Original URL: http://www.theregister.co.uk/2012/07/18/cyber_security_challenge/

Psst, UK software devs: Up for a Cyber Security Challenge?

Future Stuxnet-style attack defenders wanted

By John Leyden

Posted in Security, 18th July 2012 16:02 GMT

A new Cyber Security Challenge UK competition aimed at finding people to protect the country against future Stuxnet-style attacks was launched on Wednesday.

Previous Cyber Security Challenge competitions focused on crypto-cracking, penetration testing and malware forensics – but this is the first competition in the challenge that will test devs' wits on software security. The two-year-old public- and private-funded programme is now looking for software and application developers with the security know-how to keep business and critical national infrastructure safe from the latest online attacks. Defence contractor QinetiQ and training body (ISC)² have teamed up to devise the challenge.

Why devs?

Software applications are increasingly being developed for very open, highly distributed environments, often involving elements of outsourcing and many suppliers. Traditionally, developers operate under tight deadlines to introduce new functionality and security has been a secondary concern. Competition sponsor (ISC)² said it had identified software vulnerability as the number one online threat in its survey of information security professionals. It said that the majority (73 per cent) of respondents had fingered it as the main problem.

The challenge aims to test the competitors' knowledge of security requirements, as well as their "instincts" for anticipating and resolving security vulnerabilities as they develop their own software. The best candidates will then be invited to QinetiQ at the start of next year for a "hands-on experience of writing secure code to move physical devices" and and exercise in protecting a "top secret facility from real life cyber-attacks".

John Colley, managing director of (ISC)² EMEA, explained: “Security instincts will be just as important as technical skills, as candidates prove they can effectively research and anticipate requirements for security at the same rapid rate at which software is developing.

“Those with the right instincts have a significant opportunity to demonstrate new skills that are incredibly relevant today. We hope this competition will attract, identify and nurture new talented individuals to work in this field,” he added.

How it works

The initial phase of the competition will involve an online exercise challenging competitors to write their own secure code. Between 15 and 30 of the best candidates will then progress to the face-to-face phase of the competition, next February. All participants at this stage will be awarded an training module, with the overall winner receiving a special prize. Winners from this event will then be invited to attend the Masterclass Final and awards weekend next March.

“Cyber criminals are increasingly developing the capabilities to manipulate the software used to control key security systems,” says Neil Cassidy, practice lead in cyber defence at QinetiQ. “Attacks like Stuxnet highlight the fundamental impact which these attacks can have on national infrastructure, from power stations to military installations.

"At QinetiQ’s face-to-face stage of this competition, competitors will be responsible for securing the systems protecting a simulated top-secret facility. They must identify vulnerabilities in command software systems and work to anticipate security breaches to avoid attack. Through this Challenge we aim to provide the software developers of the future with experience of what it takes to secure software systems and the impact any failures can have.”

The competition is open to software developers and students, with entry via a registration page here. Those already working in information security are not eligible.

Upcoming competitions in the ongoing security challenge scheme will include a packet-capture analysis competition, run by the SANS Institute, that will involve the analysis of network and web application attacks, as well as a linked-based competition, to be run by Sophos. The Cyber Security Challenge UK is now in its third year. ®