Reece Donovan

Learning security in a gamified hacking sandbox? Yes please!

SONY Music generously fronted the cost for 6 developers in our company to undertake security training at adversary.io. There were 80 missions in the course and each had about 5-10 "steps" which ramped up in difficulty from identifying the exploit to exploiting the mock target application to its fullest. The missions were truly challenging and required some deeper creative thinking of how to best wield exploits and achieve the required tasks - any hints taken deducted from your score.

To say I got a bit obsessed with these challenges would be an understatement. My largest session was one 5 hour block where I completed about 21 missions. When I reconvened with the developer group on Skype a few weeks later to discuss progress, they were audibly shocked that I had already completed all the missions and held the top score within the SONY Music group (which went undefeated).

As far as I am aware, no other developer at our company completed all the missions - it was too hard for some and too time consuming for others. Many of them (including my boss) came to me for advice when stuck on certain challenges. The knowledge I gained over the missions was invaluable, and the lessons learned while "becoming the hacker" still inform my security decisions when programming today.