Facebook's plan to train a new generation of cybersecurity pros
Facebook likes hackers. Not the kind that break into its accounts, but the ethical kind that can find and fix software vulnerabilities that plague massive tech companies.
In fact, it is so committed to educating and encouraging this kind of bug hunting that it's sharing its internal Capture the Flag (CTF) security training platform with high schoolers, college students, and anyone who wants to learn how to think more like a hacker.
In making the program available on , an online repository of open source code, Facebook is giving students and budding software tinkerers a legal way to hone their research skills, but also tapping into a growing trend of using games to draw young people into technical topics such as security research. During CTF competitions, teams practice engineering and defending against cyberattacks on fake websites.
"We hope to see more people gamifying security education, both in schools and the enterprise," said Javier Marcos, a security engineer at Facebook and the lead engineer on the CTF project. "We know playing games makes it easier to learn hard topics."
Releasing Facebook CTF as an open source platform makes that kind of gamified security education more accessible, since anyone organizing a CTF competition can now download the platform and get it up and running on their own server.
"We wanted to share our experience organizing and competing in CTFs with an easy to use platform," Mr. Marcos said via e-mail. "We also wanted the code to be an educational tool by itself, so people can learn about secure coding practices by looking at our codebase."
While Capture the Flag games aren't new in the security research community (they've been taking place at hacker conventions for 20 years), the idea has gone mainstream as university teams regularly compete in similar challenges.
But what all these competitions have in common is the way of transforming the often arcane and arduous task of finding vulnerabilities and creating exploits into something of an adventure. Players may have to patch their own vulnerabilities while also looking for ways of hacking their opponents, the kind of action that's often missing from computer engineering classrooms.
"Playing CTF is different from reading a book," said Soufiane Boussali, a Morocco-based security researcher, via Facebook. "In CTF we practice what we learn in books."
Facebook also hopes that by releasing its CTF it can help root out bugs within the game platform itself, providing yet another way to learn about finding and patching vulnerabilities. The game will be connected to the  so anyone who downloads it can also earn money by reporting vulnerabilities or errors in the platform.
Of course, the real test of Facebook CTF is whether its combination of game playing and information security will translate into real learning, and into training and identifying the next generation of information security professionals.
"There's always something that will come up that's unexpected during a CTF," says Jared Stoud, a computer security graduate student at the Rochester Institute of Technology, suggesting the games are strikingly similar to reality. "From a competitor standpoint I've learned a significant amount about web application security and reverse engineering."