizer know in Discord, you can, you know the organizers from the, the red names, their names will be in red text, or just email info at BSides Knoxville dot com and we'll monitor that, that email address throughout the
day, and it goes to all the organizers. In the hashtag, if you're going to tweet anything about it, we like to keep it short and sweet. This is the same format we've used since year one, just be sk4 BSides Knoxville 2020. There's systems there and I think that was, yeah, 2016, the only year we didn't do a, an electronic badge. I thought it would be really cool to do floppies, and I was going to put stuff on the floppies, and everybody assumed there was gonna be like a secret challenge and the floppies, and I just didn't have time for it and I, I let everybody down. But they were color coded, vendors were green. That was a fun
year. And yeah, short video from TEKsystems. I did have some animations here, it's actually for the best 'cause we need to get moving on here, but had a bunch more photos, but that's, that's all right. You probably can't hear the, the audio, but it's, it's just music. That's cool, I can beatbox it if you want. It's very rhythmic, it's nice, it's a nice video, I like it. All right, at this point we've got Dan Lewin here. Dan, if you're ready, I'm gonna just throw you in the deep end here, make you a presenter, and we should be able to see and hear you in just a moment here. You
I can't hear you right here, let me make sure it's, yeah, my settings, yeah, I'm muted. Let me look at the chat, see if it's just something done that I've done, like, people can hear me. Dan, let's see, okay, I've done hear me down on my answer, go for it, Dan. All right, can you, can you hear me? Hello? Yes, we can. Hello, okay, great, great, great, sorry about that. Let me see, I'm about to present my screen here, so let's move this out of the way here. All right, oops, all right.

Good morning everybody, my name is Dan Lewin with Secure Code Warrior. I probably, if you saw the video cam there, I'm growing kind of one of those 14
beards, usually clean-shaven, but don't go anywhere these days. So, but very appreciate the opportunity to talk with you. I promise to keep it short, I know we've got a nine o'clock, you know, start time here, but I just wanted to go over some of the details, that we are hosting the CTF, the secure coding tournament, on the Secure Code Warrior text channel. So it is open from 8:30 to 4:30, and highly recommend, when you have an opportunity, to go in there and try to compete and win some prizes. Just to give you an idea who Secure Code Warrior is: we are a global application security company, and our vision is to empower developers to become the first line of
defense by making security highly visible and providing them with the necessary skills and tools to write secure code from the beginning. What we developed was a cloud-based training platform for developers. It was designed by developers to really help developers secure their code from the start, and ultimately where our customers, organizations, use this is to help them achieve faster, more secure product development. It's helping developers become more security conscious so they're able to defend their own applications. And I think one of the biggest keys that we're doing, we're basically bridging the gap between security and development, creating a positive security culture within organizations. And what we have done, we're changing the paradigm from traditional learning to hands-on, so
where you think of the traditional is more around e-learning and classroom instruction, which is great, but when it comes to learning how to secure code, we found their retention rates are very low over a period of time, whereas something when you're practiced by doing, we see a much higher rate of retention. I equate this very similar to things you learn growing up. Remember, you know, working, my dad teaching me how to work on cars or doing small projects, and 20 years later I still remember how to do those things. So very similar to, with the Secure Code Warrior approach. Where we fit in the, the software development life cycle, where there's a lot of stuff
out there is trying to shift left, where we actually start left. We want to be the, the starter for developers to learn how to securely code. We're not here to replace existing tools, we're here to make them even better. The goal is, at the end of the day, is that developers are learning, not, not putting in the same types of vulnerabilities into their code, and for the organization itself, the cost of fixing security bugs will start to drop over time. We have a full slew of features in our training platform, everything from tournaments, learning, training and assessment. Everybody that signs up for the tournament will get access to the platform, and we're going to be keeping it open for another two
weeks after the tournament, so feel free to go in there. But the majority of the time you're going to be spending is in the training and learning, this is really building and maintaining skill. And then what you're going to be doing in the tournament here is where we're going to have that fun competition, where you're going to compete against others to, to earn points. Just going to show you a quick example what it looks like from a, for what a challenge, when you go into the platform. So I'm just going to work on an injection category here. So typically where you're, with, with our challenges, and you'll find this in the tournament itself, you're going to be
tasked to either locate or identify and fix vulnerabilities. We have over 35 languages; for the tournament itself I think we have about 20 or so languages you can choose from, but just remember, just that once you choose one language in the tournament, that's the language you're going to be playing in. So in this particular example here I'm actually working in C# .NET Web Forms, and the goal here is I need to locate a particular vulnerability, and it's an injection flaw, and this particular vulnerability is an email injection. You're going to be asked to maybe potentially find one vulnerable code block, or you may be able to find two code blocks. So what you're going to do
is basically go here, and I'm going to highlight museu like yellow triangles. As you can see, one code block popped up, and I will need to go and find another one. So, you know, the idea is to go through this particular code snippet and identify where that potential, these potential vulnerabilities. But no worries, if you're new to secure coding, you're trying to learn, that's part of the, the fun of what we provide. So we do provide a hint system here. It will ask you to give you a hint. Typically the first hint, that hint, the first hint in the tournament is free, and I highly recommend everybody looking at it. We will provide a small video that comes
with it, so will tell you a little bit about the vulnerability and then provide you a video as well, so it'll help with your learning process. So it is, it is a free, free hint, and I highly recommend using it. Other hints, I will show you in the scoring here, could cost you some points, but definitely take it. But this, typically that's the process, is that you're going to be going through these challenges. There is a walkthrough once you first go into the, into the, into the tournament, so it'll help you, kind of walk you through the process. Let's go back here to my tournament details. All right, so tournament details: as I mentioned, we have about 20 or so
languages you can choose from, and we have about 36 total challenges. That's going to take you, if you go through all the challenges, will take you somewhere probably about an hour and a half, two hours to complete. Now you got the whole day, and I know there's a ton of talks today, so, you know, you can, you can go in, go out when, when you can. There's a, there's a number of quests that you can compete in. There's actually eight different levels. You can start at any level. Level one is going to be much more easier, level eight, it's going to be a little bit more difficult as you get there, but you do score points for more difficult
questions. All the challenges will require you to identify a particular vulnerability within a block of code. You'll be taught, you'll be asked to locate a named vulnerability, and there also be tasked to fix the vulnerability, a piece of code. Scoring: the way it works is you're going to earn points. Typically for easy, points is around 100, medium is about 200. I don't think I would have, maybe I have one or two hard in there, but that you get the most points from that. You do have about three attempts per challenge, so the first time you go through it you get a hundred percent of that total points there. As you start to do another attempt, and the third attempt,
you start to get less, less points from that. As I mentioned, there is a, please do use the, the first hint, it is actually free. As you start to do work with other hints to help you, walk you through the problem, you will get points taken away, so feel free to use that first hint. You do have until 4:30 today. We are going on a jury and the team, they're going to be announcing winners and prizes by the end of the day. And some of these prizes, at least on the Secure Code Warrior side, we're going to be providing a first place, that really, really neat hoodie, a second and third place winners will be T-shirts. So once
we find out who wins, we'll definitely ship those directly to you, so some really cool swag coming your way. This is on our, on their Discord text channel. You go here to register. You sign in, once again, you sign in to the tournament and get access to the platform. You will have an additional two weeks to just kind of play around with the platform in the training and take more challenges. So you would go here, click and join, you'll see this in the tournament page in your, in your puck in the platform, and then you should be ready to go. We do feel, if you don't mind, at the very end feel free to take it as a survey, less than five
minutes. Always open to your feedback, just makes our platform better. But at the end, I just wish everybody a good luck, and let's find out who's going to be the ultimate secure code warrior for BSides Knoxville.

Awesome, thanks Dan. We should have set something up, I wish I could just reach into your video and spin your, spin your, moving, it looks funny. Hey, I just noticed, looking at my other monitor, it looks like I'm watching you talk. So yeah, thanks, thanks for that. I'm not sure if you mentioned it, but we'll announce the, the winners after the 4:00 p.m. talk is done, so shortly before 5:00 p.m. is when to look out for that, and
good luck to everybody that, that's gonna do that tournament, and thanks very much, Dan. Next up, oh, look at us, we are right on time. Xavier, are you ready? Let me unmute you so you can respond. There we go, you did. Can you hear them? No? Yep, yep. All right, great. Hello everyone. Yep, so we are actually running two, two minutes early. Great. Yeah, let me, I'm gonna promote you to a presenter, and I'm saying this out loud because I'm still new to it, just gonna awkwardly say things that I do out loud, it's gonna be a thing. That's better than that on-air silence, right? That's the, yeah, yeah. And it's, uh, believe it or not,
we have practiced, and our speakers have practiced, the organizers have practiced, and I guess that shows, we're two minutes ahead of schedule here. Yeah, so if you want to go ahead and go, the floor is all yours. I appreciate it.